New PHP Version of Ducktail info-stealer hijacks Facebook Business accounts

Pierluigi Paganini October 15, 2022

Experts spotted a PHP version of an information-stealing malware called Ducktail spread as cracked installers for legitimate apps and games.

Zscaler researchers discovered a PHP version of an information-stealing malware tracked as Ducktail. The malicious code is distributed as free/cracked application installers for a variety of applications including games, Microsoft Office applications, Telegram, and others.  

Ducktail has been active since 2021, the experts believe it was operated by a Vietnamese threat group. In July 2022, researchers from WithSecure (formerly F-Secure Business) discovered a DUCKTAIL campaign targeting individuals and organizations that operate on Facebook’s Business and Ads platform.

The threat actors target individuals and employees that may have access to a Facebook Business account, they use an information-stealer malware that steals browser cookies and abuse authenticated Facebook sessions to steal information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers connected the victims through LinkedIn, some of the samples observed by the experts have been hosted on file or cloud hosting services, such as Dropbox, iCloud, and MediaFire.

DUCKTAIL samples analyzed in the past were written in .NET Core and were compiled using its single file feature.

“Earlier versions (observed by WithSecure Labs) were based on a binary written using .NetCore with Telegram as its C2 Channel to exfiltrate data.” reads the analysis published by Zscaler. “In August 2022, the Zscaler Threatlabz team saw a new campaign consisting of a new edition of the Ducktail Infostealer with new TTPs. Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.”

In this campaign, the threat actors employed a new website to host data. The data are stored in JSON format and are used to perform stealing activities. The same host is used to store data stolen from the victims.

Unlike previous Ducktail campaigns, the most recent one is targeting the public at large, rather than specific employees with Admin or Finance access to Facebook Business accounts.

The malware is distributed in .ZIP files hosted on file-sharing platforms (i.e. mediafire[.]com), posing as cracked or free versions of Office applications, games, subtitle files, porn-related files, and others.

Ducktail Facebook malware

In the last campaign the malicious code is a PHP script that launch the code used to steal the data from victims’ browsers, cryptocurrency wallets, and Facebook Business accounts.

The malware achieves persistence by triggering a series of events to execute a malicious payload named “libbridged.exe.”The executable schedules tasks in three forms to ensure that the malicious code gets executed on a daily basis and on regular intervals.

Once executed, the malware scrutinizes the various Facebook pages to steal information from them. The pages analyzed by the malicious code belong to Facebook API graph, Facebook Ads Manager, and Facebook Business accounts. It fetches the unique User ID of the victim machine using the c_user argument.

Looking over Facebook Business Ads Manager links, the malicious code will access details of accounts and payment cycles.

Below is the list of details that the malware attempts to fetch from the Facebook Business pages: 

  • Payment initiated
  • Payment required
  • Verification Status
  • Owner ad accounts
  • Amount spent
  • Currency details
  • Account status
  • Ads Payment cycle
  • Funding source
  • Payment method [ credit card, debit card etc.]
  • Paypal Payment method [email address]
  • Owned pages. 

“It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancement in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting users at large.” concludes the report. “Zscaler’s ThreatLabz team is continuously monitoring the campaign and will bring to light any new findings that it will come across.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ducktail)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment