Cybercriminal activity targeting social media users' accounts with the information-stealing malware known as Ducktail has increased dramatically, with Vietnam-based attackers leading the new surge, according to information compiled by WithSecure.
Ducktail first emerged a little more than 12 months ago, targeting business accounts on Facebook and spreading through spear-phishing emails sent to carefully researched targets believed to hold administrative privileges on Meta's business services.
The lure is typically delivered as an archive file hosted on public cloud file storage services. It contains the malware alongside image, document and video files named with keywords related to branding and product marketing to minimize suspicion.
The attackers then stole browser cookies and leveraged the authenticated Facebook sessions to obtain the information needed to hijack the Meta Business accounts the victims had access to. After stealing access, they attempted to escalate privileges to take over business accounts, thereby gaining control of the victim organization's presence across Meta's various platforms.
“While the incentives for companies to leverage social media for their own benefit are high, these platforms also offer adversaries with differing intentions and capabilities a range of opportunities,” said report author Mohammad Kazem Hassan Nejad.
“The adversarial challenges posed by these platforms are pervasive, dynamic, complex, and, most importantly, pernicious. For example, nation-states or state-sponsored attackers may use them for reconnaissance, spear phishing, influence operations, and so on. But other forms of attack can result in far greater collective damage.”
What's new?
Hassan Nejad explained that the latest Ducktail campaign is being rolled out in a similar way. However, the lures used by the cybercriminals have changed somewhat and now incorporate trending topics such as the growing popularity of generative artificial intelligence (AI) services, for example a guide to ChatGPT's features and its potential impact on marketers and social media professionals.
Its distribution mechanisms and victimology have also expanded: invitations now center on job opportunities, something not seen before, with the attackers abusing fictitious job offers from well-known brands. Retailers Gap, Mango, Macy's and Uniqlo, among others, are impersonated to lure job seekers and freelancers.
Ultimately, they still steal session cookies and login credentials, take over accounts, and use victims' money and ad credits to run fraudulent ads. This process is now automated to some extent, which is another new feature. In some cases, compromised accounts can be used to extort funds or to post disparaging content about competitors.
“Leveraging such access to leverage existing capabilities of affected companies (such as lines of credit) to run deceptive advertisements is far more valuable to financially motivated cybercriminals. Executing deceptive ads can cause cascading effects on the victims to whom the deceptive ads are served and can materialize and propagate other threats, extending the impact beyond the affected company,” Hassan Nejad wrote.
Hassan Nejad said the group behind it is clearly more sophisticated and mature and has begun evolving its malware to incorporate anti-analysis and detection-evasion features.
But Hassan Nejad has also observed other important developments in the course of his continued research on Ducktail.
In particular, the group now also targets advertising accounts on X, the service formerly known as Twitter, using the malware's core functionality to collect information from X such as logged-in user IDs and session cookies.
Perhaps more concerning is the emergence of another new piece of malware, which WithSecure calls Duckport, that has significant overlap with Ducktail.
Features unique to this new malware include the ability to take screenshots, the abuse of online note-sharing services in the command-and-control chain, and the ability to expose victim machines to the public internet and access them remotely.
Neeraj Singh of WithSecure, who supported the research, argued that the involvement of different but similar groups points to some kind of interaction between different operations in the same space.
“These various groups may be sourcing expertise from a common talent pool, or working within an information-sharing framework to exchange tools and insights on effective strategies. That is a possibility,” Singh said.
“Additionally, we cannot ignore the possibility that intermediaries are involved that provide specialized services, similar to the ransomware-as-a-service model. However, it is clear that the space is growing and these attacks are showing a level of success.”