The “Ducktail” information stealing malware has a new PHP-based variant has been seen spreading across the Internet via cracked installers for legitimate software, per research conducted by the security software company Zscaler.
Researchers Stuti Chaturvedi and Tarun Dewan from the Zscaler ThreatLabz explained, "Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc."
Ducktail was first seen in late 2021, and is thought to be the work of an anonymous Vietnamese malware creator. The tool’s main purpose seems to be the hijacking of advertising and other business accounts running on Facebook.
What is assumed to be a financially motivated cybercrime operation, the activities were originally reported in late July 2022 by a Finnish security company called WithSecure (formerly F-Secure).
Below is a diagram representing the observed workflow for Ducktail; note that because it relies on an executable installer, if an attacker was able to gain such execution on a target system they would also be able to launch other installer-based attacks.
Prior instances of Ducktail were found to use the online service Telegram for its command-and-control (C2) communications channel—by which data would be exfiltrated from the victim. The new PHP variant instead creates connections to a new website (which can vary) and alters the data to use the JSON format.
The attack methodologies seen by Zscaler use a process of embedding Ducktail in ZIP archive files that are made available on filesharing services (e.g., mediafire.com), and are described to victims as cracked versions of Microsoft software, pornography, or free games.
When the files are executed, this activates a PHP script to launch the information-stealing code; information that is generally seen to be targeted includes the Facebook Business account data, but also browser data and cryptocurrency wallets.
Zscaler warned, "It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancement in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting users at large."
Robust employee security awareness training and well-designed device security management programs are both critical components in protecting your business from these types of attacks. Both are subcomponents of a quality security program, which is difficult to properly design and implement without the guidance of a cybersecurity expert and leader—a Chief Information Security Officer (CISO). Unfortunately, good CISOs are a rare commodity in the modern era, which is where Webcheck Security can help. We provide Fractional Information Security Officer (FISO) services by which seasoned CISOs are made available to your organization on an as-needed basis, freeing you from the expense of maintaining an in-house CISO and filling the leadership gap that is difficult to close given the scarcity of CISOs.
Contact Webcheck today for a free discussion of how we can serve you!
