Infostealer malware DUCKTAIL targets businesses


WithSecure - formerly F-Secure Business - has detected a new infostealer malware: DUCKTAIL. The malware is delivered via LinkedIn spear phishing and then targets Facebook business accounts. 

DUCKTAIL targets professionals via LinkedIn spear phishing campaigns to hijack Facebook Business accounts. Security researchers from WithSecure™ (formerly F-Secure Business) have discovered an attack campaign dubbed DUCKTAIL targeting individuals and businesses with a Business or Ads account on Facebook. The campaign includes a malware component that enables information theft and the hijacking of Facebook Business accounts. Based on analytics and collected data, WithSecure™ has determined that the campaign is being conducted by a Vietnamese threat actor.

DUCKTAIL probably comes from Vietnam

WithSecure™ discovered the initially unknown malware earlier this year and began analyzing it. It emerged that the threat actor has been actively developing and distributing malware related to the DUCKTAIL campaign since the second half of 2021. Evidence suggests that the threat actor may have been engaged in cybercrime activity as early as late 2018 and has since continuously updated and propagated the malware to enhance its ability to bypass existing or new Facebook security features, as well as other implemented features. The analysis further revealed that the threat actor's motives are financial in nature.

Target: Facebook Business accounts

DUCKTAIL's campaigns use an infostealer malware component specifically designed to hijack Facebook Business accounts. This is the first instance of such functionality known to WithSecure™, and it distinguishes DUCKTAIL from previous Facebook-targeted malware campaigns. The malware is designed to steal browser cookies and exploit authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account the victim has sufficient access to.

WithSecure™ found that DUCKTAIL scouts its targets via LinkedIn and phishes people who likely have admin access to a Facebook Business account.

Carefully selected targets

Figure: This is how DUCKTAIL attacks (Image: WithSecure).

“We believe scammers carefully select a small number of targets to increase their chances of success and to go unnoticed. The reason for the assumption is that people in senior positions, in digital marketing, digital media and in the human resources department of companies were targeted,” said Mohammad Kazem Hassan Nejad, researcher at WithSecure™ Intelligence, the specialist threat intelligence division of WithSecure™.

The popularity of social networks and media platforms continues to increase. Unfortunately, this tempts cyber criminals to misuse these platforms for their own ends, e.g. for the distribution of malware, theft, disinformation campaigns and fraud. Malware targeting social platforms like Facebook has been relatively rare due to the security mechanisms implemented by the platforms. However, their large reach and user base make them an interesting attack vector for threat actors.



About WithSecure

WithSecure, formerly F-Secure Business, is the trusted partner in cyber security. IT service providers, managed security services providers and other companies trust WithSecure - as do large financial institutions, industrial companies and leading communication and technology providers. With its results-oriented approach to cyber security, the Finnish security provider helps companies to put security in relation to operations and to secure processes and prevent business interruptions.


 
