Ducktail Infostealer Detection: Criminal Hackers Hijack Business Accounts With New Malware

Ducktail Infostealer Malware

Financially motivated criminal hackers leverage a new infostealer dubbed Ducktail to exfiltrate browser cookies and take over victims’ Facebook Business accounts. The evidence suggests that the adversaries behind the campaign are Vietnam-based and primarily target professionals working in HR, management, and marketing. Active development of the Ducktail campaign can be traced back to the second half of 2021.

Adversaries propagate the malware via a spear-phishing campaign that targets victims on LinkedIn.

Ducktail Malware Campaign Detection

To ensure your system is not a sitting duck for infostealers such as Ducktail, use a dedicated Sigma rule released by the seasoned content contributor Aytek Aytemur:

New Ducktail Infostealer Malware (via process_creation)

The detection has translations for 24 SIEM, EDR & XDR platforms. The rule is aligned with the MITRE ATT&CK® framework v.10, addressing the Defense Evasion, Execution, and Command and Control tactics with Process Injection (T1055), User Execution (T1204), and Web Service (T1102) as the primary techniques.

Both seasoned and aspiring threat hunters are welcomed to share their Sigma-based content by joining SOC Prime’s Threat Bounty Program for professional guidance and stable income.

Follow the updates of detection content addressing infostealer malware compromises in the Threat Detection Marketplace repository of the SOC Prime Platform to stay well-informed of emerging threats – the View Detections button will take you to the vast library of rules translated to 26+ SIEM, EDR, XDR solutions. Browse an industry-leading search engine for Threat Hunting, Threat Detection, and Cyber Threat Intelligence to instantly reach relevant Sigma rules accompanied by contextual metadata, including MITRE ATT&CK and CTI references, CVE descriptions, executable binaries linked to detections, and more by clicking the Explore Threat Context button.


Ducktail Analysis

The malware campaign dubbed Ducktail was detailed by analysts from WithSecure. Based on the observed attacks, Ducktail operators target corporate users with admin access to Facebook’s Business and Ads platform, luring them into downloading bogus Facebook advertising information hosted on Dropbox, Apple iCloud, and MediaFire. There are instances of the threat actors behind the Ducktail campaign spreading the malware via LinkedIn by sending out weaponized archive files. The attacks are wide-ranging, targeting victims across different industry verticals globally.

Ducktail infostealer malware is written in .NET Core. Adversaries use Telegram for command-and-control communication and data exfiltration. When the victim executes the malware, it scans for browsers installed on the compromised device and exfiltrates stored cookies and all relevant Facebook-related data. The malware also runs an infinite loop in the background, so exfiltration continues for as long as the process is alive rather than happening once.
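One hunting angle that follows directly from the Telegram C2 channel described above, and that complements the process_creation Sigma rule from the detection section, is to flag any process other than a legitimate Telegram client that connects to the Telegram API. The following is an added example written for this post, not SOC Prime's rule or WithSecure's code; the Sysmon-style event dicts, the `api.telegram.org` hostname and the allow-list of client binaries are constructed assumptions.

```python
"""Hunting heuristic for Telegram-based C2 of the kind Ducktail uses.

Input: Sysmon Event ID 3 (network connection) records as dicts.
Output: Finding objects for non-allow-listed images reaching the Telegram API.
The hostname and the allow-list below are assumptions for this example.
"""
from dataclasses import dataclass

TELEGRAM_API_HOSTS = {"api.telegram.org"}                 # assumed C2 endpoint
ALLOWED_IMAGES = {"telegram.exe", "telegram desktop.exe"}  # assumed legit clients


@dataclass(frozen=True)
class Finding:
    image: str   # full path of the process that made the connection
    user: str    # account the process ran as
    dest: str    # destination hostname that triggered the finding


def flag_telegram_c2(events):
    """Return one Finding per network-connection event that matches."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 3:          # only network-connection events
            continue
        host = (ev.get("DestinationHostname") or "").lower()
        if host not in TELEGRAM_API_HOSTS:
            continue
        image = ev.get("Image", "")
        exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in ALLOWED_IMAGES:           # a real Telegram client is expected here
            continue
        findings.append(Finding(image=image, user=ev.get("User", ""), dest=host))
    return findings


# Constructed sample events: one Ducktail-like lure binary, one real client,
# one unrelated browser connection, and one non-network event to be ignored.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\hr\AppData\Local\Temp\Ad_Campaign_Details.exe",
     "User": r"CORP\hr.user", "DestinationHostname": "api.telegram.org"},
    {"EventID": 3, "Image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "User": r"CORP\marketing.user", "DestinationHostname": "api.telegram.org"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "User": r"CORP\hr.user", "DestinationHostname": "www.facebook.com"},
    {"EventID": 1, "Image": r"C:\Users\hr\AppData\Local\Temp\Ad_Campaign_Details.exe",
     "User": r"CORP\hr.user"},
]

if __name__ == "__main__":
    for f in flag_telegram_c2(SAMPLE_EVENTS):
        print(f"[triage] {f.user} ran {f.image} -> {f.dest}")
```

A hit is a triage lead, not a verdict: confirm the binary's origin and check whether the same host also shows browser cookie stores being read.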

In the modern cyber weapon arms race, a timely response to attacks launched by criminal hackers can save your company from a dire financial and reputational setback. Join SOC Prime to enhance your defenses and transform Threat Detection with the power of collective cybersecurity expertise.
