DUCKTAIL operation targets Facebook’s Business and Ad accounts

July 27, 2022  By Pierluigi Paganini


Researchers uncovered an ongoing operation, codenamed DUCKTAIL that targets Facebook Business and Ad Accounts.

Researchers from WithSecure (formerly F-Secure Business) have discovered an ongoing operation, named DUCKTAIL, that targets individuals and organizations that operate on Facebook’s Business and Ads platform.

Experts attribute the campaign to a Vietnamese financially motivated threat actor which is suspected to be active since 2018.

“Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018.” reads the report published by the experts.

The threat actors target individuals and employees that may have access to a Facebook Business account, they use an information-stealer malware that steals browser cookies and abuse authenticated Facebook sessions to steal information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers connected the victims through LinkedIn, some of the samples observed by the experts have been hosted on file or cloud hosting services, such as Dropbox, iCloud, and MediaFire.

WithSecure researchers noticed that samples employed in the DUCKTAIL operation were written in .NET Core and were compiled using its single file feature. This feature bundles all dependent libraries and files into a single executable, it also includes the main assembly. Experts pointed out that the usage of .NET Core and its single-file feature is uncommon in malware development.

The use of .Net Core allows the attackers to embed Telegram.Bot client as well as any other external
dependencies into a single executable and use Telegram channels as Command and Control (C&C).

“Since late last year, the threat actor has shifted entirely to using Telegram as their C&C channel making use of the Telegram Bot functionality. Currently, the adversary only exfiltrates stolen information through the C&C channel and no commands are sent from the C&C to the victim’s machine other than potentially sending e-mail addresses for business hijacking purposes.” continues the report.

In order to steal Facebook session cookies from the victims, the malware scans the machine for popular browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Firefox. For each of the browsers that it finds, it extracts all the stored cookies, including any Facebook session cookie.

The malware also steals information from the victim’s personal Facebook account, including name, email address, date of birth, and user ID, along with other data such as 2FA codes, user agents, IP address, and geolocation

Ducktail

Once obtained the above data, the attackers can access to the victim’s personal account, hijack it by adding their email address retrieved from the Telegram channel and grant themselves Admin and Finance editor access.

“They can edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.” states the report.

Countries affected by DUCKTAIL samples analyzed by the experts includes US, India, Saudi Arabia, Italy, Germany, Sweden, Finland, and the Philippines.

“WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook’s existing security features and hijacking businesses.” concludes the report. “However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features.”

Facebook Business administrators are recommended to check access permissions for their business accounts and remove any unknown users.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ducktail operation)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

The strange similarities between Lockbit 3.0 and Blackmatter ransomware

 Researchers found similarities between LockBit 3.0 ransomware and BlackMatter, which is a rebranded variant of the DarkSide...