Ducktail is a malware family that has been active since the second half of 2021 and aims to steal Facebook business accounts. WithSecure and GridinSoft have covered Ducktail attacks: the infostealer spread under the guise of documents relating to well-known companies’ and brands’ projects and products. Both public reports attribute the Ducktail attacks to a group that presumably hails from Vietnam. We have analyzed a recent campaign that ran between March and early October 2023 and targeted marketing professionals. An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language.
The campaign saw the bad actor send out an archive containing images of new products by bona fide companies along with a malicious executable disguised with a PDF icon. When started, the malware would open a real, embedded PDF file that contained the job details. The attack was tailored to target marketing professionals looking for a career change. The choice of victims and the distinctive means used by the threat actor led us to assume early on that the campaign was about spreading a new version of Ducktail.
The malware would install a browser extension capable of stealing Facebook business and ads accounts, likely for subsequent sale.
Ducktail and the malicious extension
We examined a large number of archives from the latest campaign: in each case, a copy of Ducktail was emailed in the name of a major clothing company.
If opened by an interested victim, the malicious file saves a PowerShell script named param.ps1 and a PDF decoy locally to C:\Users\Public. The script uses the default PDF viewer on the device to open the decoy, pauses for five minutes, and then terminates the Chrome browser process.
While the script stands by, the parent executable saves a malicious library named libEGL.dll to C:\Users\Public\Libraries\ and then loads it. When launched, the library goes over every LNK file that it finds in:
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\,
- C:\ProgramData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\,
and on the desktop, altering the launch string for all Chromium-based browsers (Google Chrome, Edge, Vivaldi, Brave) by adding the following code:
Some of the library strings required for the malicious code to run are encrypted with the AES-CBC key “gnghfn47n467n43b” and the initialization vector “dakfhskljh92384h”.
In addition to launching the library, the parent file saves malicious browser extension files to C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\fjoaledfpmneenckfbpdfhkmimnjocfa. The extension disguises itself with the Google Docs Offline icon and description text, while the directory that features in the path (fjoaledfpmneenckfbpdfhkmimnjocfa) is used by the bona fide extension NordVPN. It is worth noting that other variants of the malware may use different paths to host the extension.
The core exception script is obfuscated. It constantly sends the details of all open browser tabs to the command-and-control (C&C) server, and if detecting Facebook-related URLs, checks for ads and business accounts to try and steal them. In particular, the extension snatches cookies and details of accounts that the victim is signed in to on the device. To bypass two-factor authentication, the extension uses Facebook API requests and Vietnam’s 2fa[.]live service, which offers various auxiliaries for generating one-time access codes, among other things. This is probably how the hackers log in after the user’s authentication session has expired. Stolen credentials and cookies are forwarded to a C&C server registered in Vietnam.
In this campaign, in addition to the main script, the malware would save to the extension folder a script named jquery-3.3.1.min.js, a corrupted version of the core script from prior attacks.
DuckTail attack geography
According to our telemetry, cybercriminals most often attacked users in India. Our solutions also stopped infection attempts on devices of users in Kazakhstan, Ukraine, Germany, Portugal, Ireland, Greece, Jordan, Pakistan, Vietnam, UAE, USA, Peru and Chile.
MITRE ATT&CK Matrix
|Initial Access||T1566.001||Phishing: Spearphishing Attachment|
|Execution||T1059.001||Command and Scripting Interpreter: PowerShell|
|T1204.002||User Execution: Malicious File|
|Enterprise||T1539||Steal Web Session Cookie|
|Resource Development||T1583.001||Acquire Infrastructure: Domains|
|Reconnaissance||T1589||Gather Victim Identity Information|
|T1598.002||Phishing for Information: Spearphishing Attachment|
|Defense Evasion||T1027||Obfuscated Files or Information|
|Command and Control||T1071.001||Application Layer Protocol: Web Protocols|
|T1132.001||Data Encoding: Standard Encoding|
|Exfiltration||T1041||Exfiltration Over C2 Channel|
Indicators of compromise