There have been some developments in the Ducktail phishing campaign. Before getting into them, a little history on Ducktail is in order for those who might be unfamiliar. The Ducktail phishing campaign was first discovered and reported on in late July of 2022; researchers at the firm WithSecure are credited with the discovery. As for who is responsible, WithSecure’s report assesses with high confidence that the threat actors behind the campaign are based in Vietnam. WithSecure’s evidence further suggests that malware linked to the Ducktail operation has been distributed since the second half of 2021, and that the threat actor could have been active since 2018.
As one might expect of a campaign of this nature, the threat actor’s motives appear to be financial. The campaign was also noted for selecting its targets in a curated manner and in small numbers. The theory behind this target selection is that it increases the chances of success and helps the operation remain unnoticed. One of the recent changes to the campaign, discussed below, relates to exactly this targeting.
As for who exactly this campaign has been targeting, the main focus was clearly on Facebook Business accounts. Specifically, Ducktail targeted individuals likely to have high-level access to Facebook Business accounts, such as those in management, marketing, digital media, or human resources roles. Targets appear to have been found primarily on LinkedIn. The threat actors could simply reach out to people who met these requirements and use social engineering to deliver a malware payload hosted on a service like iCloud or Dropbox. Although the campaign was targeted on an individual basis, there is no indication that specific regions or countries were singled out: telemetry data from WithSecure shows Ducktail activity in North America, Europe, and Asia.
The overall flow of the process can be seen in this image from WithSecure below. Once the package is downloaded, the malware, if executed, can proceed with an info stealing procedure and exfiltrate the victim’s data. If Facebook session information is found, the malware will also attempt to access the account and add an additional email for administrative purposes. With all of that said, it is worth noting here that reports indicate that newer instances of Ducktail appear to be targeting the public at large rather than specifically targeting people that might have access to a Facebook Business account.
Figure 1. Original flow of Ducktail (source: WithSecure)
The biggest change to Ducktail’s process is that it is now spreading malware written in PHP. Previously, the malware associated with Ducktail was written in .NET Core, which was itself a change from malware written in the traditional .NET Framework. The move from the .NET Framework to .NET Core provided several advantages. Most notably, .NET Core allows for a self-contained binary that does not rely on the .NET Framework being installed on the target machine. It also allowed the malware to be distributed as a single file and potentially benefit from a lower detection rate compared with the .NET Framework.
If a user downloads and installs the lure package sent to them, the malware is installed to a directory in the user’s AppData folder. The complete malware package includes a local PHP interpreter, scripts for stealing information, and a collection of support libraries. For persistence, the malware is set via Scheduled Tasks to run daily.
The info stealer’s code exists on disk only as a Base64-encoded PHP file. The script is launched from a batch file and decoded entirely in memory, so the actual code is never written to disk in readable form, which helps avoid detection. Upon installation, a parallel process is started in which several things occur: one script makes a call to the Task Scheduler, ensuring that the collection process can be re-run, while another script begins the collection process. The updated flow for Ducktail’s process can be seen in the graphic from Zscaler below.
Figure 2. Updated flow of the Ducktail process (source: Zscaler)
First, the script will attempt to determine information about the browsers on the machine. Then, it will seek to collect information from the cookies on the machine and focus on finding Facebook and crypto accounts. If a Facebook account is found and is determined to be business related, much like with the previous campaign, the script will attempt to infer additional information about the account, such as payment methods, cycles, amounts spent, owner details, verification, PayPal information, etc. Once data is examined and collected, it is then sent to a command-and-control server.
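The two on-host traces described above, a daily Scheduled Task that launches a batch file or bundled PHP interpreter out of AppData, and a stealer script stored on disk only as Base64-encoded PHP, can both be hunted for with a few lines of Python. This is an added example written for this post, not tooling from WithSecure, Zscaler, or Red Sky Alliance; the CSV column names are assumed to match `schtasks /query /v /fo csv` output, and all rows and the encoded script are constructed sample data.

```python
import base64
import csv
import io
import re

# Constructed sample of `schtasks /query /v /fo csv` output (column names are an
# assumption about that tool's output). The "\Updater" row mimics the
# persistence described above: a daily task launching a batch file / bundled
# PHP interpreter from the user's AppData folder. The other rows are benign.
SAMPLE_TASKS_CSV = """\
"TaskName","Task To Run","Schedule Type","Run As User"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","Weekly","SYSTEM"
"\\Updater","C:\\Users\\alice\\AppData\\Local\\Packages\\php\\run.bat","Daily","alice"
"\\OneDrive Update","C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\Updater.exe","Daily","alice"
"""

APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
LAUNCHER_RE = re.compile(r"(php\.exe|\.bat|\.cmd)\b", re.IGNORECASE)


def suspicious_tasks(csv_text):
    """Return (TaskName, Task To Run) for daily tasks whose action runs a
    batch file or PHP interpreter out of AppData. The benign AppData .exe
    row is not flagged because the launcher check fails."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        if (row.get("Schedule Type", "").strip().lower() == "daily"
                and APPDATA_RE.search(cmd) and LAUNCHER_RE.search(cmd)):
            hits.append((row["TaskName"], cmd))
    return hits


def decodes_to_php(data):
    """True if `data` is strict Base64 that decodes to a PHP script, the
    on-disk form of the stealer (the batch file decodes it in memory)."""
    try:
        decoded = base64.b64decode(data, validate=True)
    except (ValueError, TypeError):
        return False
    return b"<?php" in decoded[:64].lower()


# Constructed stand-in for the encoded stealer file (harmless PHP).
SAMPLE_ENCODED_SCRIPT = base64.b64encode(b"<?php echo 'constructed sample'; ?>")

if __name__ == "__main__":
    for name, cmd in suspicious_tasks(SAMPLE_TASKS_CSV):
        print(f"suspicious task {name}: {cmd}")
    print("encoded file is PHP:", decodes_to_php(SAMPLE_ENCODED_SCRIPT))
```

On a real host, feed `suspicious_tasks` the saved output of the schtasks query and run `decodes_to_php` over the files found under any flagged task's directory; a hit on both is worth an immediate look.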
In summary, Ducktail is a phishing campaign that was first reported on in July 2022. The threat actors behind it, who may have been active in the cybercriminal space since 2018, are believed to be in Vietnam. In terms of targeting, the initial campaign sought to exploit Facebook Business accounts by manipulating LinkedIn users with suitable profiles into downloading the malware. Recently, Ducktail’s targeting appears to have broadened: instead of only going after users with Facebook Business accounts, the actors are content to exfiltrate data from a wider range of Facebook users. Alongside the change in targeting scope, the underlying malware distributed by the campaign has also changed. Instead of an executable written in .NET Core, Ducktail is now distributing malware written in PHP. The scripts involved are stored on disk in encoded form and are decoded entirely in memory to avoid detection. The overall flow of this malware is to determine browser information on the machine, pull stored cookies to look for Facebook or crypto accounts, and send the collected data to remote command-and-control servers.
About Red Sky Alliance
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice; external threats, however, are often overlooked and can provide an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
- REDSHORTS: https://attendee.gotowebinar.com/register/5504229295967742989