Zscaler ThreatLabz research team observed a PHP version of “Ducktail” Infostealer distributed as a cracked application installer for a variety of applications including games, Microsoft Office applications, Telegram and others.
Notably, Ducktail has been active since 2021; experts say it could be operated by a Vietnamese threat group. The main objective of this attack campaign is to take control of Facebook Business accounts.
The chain of attack
“Earlier versions (observed by WithSecure Labs) were based on a binary written using .NetCore with Telegram as the C2 channel to exfiltrate data”, Zscaler
In this case, the malicious installer is hosted on a file hosting website. Comparing with previous campaigns, the researchers claim that changes have been made in the execution of malicious code. Additionally, threat actors have moved to a script version where the main stealer code is a PHP script and not a .Net binary.
“Upon execution, the fake installer displays a GUI “Checking Application Compatibility” in the frontend. In the backend, it generates a .tmp file that resets the installer with the parameter ” /Silent” and then another .tmp file is generated”, Zscaler researchers.
The PHP script consists of code to decrypt a base64 encoded text file. Running the decrypted version of the text file will lead to running the custom job schedule binary as the end result.
The researchers say the thief’s code is decrypted at runtime in memory and then performs data theft and exfiltration operations.
Malware Feature
- Retrieves the information of the browser installed in the system.
- Extracts stored information from system browser cookies.
- Targets Facebook Business accounts.
- Looks up crypto account information in the wallet.dat file.
- Collects and sends data to the command and control (C&C) server.
Further, the malicious script collects information about installed browsers in the system and extracts essential data like machine ID, browser version and file name from it and copies those data.
Targeting Facebook pages to steal information
In this case, the malware examines the various Facebook pages to steal information. These pages belong to the Facebook API graph, Facebook Ads Manager and Facebook Business accounts.
By looking for Facebook Business Ads Manager links, the malicious code will gain access to details of accounts and payment cycles. The malware tries to get the list of Facebook Business page details:
- Payment initiated
- Payment Required
- Verification status
- Proprietary Ad Accounts
- Amount spent
- Currency Details
- Account Status
- Ad payment cycle
- Source of funding
- Payment method [credit card, debit card etc.]
- Paypal payment method [email address]
- Pages owned.
Subsequently, the PHP script tries to connect to the C&C server to get the list of contents stored in JSON format, which will then be used to collect information.
“The Ducktail Steerer campaign continually makes changes or enhancements to delivery mechanisms to steal a wide variety of sensitive user and system information targeting users in general,” the researchers said.
Also Read: Download Secure Web Filtering – Free Ebook
