Vietnamese Hackers Reinvent the Ducktail Malware Twice in Three Months

According to ZScaler, the latest iteration of the Ducktail malware is designed to carry out infostealing attacks like its predecessor but with certain operational differences.

October 20, 2022

Hackers are targeting Facebook Business accounts, cryptocurrency, and credential information using a new PHP variant of the Ducktail malware. According to ZScaler, this new iteration of the malware is designed to carry out infostealing attacks like its predecessor but with certain operational differences.

Ducktail is an infostealer that originated in Vietnam a few years ago. It received upgrades in July 2022 for a new campaign to target LinkedIn users using social engineering as the vector, as documented by WithSecure.

Now, ZScaler has found that the new PHP-based Ducktail variant shares its malicious intentions with the previous .NET Core-based variant of Ducktail, i.e., exfiltrating credential-related information saved in web browsers, Facebook account information, and more.

The difference lies in how it approaches information theft. Instead of leveraging Telegram as the command and control (C2) channel to exfiltrate data, the PHP-based Ducktail exfiltrates and later stores stolen data on a newly-hosted website in JSON format.

The new Ducktail variant is being distributed through cracked or free versions of Office applications, games, subtitle files, porn-related files, etc., to target the general public instead of employees with specific organizational roles, indicating a shift in its usual modus operandi.

Threat actors behind the Ducktail malware are financially motivated and carefully select their targets, such as those in managerial roles or those from the finance/accounting, digital media or HR departments who may have access to an organization’s financial resources.

For instance, the malware will try to obtain the payment details of its victim’s Facebook Business Ads Manager and redirect them to its operators’ accounts. However, the threat actors have expanded their targeting to include the average user as well.


“It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancements in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting users at large,” ZScaler noted.

The company found that the threat actors continue to host the malware, mainly within a .ZIP archive, on file hosting services such as Mediafire. When downloaded, extracted, and installed, it executes two different processes, one of which is in the frontend – a ‘Checking Application Compatibility’ GUI dialog to hide the underlying malice detailed below.

Ducktail Malware Attack Execution Chain | Source: ZScaler

In the backend, the execution of Ducktail “generates a .tmp file that re-initiates the installer with ‘/Silent’ parameter.” The malware installs itself under %Localappdata%\Packages\PXT, establishes persistence, and schedules the execution of the info-stealing code at regular intervals to exfiltrate browser information including cookies, Facebook Business accounts, crypto account information, and more.
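As an added illustration of how a defender might look for the chain described above (this is not ZScaler's or Spiceworks' code), the script below applies three simple rules to constructed endpoint telemetry: an installer re-launched from a .tmp file with the ‘/Silent’ parameter, a file dropped under %Localappdata%\Packages\PXT, and a scheduled task whose action points into that directory. The key=value log format, its field names, and the use of schtasks.exe for the persistence step are assumptions made for the example; the article only states that execution is scheduled at regular intervals.

```python
import re

# %Localappdata%\Packages\PXT (from the article), matched as a lowercase
# subpath so the rule works for any user profile directory.
PXT_SUBPATH = r"\packages\pxt"

# Constructed sample telemetry, not real Sysmon/EDR output. The field names
# (type, pid, image, cmdline, parent, target) are assumptions for this example.
SAMPLE_LOG = r"""
type=process pid=4120 image=C:\Users\alice\Downloads\OfficeCrack\setup.exe cmdline="setup.exe" parent=explorer.exe
type=process pid=4131 image=C:\Users\alice\AppData\Local\Temp\is-7GH2.tmp cmdline="is-7GH2.tmp /Silent" parent=setup.exe
type=file pid=4131 target=C:\Users\alice\AppData\Local\Packages\PXT\loader.exe
type=process pid=4140 image=C:\Windows\System32\schtasks.exe cmdline="schtasks /Create /SC MINUTE /MO 15 /TN Sync /TR C:\Users\alice\AppData\Local\Packages\PXT\loader.exe" parent=is-7GH2.tmp
type=process pid=5002 image="C:\Program Files\7-Zip\7zG.exe" cmdline="7zG.exe" parent=explorer.exe
type=file pid=5002 target=C:\Users\alice\Documents\notes.txt
"""

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict (quoted values keep their spaces)."""
    event = {}
    for key, quoted, bare in KV_RE.findall(line):
        event[key] = quoted if quoted else bare
    return event


def tmp_silent_relaunch(ev):
    # Installer re-initiated from a .tmp file with the /Silent parameter.
    return (ev.get("type") == "process"
            and ev.get("image", "").lower().endswith(".tmp")
            and "/silent" in ev.get("cmdline", "").lower())


def pxt_drop(ev):
    # File written under %Localappdata%\Packages\PXT.
    return ev.get("type") == "file" and PXT_SUBPATH in ev.get("target", "").lower()


def pxt_scheduled_task(ev):
    # schtasks.exe creating a task whose action lives in the PXT directory.
    # (Assumption: the article says execution is scheduled, not which tool is used.)
    cmdline = ev.get("cmdline", "").lower()
    return (ev.get("type") == "process"
            and ev.get("image", "").lower().endswith("schtasks.exe")
            and "/create" in cmdline
            and PXT_SUBPATH in cmdline)


RULES = {
    "tmp_silent_relaunch": tmp_silent_relaunch,
    "pxt_drop": pxt_drop,
    "pxt_scheduled_task": pxt_scheduled_task,
}


def detect(log_text):
    """Return (rule_name, pid) for every event that matches a rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for name, rule in RULES.items():
            if rule(event):
                findings.append((name, event.get("pid")))
    return findings


def chain_observed(findings):
    """True when all three stages of the described execution chain were seen."""
    return set(RULES) <= {name for name, _ in findings}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for name, pid in hits:
        print(f"{name}: pid {pid}")
    print("full chain observed:", chain_observed(hits))
```

Each rule on its own would be noisy in a real environment (silent installers and scheduled tasks are common); the point of `chain_observed` is that an alert fires only when the three stages appear together, which is what makes this particular sequence distinctive.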

The Ducktail campaign is a reminder for users to refrain from opening unknown links and to download software/apps only from trusted sources. Enabling two-factor authentication (2FA) as an additional security measure is recommended in case a credential is compromised.


Image source: Shutterstock


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com