Ducktail, a well-known phishing campaign that hijacks Facebook accounts that run ad campaigns for businesses, is now distributing a brand new infostealer malware.
According to researchers from Zscaler, Ducktail previously used LinkedIn to distribute a piece of malware written in .NET Core that collects Facebook Business account information stored in a web browser and exfiltrates it to a private Telegram channel that acted as the malware’s command & control server (C2), communicating with target systems to coordinate cyber-attacks.
However, now Ducktail has been spotted spreading a new malware variant that can steal not only Facebook-adjacent data, but other sensitive data stored in browsers, such as data related to cryptocurrency wallets, account information and basic system data.
Stealing browser data
The C2 has also changed – the data no longer goes to a Telegram channel, but to a JSON website that also stores account tokens and other data necessary for fraud on the device.
Zscaler also claimed that the malware is shared as an archive file uploaded to a legitimate file hosting service. The attackers, they say, made sure that the malware is not flagged by antivirus software by loading it into memory only.
Users can mitigate the damage caused by Ducktail and other malware by switching to an anonymous browser, or by simply making sure they don’t store sensitive information in the browser of their choice.
This is especially important because, if the malware lands on an endpoint with a Facebook Business account, the attackers can search for additional sensitive financial details, such as PayPal information. This includes amounts spent on certain purchases, verification statuses, and more.
In most cases, attackers who use malware try to trick people into downloading it by presenting it as movie subtitle files, adult content, or pirated software cracks.
While it’s true that Ducktail’s new infostealer could evade antivirus software, software that comes with built-in web protection can still help by blocking access to suspicious sites that may have it.
Via: BleepingComputer