New phishing threat actor Ducktail targets Facebook business accounts via LinkedIn
A new phishing campaign named Ducktail has been targeting the LinkedIn profiles of enterprise administrators in order to take over the Facebook Business accounts that manage an organization's advertising.
The threat actors behind Ducktail have a narrow targeting scope: they mostly select administrators of enterprise social media accounts. Security researchers at WithSecure, a widely known global IT-security company, have been tracking Ducktail. According to WithSecure, the threat actors are of Vietnamese origin and began their activity in 2018.
WithSecure's researchers said that the threat actor primarily targets, via LinkedIn, employees who hold Facebook Business accounts, so Ducktail's victims tend to come from digital media or digital marketing backgrounds. Ducktail then convinces the potential victim to download a file hosted on a legitimate cloud hosting service such as Dropbox or iCloud. The download contains JPEG image files and a PDF document relevant to the topic the threat actor discussed with the potential victim while building trust.
The researchers reported that the downloaded file is itself .NET Core malware, packaged so that it runs on a computer without the .NET runtime having to be installed, which is what allows it to infect any operating system. Once it has compromised the system, the malware collects browser cookies from Chrome, Edge and Firefox, along with other sensitive information, in order to steal Facebook credentials.
The WithSecure security researcher said, “The malware directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account.”
The malware then crawls the other Facebook pages owned by the victim and collects multiple tokens, IP addresses, account information, geolocation data and other data it can use to pose as a legitimate admin. After gaining access to the victim's business profile, it steals advertising limits, credit card details, client lists, currency, payment cycle and further sensitive details. The stolen data is exfiltrated through Telegram bots when the malware exits or crashes.
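The behaviour described above (a non-browser process reading Chrome, Edge or Firefox cookie stores and later connecting to the Telegram bot API) can be turned into a simple endpoint detection. The following is an added example, not code from the article or from WithSecure; the event format, the process names and the sample telemetry are all constructed, and the cookie-store paths are assumed default Windows profile locations.

```python
import re

# Cookie stores of the three browsers the article names, as regexes over Windows paths.
# These are assumed default profile locations, not indicators from the report.
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
]
# The browsers themselves legitimately open their own cookie stores; exclude them.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
TELEGRAM_API_HOST = "api.telegram.org"  # host used by Telegram bots for exfiltration


def reads_cookie_store(path: str) -> bool:
    """True if the file path is one of the browser cookie databases above."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def correlate(events):
    """Flag a process that (1) reads a browser cookie store without being that browser
    and (2) later connects to the Telegram bot API host. One alert per process."""
    suspects = {}   # pid -> {"image": ..., "cookie_paths": [...]}
    alerts = []
    for ev in events:
        pid, image = ev["pid"], ev["image"].lower()
        if ev["event"] == "FileRead":
            if reads_cookie_store(ev["path"]) and image not in BROWSER_IMAGES:
                entry = suspects.setdefault(pid, {"image": image, "cookie_paths": []})
                entry["cookie_paths"].append(ev["path"])
        elif ev["event"] == "NetworkConnect":
            already = any(a["pid"] == pid for a in alerts)
            if ev["dest_host"].lower() == TELEGRAM_API_HOST and pid in suspects and not already:
                alerts.append({"pid": pid, "image": image,
                               "cookie_paths": suspects[pid]["cookie_paths"],
                               "dest": ev["dest_host"]})
    return alerts


# Constructed sample telemetry in a Sysmon-like shape (not real logs, not real indicators).
SAMPLE_EVENTS = [
    {"event": "FileRead", "pid": 4120, "image": "chrome.exe",
     "path": r"C:\Users\ad\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"event": "NetworkConnect", "pid": 5210, "image": "Telegram.exe", "dest_host": "api.telegram.org"},
    {"event": "FileRead", "pid": 7732, "image": "campaign_brief.exe",
     "path": r"C:\Users\ad\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"event": "FileRead", "pid": 7732, "image": "campaign_brief.exe",
     "path": r"C:\Users\ad\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite"},
    {"event": "NetworkConnect", "pid": 7732, "image": "campaign_brief.exe", "dest_host": "api.telegram.org"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} image={alert['image']} -> {alert['dest']} "
              f"after reading {len(alert['cookie_paths'])} cookie store(s)")
```

The browser's own reads and a messenger client's connection without a preceding cookie read are both left alone; only the process that does both in sequence is reported.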
The threat actor typically takes over the payment details so that the payment for each Facebook ad run goes directly into their own accounts rather than the victim's. The researchers added that the motive of the Ducktail threat actors is purely financial.