October 17, 2022
A malware known as Ducktail, which steals Windows information, is being used to steal Facebook accounts, browsing data and crypto wallets.
According to the researchers, most of the counterfeit baits for the campaign relate to games, subtitle files, adult videos and cracked MS Office applications that are hoisted in ZIP format on legitimate services.
Ducktail is written in PHP and was first discovered in July 2022 by researchers from WithSecure. For the new strain, Ducktail has replaced the older .NET Core information-stealing malware used in previous campaigns with one written in PHP.
On Ducktail’s infection chain, once executed, the installation takes place in the background, while the victim sees fake Checkjng Application Compatibility popups in the frontend, waiting for a fake application sent by the scammers to install.
After that, the malware is extracted to the %LocalAppData%\PXT folder, which contains the PHP.exe local interpreter, various scripts used to steal information and supporting tools.
While the targeted data includes extensive Facebook account information, sensitive data stored in browsers, browser cookies, cryptocurrency wallets and account information, and basic system data, the information collected is not exfiltrated to Telegram, but is stored on a JSON website that also stores account tokens and data necessary for fraud on the device.
The sources for this piece include an article in BleepingComputer.
