Phishing Campaign Launches New Malware Targeting Facebook Users

Ducktail, a well-known phishing campaign that hijacks Facebook accounts running ad campaigns for businesses, is now distributing entirely new information-stealing malware.

According to Zscaler researchers, Ducktail previously used LinkedIn to distribute malware written in .NET Core that stole Facebook Business account data stored in a web browser and exfiltrated it to a private Telegram channel. That channel acted as the malware's command and control (C2) server, the infrastructure that communicates with infected systems to coordinate the attack.

Now, however, Ducktail has been seen distributing a new malware variant that can steal not only Facebook-adjacent data but also other sensitive data stored in browsers, such as cryptocurrency wallet data, account information, and basic system information.

Browser data theft

The C2 has also changed: stolen data is no longer sent to a Telegram channel but posted as JSON to a web endpoint, which also stores account tokens and other data needed to carry out fraud from the victim's machine.

Zscaler also reported that the malware was distributed as a file uploaded to a legitimate file hosting service. To avoid being flagged by antivirus software, the attackers ensured the payload was loaded only in memory rather than written to disk.

Users can limit the damage from Ducktail and similar infostealers by switching to a browser or browsing mode that does not persist session data, or simply by not saving sensitive information (credentials, payment details, session cookies) in their browser of choice.

This matters because once the malware compromises an endpoint used for a Facebook Business account, it can search the same browser profile for additional financial details, such as PayPal data, including amounts spent on specific purchases, verification status, and more.
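The practical check behind the advice above is to see what an infostealer would find in your own browser profile. The following script is an added example written for this article, not code from Zscaler, BleepingComputer, or the Ducktail operators: it enumerates saved logins in a Chromium-style "Login Data" SQLite file and flags entries for the Facebook and PayPal domains the article mentions. The domain list, the three-column replica of the browser's `logins` table, and the placeholder password blobs are all assumptions constructed here; the real table has many more columns and encrypts `password_value` with the OS credential store, and this script never attempts to decrypt it.

```python
import os
import shutil
import sqlite3
import tempfile
from urllib.parse import urlparse

# Hosts whose saved logins matter most in the Ducktail context: Facebook
# business accounts and PayPal, per the article. Assumption: this list is
# ours and can be extended (e.g. crypto wallet web fronts).
SENSITIVE_DOMAINS = ("facebook.com", "paypal.com")


def host_is_sensitive(host: str) -> bool:
    """True if host is one of SENSITIVE_DOMAINS or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SENSITIVE_DOMAINS)


def audit_login_data(db_path: str) -> list:
    """Enumerate saved logins in a Chromium-style 'Login Data' SQLite file.

    The browser holds a lock on the live file while it runs, so the file is
    copied to a temp location first (infostealers do the same). Password
    blobs are only tested for presence; they are never decrypted or returned.
    """
    fd, tmp = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        shutil.copyfile(db_path, tmp)
        conn = sqlite3.connect(tmp)
        try:
            rows = conn.execute(
                "SELECT origin_url, username_value, password_value FROM logins"
            ).fetchall()
        finally:
            conn.close()
    finally:
        os.remove(tmp)

    findings = []
    for origin_url, username, pw_blob in rows:
        host = urlparse(origin_url).hostname or ""
        findings.append({
            "origin": origin_url,
            "username": username,
            "has_password": bool(pw_blob),
            "sensitive": host_is_sensitive(host),
        })
    return findings


def make_sample_login_data(path: str) -> None:
    """Write a constructed sample DB with a minimal subset of the columns of
    Chromium's 'logins' table. Assumption: the real table has many more
    columns and password_value is OS-encrypted (DPAPI on Windows, Keychain on
    macOS); the blobs below are fake placeholders, not real ciphertext."""
    conn = sqlite3.connect(path)
    try:
        conn.execute(
            "CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
            "password_value BLOB, date_created INTEGER)"
        )
        conn.executemany(
            "INSERT INTO logins VALUES (?, ?, ?, ?)",
            [
                ("https://www.facebook.com/login", "ads-manager@example.com", b"v10fake", 1),
                ("https://www.paypal.com/signin", "finance@example.com", b"v10fake", 2),
                ("https://forum.example.org/login", "someone", b"v10fake", 3),
            ],
        )
        conn.commit()
    finally:
        conn.close()


def run_demo() -> list:
    """Build the constructed sample profile, audit it, and return the findings."""
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "Login Data")
    try:
        make_sample_login_data(db)
        return audit_login_data(db)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for f in run_demo():
        flag = "SENSITIVE" if f["sensitive"] else "ok"
        print(f"{flag:9} {f['origin']}  user={f['username']}  saved_password={f['has_password']}")
```

To audit a real profile, point `audit_login_data` at the browser's own file (for Chrome on Windows that is `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data`); any row flagged SENSITIVE is a credential the Ducktail stealer could lift from disk, and the fix is to remove it from the browser's saved passwords.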

In most cases, the attackers trick victims into downloading the malware by disguising it as movie subtitle files, adult content, or software cracks.

While Ducktail's new information stealer may evade antivirus scanners, security software with built-in web protection can still help by blocking access to the suspicious sites that host it.

Via: BleepingComputer