Malware descriptions

Ducktail fashion week

Ducktail is a malware family that has been active since the second half of 2021 and aims to steal Facebook business accounts. WithSecure and GridinSoft have covered Ducktail attacks: the infostealer spread under the guise of documents relating to well-known companies’ and brands’ projects and products. Both public reports attribute the Ducktail attacks to a group that presumably hails from Vietnam. We have analyzed a recent campaign that ran between March and early October 2023 and targeted marketing professionals. An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language.


The campaign saw the bad actor send out an archive containing images of new products by bona fide companies along with a malicious executable disguised with a PDF icon. When started, the malware would open a real, embedded PDF file that contained the job details. The attack was tailored to target marketing professionals looking for a career change. The choice of victims and the distinctive means used by the threat actor led us to assume early on that the campaign was about spreading a new version of Ducktail.

The malware would install a browser extension capable of stealing Facebook business and ads accounts, likely for subsequent sale.

Ducktail and the malicious extension

We examined a large number of archives from the latest campaign: in each case, a copy of Ducktail was emailed in the name of a major clothing company.

The contents of the malicious archive

The contents of the malicious archive

If opened by an interested victim, the malicious file saves a PowerShell script named param.ps1 and a PDF decoy locally to C:\Users\Public. The script uses the default PDF viewer on the device to open the decoy, pauses for five minutes, and then terminates the Chrome browser process.

While the script stands by, the parent executable saves a malicious library named libEGL.dll to C:\Users\Public\Libraries\ and then loads it. When launched, the library goes over every LNK file that it finds in:

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\,
  • C:\ProgramData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\,

and on the desktop, altering the launch string for all Chromium-based browsers (Google Chrome, Edge, Vivaldi, Brave) by adding the following code: --load-extension="C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\fjoaledfpmneenckfbpdfhkmimnjocfa"

Some of the library strings required for the malicious code to run are encrypted with the AES-CBC key “gnghfn47n467n43b” and the initialization vector “dakfhskljh92384h”.

The use of the strings containing the AES key and initialization vector as featured in the code

The use of the strings containing the AES key and initialization vector as featured in the code

In addition to launching the library, the parent file saves malicious browser extension files to C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\fjoaledfpmneenckfbpdfhkmimnjocfa. The extension disguises itself with the Google Docs Offline icon and description text, while the directory that features in the path (fjoaledfpmneenckfbpdfhkmimnjocfa) is used by the bona fide extension NordVPN. It is worth noting that other variants of the malware may use different paths to host the extension.

The malicious extension as seen in Google Chrome (left) and the authentic Google Docs Offline extension (right)

The malicious extension as seen in Google Chrome (left) and the authentic Google Docs Offline extension (right)

The core exception script is obfuscated. It constantly sends the details of all open browser tabs to the command-and-control (C&C) server, and if detecting Facebook-related URLs, checks for ads and business accounts to try and steal them. In particular, the extension snatches cookies and details of accounts that the victim is signed in to on the device. To bypass two-factor authentication, the extension uses Facebook API requests and Vietnam’s 2fa[.]live service, which offers various auxiliaries for generating one-time access codes, among other things. This is probably how the hackers log in after the user’s authentication session has expired. Stolen credentials and cookies are forwarded to a C&C server registered in Vietnam.

Malicious file usage flowchart

Malicious file usage flowchart

In this campaign, in addition to the main script, the malware would save to the extension folder a script named jquery-3.3.1.min.js, a corrupted version of the core script from prior attacks.

DuckTail attack geography

According to our telemetry, cybercriminals most often attacked users in India. Our solutions also stopped infection attempts on devices of users in Kazakhstan, Ukraine, Germany, Portugal, Ireland, Greece, Jordan, Pakistan, Vietnam, UAE, USA, Peru and Chile.


Tactic Technique ID Technique
Initial Access T1566.001 Phishing: Spearphishing Attachment
Persistence T1176 Browser Extensions
Execution T1059.001 Command and Scripting Interpreter: PowerShell
T1129 Shared Modules
T1204.002 User Execution: Malicious File
Enterprise T1539 Steal Web Session Cookie
Resource Development T1583.001 Acquire Infrastructure: Domains
Reconnaissance T1589 Gather Victim Identity Information
T1598.002 Phishing for Information: Spearphishing Attachment
Defense Evasion T1027 Obfuscated Files or Information
Command and Control T1071.001 Application Layer Protocol: Web Protocols
T1132.001 Data Encoding: Standard Encoding
Exfiltration T1041 Exfiltration Over C2 Channel

Indicators of compromise



Ducktail fashion week

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox