New PHP Version of Ducktail Malware Hijacking Facebook Business Accounts

Cyber Security

Products You May Like

A PHP version of an information-stealing malware called Ducktail has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler.

“Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.,” Zscaler ThreatLabz researchers Tarun Dewan and Stuti Chaturvedi said.

CyberSecurity

Ducktail, which emerged on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware primarily designed to hijack Facebook business and advertising accounts.

The financially motivated cybercriminal operation was first documented by Finnish cybersecurity company WithSecure (formerly F-Secure) in late July 2022.

Hacking Facebook Business Accounts

While previous versions of the malware were found to use Telegram as a command-and-control (C2) channel to exfiltrate information, the PHP variant spotted in August 2022 establishes connections to a newly hosted website to store the data in JSON format.

Attack chains observed by Zscaler entail embedding the malware in ZIP archive files hosted on file-sharing services like mediafire[.]com, masquerading as cracked versions of Microsoft Office, games, and porn-related files.

CyberSecurity

Execution of the installer, in turn, activates a PHP script that ultimately launches the code responsible for stealing and exfiltrating data from web browsers, cryptocurrency wallets, and Facebook Business accounts.

“It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancement in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting users at large,” the researchers said.

Products You May Like

Articles You May Like

North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit
NCLT Approves Merger of Viacom 18, Star India After CCI Nod
Breaking Down AD CS Vulnerabilities: Insights for InfoSec Professionals
New Cyberattack Targets Chinese-Speaking Businesses with Cobalt Strike Payloads
iPhone 16 Pro Max Leaked Dummy Unit Offers Glimpse at New Desert Titanium Colourway

Leave a Reply

Your email address will not be published. Required fields are marked *