August 3, 2022
Vietnamese threat actors are using a malware called Ducktail to hijack high-profile Facebook Business and advertising platform accounts.
The campaign was uncovered by security researchers at WithSecure. The malware uses browser cookies from authenticated user sessions to take over accounts and steal data.
“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to,” researchers wrote on a blog post.
To spread the malware, the financially driven threat actors target LinkedIn users through a phishing campaign. This entices victims with brand, product, and project-related keywords to download an archive file containing the executable malware.
According to researchers, Ducktail works with six key components when it infects a system. It performs Mutex creation and ensures that only one instance of the malware works simultaneously.
Ducktail has two components that are dedicated to stealing files. The first scans an infected machine for Google Chrome, Microsoft Edge, Brave Browser or Firefox. It extracts all cookies in each of the browsers found, including Facebook session cookies.
The second component of information theft is the extraction of data from Facebook Business/Ads accounts that interacts directly with various Facebook endpoints.
The sources for this piece include an article in ThreatPost.
