Published By: Admin

Threat Alert: Malware That Steals Facebook Accounts

In the ever-evolving landscape of cybersecurity, new threats emerge regularly, challenging the defenses of businesses and individuals alike.

One such emerging threat is a sophisticated malware known as Ducktail, which specifically targets Facebook Business accounts. Let’s delve into the workings of Ducktail, its unique characteristics, and crucial protection measures.

The Rise of Ducktail Malware

Our researchers have recently uncovered a new strain of malware from the Ducktail family. The cybercriminals behind this threat have a specific target – company employees in senior positions or those working in HR, digital marketing, or social-media marketing. The aim? To hijack Facebook Business accounts, an asset of immense value for any modern business.

Modus Operandi – Bait and Malicious Payload

Ducktail relies on a simple lure. The attackers send potential victims archives whose visible contents are bait: images and video files on a single theme, chosen to lower the recipient's guard. In a campaign that ran from March to early October 2023 the theme was fashion; the emails purported to come from major players in the fashion industry, and the archives held photos of clothing items.

The same archives also carry executable files. These are dressed up as harmless PDF documents but have the .exe extension. Their long, carefully chosen file names are meant to keep the extension out of the victim's sight: a long name pushes the extension out of view in a file manager's name column. In the fashion-themed campaign the names referred to "guidelines and requirements for candidates", but other campaigns use price lists or commercial offers instead.

The Malicious Ducktail Archive

When the victim opens the disguised EXE, a malicious script runs on the device. It displays a PDF to keep up the façade while, in the background, it searches for shortcuts to Chromium-based browsers (Google Chrome, Microsoft Edge, Vivaldi and Brave). It then edits the command line stored in each shortcut, adding a switch that makes the browser load a browser extension, which is also packed inside the executable. Finally the script kills the running browser process, so that the next launch, via the modified shortcut, starts the browser with the extension loaded.
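The shortcut tampering described above is something a defender can check for directly. The following is an added example, not code from the original article or from the Ducktail research: it parses Windows .lnk files (layout per the MS-SHLLINK specification) and flags Chromium browser shortcuts whose stored arguments contain an extension side-loading switch. The article does not name the switch Ducktail appends; the scanner assumes Chromium's standard --load-extension and --disable-extensions-except switches. The sample shortcuts produced by build_lnk() are constructed for the example and are not real Ducktail artefacts; the paths in them are made up.

```python
"""Added example, not code from the original article: parse Windows shortcut
(.lnk) files and flag Chromium browser shortcuts whose command line side-loads
an extension, which is the modification the article describes.

Assumptions, labelled here: the article does not name the switch Ducktail
adds; this scanner looks for Chromium's standard --load-extension and
--disable-extensions-except switches. The .lnk layout follows MS-SHLLINK.
The shortcuts built by build_lnk() are constructed sample input, not real
Ducktail artefacts, and the paths inside them are made up.
"""
import struct
import sys
from pathlib import Path

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which sections follow the 76-byte header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData order is fixed by the spec.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-0046}

CHROMIUM_BROWSERS = ("chrome.exe", "msedge.exe", "vivaldi.exe", "brave.exe")
SIDELOAD_SWITCHES = ("--load-extension", "--disable-extensions-except")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file (name, relative_path,
    working_dir, arguments, icon_location), skipping the IDList and LinkInfo blocks."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, field in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[field] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def classify_shortcut(fields: dict) -> dict:
    """Is this a Chromium browser launcher, and does its command line side-load an extension?"""
    hints = " ".join(fields.get(k, "") for k in ("relative_path", "icon_location", "name")).lower()
    is_browser = any(exe in hints for exe in CHROMIUM_BROWSERS)
    args = fields.get("arguments", "")
    hits = [sw for sw in SIDELOAD_SWITCHES if sw in args.lower()]
    return {"browser": is_browser, "sideload_switches": hits, "arguments": args}


def scan_shortcuts(root: Path) -> list:
    """Walk a directory tree for .lnk files; return (path, arguments) for browser shortcuts
    that side-load an extension. Unreadable or malformed files are skipped."""
    findings = []
    for lnk in root.rglob("*.lnk"):
        try:
            result = classify_shortcut(parse_lnk(lnk.read_bytes()))
        except (OSError, ValueError, struct.error):
            continue
        if result["browser"] and result["sideload_switches"]:
            findings.append((str(lnk), result["arguments"]))
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Build a minimal Unicode .lnk (header + StringData only) as constructed sample input."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION
    header = struct.pack("<I16sI", 0x4C, SHELL_LINK_CLSID, flags) + b"\x00" * (0x4C - 24)

    def string_data(text: str) -> bytes:   # CountCharacters (2 bytes) + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


if __name__ == "__main__":
    chrome = r"..\..\..\Program Files\Google\Chrome\Application\chrome.exe"
    clean = build_lnk(chrome, "", chrome)
    # Constructed: the shape of argument a Ducktail-style dropper would append (path is made up).
    tampered = build_lnk(chrome, r'--load-extension="C:\Users\victim\AppData\Local\Temp\ext"', chrome)
    for label, blob in (("clean", clean), ("tampered", tampered)):
        print(label, classify_shortcut(parse_lnk(blob)))
    if len(sys.argv) > 1:   # a real folder to sweep, e.g. the Desktop or Start Menu
        for path, args in scan_shortcuts(Path(sys.argv[1])):
            print("SUSPICIOUS:", path, args)
```

On a Windows host, point scan_shortcuts() at the places shortcuts actually live: %USERPROFILE%\Desktop, %PUBLIC%\Desktop, %APPDATA%\Microsoft\Windows\Start Menu, %ProgramData%\Microsoft\Windows\Start Menu and the taskbar pin folder %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar. A browser shortcut carrying any --load-extension argument is worth investigating, since the stock shortcuts created by the installers carry none; the directory named in that argument is where the extension can be found and examined.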

The Malicious Browser Extension

Once installed, the extension poses as Google Docs Offline, copying that extension's icon and description (in English only, which can be a giveaway where the browser runs in another language). It continuously monitors every open tab and reports what it sees to the attackers' command-and-control (C2) server. What it is really after are Facebook tabs: when it finds one, it harvests data from the Ads and Business accounts together with the active session cookies, which let the attackers reuse the logged-in session without knowing the password.
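The behaviour described above (watching every tab, reaching Facebook, lifting session cookies) has to be declared in the extension's manifest, and the impersonation shows up as a Google extension name on an ID that Google never issued. The following is an added example, not code from the original article or from the Ducktail research: it audits Chromium extension manifests for those indicators. The sample manifests are constructed for the example and are not real Ducktail artefacts. The Web Store ID of the genuine Google Docs Offline extension is taken here as ghbmnnjooekpmoecnnnilnnbdlolhkhi; confirm it against the Web Store listing before relying on it.

```python
"""Added example, not code from the original article: audit Chromium
extension manifests for the capabilities the article attributes to the
Ducktail extension (watching every tab, reaching Facebook, lifting session
cookies) and for impersonation of Google Docs Offline.

Assumptions, labelled here: the sample manifests are constructed for this
example and are not real Ducktail artefacts. The Web Store ID of the genuine
Google Docs Offline extension is taken as ghbmnnjooekpmoecnnnilnnbdlolhkhi
(check it against the Web Store listing). An extension loaded unpacked from
disk gets an ID derived from its path, so a Google extension name on a
different ID, or on an unpacked extension, is the impersonation signal.
"""
import json
from pathlib import Path

GENUINE_IDS = {"Google Docs Offline": "ghbmnnjooekpmoecnnnilnnbdlolhkhi"}

# Permissions that, combined with broad host access, let an extension read every
# tab, inject scripts and read cookies for any site.
HIGH_RISK_PERMISSIONS = {"tabs", "cookies", "webRequest", "scripting", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> set:
    """Collect host patterns: MV2 lists them under 'permissions', MV3 under 'host_permissions'."""
    perms = manifest.get("permissions", [])
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if p == "<all_urls>" or "://" in p}
    return hosts


def audit_manifest(manifest: dict, extension_id: str = None) -> dict:
    """Return the indicators found in one manifest. extension_id=None means the
    extension was loaded unpacked from a directory rather than installed."""
    # Store extensions often localise the name as __MSG_...__; that case is not resolved here.
    name = manifest.get("name", "")
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    findings = []
    genuine = GENUINE_IDS.get(name)
    if genuine and extension_id is None:
        findings.append(f"'{name}' loaded unpacked from disk; the real one comes from the Web Store")
    elif genuine and extension_id != genuine:
        findings.append(f"'{name}' on ID {extension_id}, expected {genuine}")
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    if hosts & BROAD_HOSTS:
        findings.append("host access to every site")
    facebook = sorted(h for h in hosts if "facebook.com" in h)
    if facebook:
        findings.append("host access to Facebook: " + ", ".join(facebook))
    return {"name": name, "id": extension_id, "findings": findings, "score": len(findings)}


def audit_installed(profile_dir: Path) -> list:
    """Audit every <profile>/Extensions/<id>/<version>/manifest.json (Chromium layout)."""
    results = []
    for path in (profile_dir / "Extensions").glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        results.append(audit_manifest(manifest, extension_id=path.parent.parent.name))
    return results


def audit_unpacked(ext_dir: Path) -> dict:
    """Audit a directory handed to --load-extension (take the path from the shortcut's arguments)."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    return audit_manifest(manifest, extension_id=None)


# Constructed samples: a plausible shape for the real extension, and an impostor
# declaring what the article says the Ducktail extension does.
GENUINE_SAMPLE = {"manifest_version": 3, "name": "Google Docs Offline",
                  "permissions": ["alarms", "storage", "unlimitedStorage"],
                  "host_permissions": ["https://docs.google.com/*", "https://drive.google.com/*"]}
IMPOSTOR_SAMPLE = {"manifest_version": 3, "name": "Google Docs Offline",
                   "permissions": ["tabs", "cookies", "storage", "scripting"],
                   "host_permissions": ["<all_urls>", "*://*.facebook.com/*"]}

if __name__ == "__main__":
    print(audit_manifest(GENUINE_SAMPLE, GENUINE_IDS["Google Docs Offline"]))
    print(audit_manifest(IMPOSTOR_SAMPLE, extension_id=None))
```

Installed extensions live under the profile directory (on Windows, Chrome's default profile is %LOCALAPPDATA%\Google\Chrome\User Data\Default), so audit_installed() covers those; an extension pulled in through --load-extension lives wherever the shortcut argument points, which is what audit_unpacked() is for. A score of zero does not prove an extension benign, but a Google name on a non-Google ID, or any extension combining tabs and cookies with access to every site, deserves a manual look.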

The group behind Ducktail has been active since 2018, with its distribution traceable back to 2021.

Guarding Against Ducktail

Protection against Ducktail involves basic digital hygiene:

Avoid Suspicious Downloads: Never download dubious archives, especially from untrusted sources on work computers.

Check File Extensions: Scrutinize the extension of every file downloaded from the internet or received by email before opening it. Windows hides known extensions by default, so turn on "File name extensions" in File Explorer's View menu so that the real extension is visible.

Beware of Deceptive Files: Do not open files that present themselves as documents or images but carry the .exe extension; an executable posing as a document is a strong indicator of malware.

Check Browser Shortcuts and Extensions: Since Ducktail persists by rewriting browser shortcuts, inspect the Target field of your Chrome, Edge, Vivaldi and Brave shortcuts for command-line arguments you did not add, and review the browser's extensions page (chrome://extensions and its equivalents) for an extension loaded unpacked from disk or one that borrows the name of a Google extension.

Install Reliable Protection: Use robust cybersecurity solutions on all work devices. These can detect threats like Ducktail and provide timely alerts.

The Ducktail malware exemplifies the sophisticated tactics cybercriminals employ to breach corporate defenses. Its focus on Facebook Business accounts highlights the importance of these platforms in today’s digital economy. Vigilance and adherence to cybersecurity best practices are the first line of defense against such threats. By understanding the nature of these attacks and implementing strong security measures, businesses and individuals can better protect themselves from the evolving threats in the digital world.