New information stealing malware targets Facebook business accounts (21st October 2022)

Ref# AL2022_68 | Date: Oct 21st 2022

Description  

A new PHP version of the Ducktail malware campaign has been designed for Windows to target Facebook business accounts, browser data and cryptocurrency data. 

Summary 

The original Ducktail campaign was discovered by researchers from WithSecure in July 2022, who attributed the attacks to a Vietnamese threat group. That campaign used social engineering over LinkedIn to deliver a .NET Core malware disguised as a PDF file that supposedly described a marketing project. The malware was built to harvest information stored in browsers, with its main focus on Facebook business account data, and exfiltrated that data to a private Telegram channel acting as the command and control (C2) server. The stolen information is used by the attackers for financial fraud and malicious advertising. 

However, in August 2022, the Zscaler research team spotted signs of a new instance of the Ducktail campaign that uses a PHP info-stealer targeting Windows systems. The old .NET Core malware has been replaced with malware written in PHP that is bundled with cracked video games, subtitle files, adult videos and cracked Microsoft Office applications. The malware poses as the installer for these files, is delivered inside a ZIP archive, and is distributed through popular file-sharing services such as mediafire.com.  

When the fake installer is executed, it displays a bogus “Checking Application Compatibility” pop-up in the foreground while, in the background, the malware is extracted to the %LocalAppData%\Packages\PXT folder. That folder contains a local PHP interpreter (php.exe), the scripts used to steal information, and supporting tools. Persistence is achieved through scheduled tasks that run the malware daily and at regular intervals. The info-stealing component is a Base64-obfuscated PHP script that is decoded in memory rather than written to disk, which reduces the chance of detection by file-based scanning. The script harvests extensive Facebook business account data such as currency details and payment methods, sensitive data stored in browsers such as saved passwords and cookies, cryptocurrency account information, and system information. The new campaign no longer uses a Telegram C2; the stolen data is instead sent in JSON format to a newly hosted website operated by the attackers.  
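The following PowerShell hunting script is an added example for this advisory; it is not part of the original page nor of Zscaler's research. It relies only on the behaviour described above: a staging folder at %LocalAppData%\Packages\PXT holding a local php.exe, scheduled tasks that launch it, and a running php.exe from the user profile. The scheduled task names are not given in the advisory, so matching is done on the task action rather than the name, and any file hashes it prints are meant to be compared against the Zscaler IOC list, not treated as verdicts on their own.

```powershell
# Added hunting script for the Ducktail PHP variant (example code, not from the advisory).
# Assumptions (from the advisory text only): staging folder %LocalAppData%\Packages\PXT,
# a local php.exe interpreter, and persistence via Scheduled Tasks. Task names are unknown,
# so tasks are matched on what they execute. Run elevated to see every user's tasks.

$stageDir = Join-Path $env:LOCALAPPDATA 'Packages\PXT'
$findings = @()

# 1. Staging directory and its contents (hashes for comparison with published IOCs)
if (Test-Path -Path $stageDir) {
    $findings += "Staging directory present: $stageDir"
    Get-ChildItem -Path $stageDir -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings += ('  {0}  {1}  {2}' -f $_.LastWriteTime, $hash, $_.FullName)
        }
}

# 2. Scheduled tasks whose action runs php.exe or anything under a Packages\PXT path
#    (the second pattern also catches tasks created under other user profiles)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = '{0} {1}' -f $action.Execute, $action.Arguments
        if ($cmd -match '(?i)php\.exe' -or $cmd -match '(?i)\\Packages\\PXT\\') {
            $findings += ('Suspicious task: {0}{1}  state={2}  cmd={3}' -f `
                $task.TaskPath, $task.TaskName, $task.State, $cmd)
        }
    }
}

# 3. A php.exe currently running out of a user-writable profile path
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'php.exe'" | ForEach-Object {
    if ($_.ExecutablePath -like "$env:LOCALAPPDATA*") {
        $findings += ('php.exe running from user profile: PID={0} path={1} cmdline={2}' -f `
            $_.ProcessId, $_.ExecutablePath, $_.CommandLine)
    }
}

if ($findings.Count -eq 0) {
    "No Ducktail PHP-variant artifacts found on $env:COMPUTERNAME"
} else {
    $findings
}
```

A legitimate developer workstation may well have php.exe on it, so treat the php.exe match as a lead to check, and the Packages\PXT path plus a scheduled task pointing at it as the strong signal. If a task is confirmed malicious, capture its XML with Export-ScheduledTask before removing it with Unregister-ScheduledTask so the evidence survives.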

Indicators of Compromise: 

For a list of IOCs related to this campaign (IP addresses, URLs and file hashes), follow this URL: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts 

Remediation  

To avoid this type of malware, users are advised to follow the steps below: 

  1. Be wary of unsolicited LinkedIn messages containing links or attachments. 

  2. Avoid downloading any form of cracked software, as the malware comes bundled in the installer. 

  3. Be cautious when downloading files from file-sharing services. 

  4. If a system is found to be infected, change the passwords of the Facebook business account and any other accounts saved in the browser, and sign out of all active sessions, since the malware steals both saved passwords and browser cookies. 

PDF Download: New information stealing malware targets Facebook business accounts.pdf

References