Ducktail malware uses LinkedIn to hack Facebook business accounts

15 November 2023 3 minutes Author: Newsman

Who are Ducktail’s targets?

Researchers at WithSecure (formerly F-Secure) have revealed details of a phishing campaign targeting Facebook Business accounts. The campaign has been active since at least July 2021. According to the researchers, the attack uses malware called Ducktail, designed to steal browser cookies and abuse the authenticated Facebook sessions they represent. The goal is to hijack every Facebook Business account the victim has access to.

According to WithSecure, the Ducktail malware targets “individuals and organizations” that use Facebook’s Ads and Business platform. People in digital marketing, executive roles, HR and digital media are prime targets, because these roles are the most likely to hold administrative access to a company’s Business account.

The campaign works by identifying targets on LinkedIn and delivering the malware to them there. WithSecure researcher Mohammad Kazem Hassan Nejad, who wrote the report, said the campaign reaches most of its victims through LinkedIn rather than through email.

“If you’re in a position that has administrative access to corporate social media accounts, it’s important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent by people you don’t know,” said Mohammad Kazem Hassan Nejad of WithSecure.

Who is the attacker?

Researchers attribute this financially motivated campaign to a threat actor operating out of Vietnam. They discovered the campaign in 2022 and believe it currently has no specific sector or geographic targeting. The malware has been continuously updated and modified since Q2 2021, and the threat actor itself appears to have been active since 2018.

How does the scam work?

According to the WithSecure report, the malware samples are hosted on file-sharing services such as MediaFire, iCloud and Dropbox, typically disguised as archives with names relating to brands, products or project planning. The download links are sent to targeted individuals through LinkedIn, since people active there in marketing and business roles often administer Facebook Business accounts.
Ducktail malware hosted on iCloud (Image: WithSecure)

The Ducktail malware is written in .NET Core and published as a self-contained single-file executable, so the binary runs regardless of whether the victim’s computer has a .NET runtime installed. The operators use Telegram for command and control (C&C): the Telegram.Bot client library and the malware’s other external dependencies are bundled into that single executable.
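A single-file .NET bundle is easy to recognise during triage, because the .NET apphost carries a fixed 40-byte marker: an 8-byte little-endian offset of the bundle manifest followed by SHA-256 of the string ".net core bundle" (the offset is zero in an apphost that was not published as a bundle). The manifest header then starts with a major version, minor version, embedded-file count and a BinaryReader-style length-prefixed bundle id. The helper below is an added example for this article, not code from WithSecure or from the malware; the fake sample it builds is constructed for illustration and contains no real payload.

```python
"""Triage helper: recognise a .NET single-file bundle and read its manifest header.

Added example for this article, not WithSecure's tooling.  Assumptions:
the .NET apphost bundle marker is 8 bytes (little-endian manifest offset)
followed by SHA-256(".net core bundle"); the manifest header is
major version (u32), minor version (u32), file count (i32), bundle id
(7-bit length-prefixed UTF-8 string, as written by .NET BinaryWriter).
"""
import hashlib
import struct
from typing import Optional

# 32-byte bundle signature placed in the apphost by the .NET SDK.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def read_7bit_string(buf: bytes, pos: int):
    """Decode a .NET BinaryWriter string: LEB128-style length, then UTF-8 bytes."""
    length, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return buf[pos:pos + length].decode("utf-8"), pos + length


def parse_single_file_bundle(data: bytes) -> Optional[dict]:
    """Return manifest header fields if `data` is a single-file bundle, else None."""
    idx = data.find(BUNDLE_SIGNATURE)
    if idx < 8:
        return None  # no marker, or no room for the 8-byte offset before it
    (header_offset,) = struct.unpack_from("<Q", data, idx - 8)
    if header_offset == 0 or header_offset + 12 > len(data):
        return None  # plain (non-bundle) apphost placeholder, or truncated sample
    major, minor, count = struct.unpack_from("<IIi", data, header_offset)
    bundle_id, _ = read_7bit_string(data, header_offset + 12)
    return {
        "header_offset": header_offset,
        "version": (major, minor),
        "files": count,
        "bundle_id": bundle_id,
    }


def encode_7bit_string(s: str) -> bytes:
    """Inverse of read_7bit_string, used only to build the constructed sample."""
    raw = s.encode("utf-8")
    n, out = len(raw), bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out) + raw


def build_fake_bundle(bundle_id: str = "abc123", files: int = 3,
                      version=(6, 0)) -> bytes:
    """Constructed test file: fake apphost with marker, dummy payload, manifest."""
    apphost_prefix = b"MZ" + b"\x00" * 62
    payload = b"\x90" * 32  # stands in for the embedded assemblies
    header_offset = len(apphost_prefix) + 40 + len(payload)
    marker = struct.pack("<Q", header_offset) + BUNDLE_SIGNATURE
    manifest = struct.pack("<IIi", version[0], version[1], files) + encode_7bit_string(bundle_id)
    return apphost_prefix + marker + payload + manifest


if __name__ == "__main__":
    print(parse_single_file_bundle(build_fake_bundle()))
```

Run `parse_single_file_bundle(open(path, "rb").read())` on a suspect executable: a non-`None` result tells you the sample is a self-contained .NET bundle whose embedded assemblies can be unpacked with the usual .NET single-file extraction tools before decompilation; the file count gives a quick sense of how many dependencies (such as a bundled Telegram client) it carries.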

Ducktail runs as a single persistent instance and scans the installed browsers to locate their cookie stores. It collects general system and machine information and steals Facebook-related data, which is sent to Telegram at several points: after the account hijack, when the main code loop completes, and when the process crashes or exits.
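Because Ducktail reports to its operators through the Telegram Bot API, its exfiltration leaves a recognisable trace in web-proxy logs: Bot API requests always have the form `https://api.telegram.org/bot<token>/<method>`, and ordinary Telegram desktop or mobile clients do not use that endpoint. The detector below is an added example for this article, not WithSecure's detection logic, and the proxy log lines it runs on are constructed (simplified to timestamp, client IP, HTTP method and URL; the bot token in them is fake).

```python
"""Detection helper: flag Telegram Bot API beacons in web-proxy logs.

Added example for this article; not WithSecure's detection content and
not tied to a specific Ducktail sample.  Assumed log format (constructed):
"<timestamp> <client-ip> <http-method> <url>" per line.
"""
import re
from collections import defaultdict

# Bot API URL: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<botid>\d+):[A-Za-z0-9_-]+/(?P<method>[A-Za-z]+)"
)

# Constructed sample: one workstation fetches an archive from a file-sharing
# site after browsing LinkedIn, then calls the Bot API; another host only
# visits the regular Telegram web client and should not be flagged.
SAMPLE_LOG = """\
2023-11-15T09:00:01Z 10.1.2.50 GET https://www.linkedin.com/messaging/
2023-11-15T09:00:07Z 10.1.2.50 GET https://www.mediafire.com/file/abc123def/Project_Plan.zip
2023-11-15T09:02:11Z 10.1.2.50 POST https://api.telegram.org/bot123456789:AAFakeTokenForExample/sendDocument
2023-11-15T09:02:12Z 10.1.2.50 POST https://api.telegram.org/bot123456789:AAFakeTokenForExample/sendMessage
2023-11-15T09:03:00Z 10.1.2.77 GET https://web.telegram.org/
"""


def parse_proxy_line(line: str) -> dict:
    """Split one constructed proxy line into its four fields."""
    ts, client, http_method, url = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "http_method": http_method, "url": url}


def find_bot_api_beacons(lines):
    """Group Telegram Bot API calls by client host.

    Returns {client_ip: {"bot_ids": set, "methods": [..], "count": int}} for
    hosts that called the Bot API; hosts with no such calls are omitted.
    """
    hits = defaultdict(lambda: {"bot_ids": set(), "methods": [], "count": 0})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        m = BOT_API.search(rec["url"])
        if not m:
            continue
        entry = hits[rec["client"]]
        entry["bot_ids"].add(m.group("botid"))
        entry["methods"].append(m.group("method"))
        entry["count"] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, info in find_bot_api_beacons(SAMPLE_LOG.splitlines()).items():
        print(client, sorted(info["bot_ids"]), info["methods"])
```

The numeric bot id extracted from the token is the stable part of the operator's infrastructure: the same id recurring across several hosts, or `sendDocument` calls shortly after a download from a file-sharing site, is the pattern worth a closer look. Legitimate automation that posts to Telegram bots does exist, so treat a hit as a lead to check against the host's process list rather than a verdict.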

Newer versions of Ducktail run an infinite loop in the background that repeatedly fetches updates and uses the stolen session cookies to interact with the victim’s Facebook account directly. Through that session the malware adds an attacker-controlled email address to the victim’s Business account and grants it the Admin and Finance Editor roles.

With those roles the attacker has full control of the Business account and can view and change the company’s financial details, such as credit card information, transactions and payment methods.

Operation Ducktail (Image: WithSecure)

Ducktail Malware Protection

The best protection against Ducktail is to be careful about opening emails and attachments from unknown senders and to avoid clicking links in unsolicited messages.

Avoid clicking on links or downloading archives sent by unknown contacts via LinkedIn chat or Facebook Messenger. Always use strong passwords and two-factor authentication, but keep in mind that Ducktail steals live session cookies, so two-factor authentication alone does not stop an already hijacked session; periodically review the users and roles on your Facebook Business account and remove any you do not recognise. Keep your devices updated with the latest security patches to reduce the risk of infection by Ducktail or any other malware.
