Ducktail Infostealer Targets Meta

Ducktail Infostealer Returns

Zettasecure monitors all security-related threat actors that could target our customers in any way and cause them harm. Back in September 2022 we became aware of a new phishing campaign that specifically targets some of our users with access to Meta (Facebook) Business accounts: infostealer malware is deployed on their PCs and steals all cookies of logged-in users. The targets are handpicked by locating companies that run Meta (Facebook) Business Ads. The operators of those firms are then located, possibly via LinkedIn, which is also used as a phishing channel. More about that can be found in our first blog entry from September here.

Ducktail evolves

After the first report from WithSecure was published here, the threat actors changed their operation and switched from directly targeting individuals and businesses to targeting the public at large. This is done by distributing different malicious files in .zip format posing as cracked or free versions of Microsoft Office, various games, programs, subtitle files, and more. The attackers then lure a victim into downloading and executing these files. To gain the trust of their victims, those .zip files are mostly hosted on trusted file sharing platforms. In one case reported here, victims received a malicious archive inside a WhatsApp chat as well, which extends the phishing operation of this threat actor to a previously unseen channel. A report from Zscaler also observed a focus on more data than before. According to their analysis, the malware now has the following capabilities:

  • Fetches information about the browsers installed on the system.
  • Pulls stored browser cookies from the system.
  • Targets Meta Business Accounts.
  • Looks for crypto account information in the wallet.dat file.
  • Collects and sends the data to the command and control (C&C) server (currently Telegram servers).

As we can see, there is a shift from just the Meta (Facebook) accounts to a broader approach. After the infection and the exfiltration of the data have occurred, the threat actors begin hands-on work, and further information theft is conducted on the infected system.
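The capability list above describes a recognisable chain on the endpoint: a freshly extracted executable reading browser cookie stores and wallet.dat, then beaconing to Telegram. The following triage script is an added example (not code from Zettasecure, Zscaler or WithSecure) that runs such rules over constructed, Sysmon-style events; the process allowlists and the assumption that exfiltration goes to the Telegram Bot API host api.telegram.org are mine and should be adjusted to your own telemetry.

```python
import ntpath
import re
from collections import defaultdict

# Processes expected to touch browser cookie databases; anything else reading them is suspect.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Artefacts Ducktail is reported to collect: Chromium/Firefox cookie stores and wallet.dat.
COOKIE_STORE = re.compile(r"\\(Cookies|cookies\.sqlite)$", re.I)
WALLET = re.compile(r"\\wallet\.dat$", re.I)
# Assumption: the C2 channel is the Telegram Bot API host.
TELEGRAM_HOST = "api.telegram.org"

def triage(events):
    """Return {process_path: set(rule names)} for every process that matched a rule."""
    hits = defaultdict(set)
    for ev in events:
        name = ntpath.basename(ev["proc"]).lower()
        target = ev["target"]
        if ev["action"] == "FileRead":
            if COOKIE_STORE.search(target) and name not in BROWSERS:
                hits[ev["proc"]].add("nonbrowser_cookie_read")
            if WALLET.search(target):
                hits[ev["proc"]].add("wallet_dat_read")
        elif ev["action"] == "NetConnect":
            host = target.rsplit(":", 1)[0].lower()
            if host == TELEGRAM_HOST and name not in BROWSERS:
                hits[ev["proc"]].add("nonbrowser_telegram_c2")
    return dict(hits)

def severity(rules):
    """Collection plus a Telegram beacon from the same process is the full infostealer chain."""
    collected = {"nonbrowser_cookie_read", "wallet_dat_read"} & rules
    if collected and "nonbrowser_telegram_c2" in rules:
        return "high"
    return "medium" if rules else "none"

# Constructed sample events (not real telemetry): a browser reading its own cookies is benign,
# a setup.exe extracted from a .zip into Temp doing the same and then calling Telegram is not.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LURE = r"C:\Users\jo\AppData\Local\Temp\7zO1234\Office2021_Setup.exe"
COOKIES = r"C:\Users\jo\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
EVENTS = [
    {"proc": CHROME, "action": "FileRead", "target": COOKIES},
    {"proc": LURE, "action": "FileRead", "target": COOKIES},
    {"proc": LURE, "action": "FileRead", "target": r"C:\Users\jo\AppData\Roaming\Bitcoin\wallet.dat"},
    {"proc": LURE, "action": "NetConnect", "target": "api.telegram.org:443"},
]

if __name__ == "__main__":
    for proc, rules in triage(EVENTS).items():
        print(severity(rules), proc, sorted(rules))
```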

How to protect myself from these attacks?

This type of attack relies mostly on social engineering tactics aimed at all employees with access to accounts and sensitive information. Therefore we suggest the following steps to reduce the impact on your company and its users:

  • Use an updated Endpoint Detection and Response solution (like SentinelOne Complete).
  • Conduct awareness training on how to detect phishing properly.
  • Assess your attack surface to know which employees might be affected. Start by focusing on LinkedIn and WhatsApp data dumps.
  • Review your Facebook Business users -> Business Manager > Settings > People.
  • Revoke access from unknown users and check all your devices.
  • Review your YouTube Brand Account users -> Settings > Account > Add or remove manager(s). Revoke access from unknown users and check all your devices.
  • Log out after every session and log in again at the next one. A password manager would help you with that.
  • Use MFA on all manager accounts.
  • Never download any files not relevant for your work.

Last but not least, check whether you are already infected with Ducktail by checking all publicly available IoCs from here. If so, reach out to Zettasecure and we will help you mitigate this attack.

13 Comments

  1. Armando

    Very good write-up. I absolutely appreciate this website.
    Thanks!

  2. Jaclyn

    Great post! I totally support your perspective. Insert specific point of agreement
    or appreciation.

    I also thought it was important to mention insert additional point or personal experience related to
    the topic.

    Thanks for sharing your ideas on this topic. We need more of this kind of discussion in today’s world, and
    I’m glad to see that insert author’s name or blog’s name is covering
    it.

    Looking forward to more posts.

    1. zettasec_admin

      Thank you for your Feedback. Keeping you posted!

  3. Margery

    Your mode of describing everything in this piece of writing is actually good, everyone is able to
    understand it without difficulty, Thanks a lot

  4. Ines

    It's like you read my mind! You seem to know
    a lot about this, like you wrote the post.
    I think that you can do with a few pics to drive the
    message home a bit, but other than that, this is a magnificent blog.

    An excellent read. I will certainly be back.

  5. coinbar

    Hi Dear, are you in fact visiting this website regularly, if so
    afterward you will without doubt obtain good knowledge.

  6. Linette

    Your way of telling everything in this paragraph is really pleasant,
    all can simply understand it, Thanks a lot!

  7. claritas

    I enjoy what you guys are up to. Such clever work and coverage!
    Keep up the wonderful work guys, I've added you guys to
    my personal blogroll.

  8. juanadowse

    Awesome post.

  9. casino

    Hello! Would you mind if I share your blog with my zynga group?
    There's a lot of folks that I think would really appreciate your content.
    Please let me know. Thanks

    1. zettasec_admin

      Hi Casino,
      we would be happy if you would share it. Feel free to do so 🙂
      BR,
      Philipp

  10. Ron Spinabella

    The research you’ve taken into this post is actually noticeable.
    This is a few of the best comprehensive coverage on the subject matter I’ve discovered.
