Malware that steals Facebook accounts

How attackers use infected archives and malicious browser extensions to steal Facebook Business accounts.

How Ducktail steals Facebook accounts

Our researchers have discovered a new version of malware from the Ducktail family. Cybercriminals are using it to target company employees who either hold fairly senior positions or work in HR, digital marketing, or social-media marketing. Their ultimate goal is to hijack Facebook Business accounts, so it makes sense that the attackers are interested in folks most likely to have access to them. Today, we talk about how attacks occur, what’s unusual about them and, of course, how to protect yourself.

Bait and malicious payload

What the cybercriminals behind Ducktail do is send out malicious archive to their potential victims. To lull the recipient’s vigilance, the archives contain bait in the form of theme-based images and video files on a common topic. For example, the theme of the most recent campaign (March to early October 2023) was fashion: emails were sent out in the name of big fashion industry players with archives containing photos of items of clothing.

However, inside these archives were also executable files. These files had PDF icons and very long file names to divert the victim’s attention from the EXE extension. Additionally, the names of the fake files appeared to be carefully chosen for relevance so as to persuade the recipients to click on them. In the fashion-themed campaign, the names referred to “guidelines and requirements for candidates”, but other bait like, say, price lists or commercial offers, can be used as well.

Contents of a malicious Ducktail archive

The malicious Ducktail archive contains a file that looks like a PDF but is in fact an EXE

After clicking the disguised EXE file, a malicious script runs on the target device. Firstly, it does indeed display the contents of some PDF file embedded in the malware code, with the hope that the victim doesn’t smell a rat. At the same time, the malware scans all the shortcuts on the desktop, the Start menu, and the Quick Launch toolbar. It searches for shortcuts to Chromium-based browsers, such as Google Chrome, Microsoft Edge, Vivaldi, Brave… Having found one, the malware alters its command line by adding an instruction to install a browser extension, which is also embedded in the executable file. Five minutes later, the malicious script terminates the browser process, prompting the user to restart it using one of the modified shortcuts.

Malicious browser extension

After the user clicks the shortcut, a malicious extension is installed in the browser, where it convincingly masquerades as Google Docs Offline, using the exact same icon and description (though only in English, which can give away the fake in some regions).

Malicious browser extension

The malicious extension masquerading as Google Docs Offline (left), and the real Google Docs Offline extension (right) in the Google Chrome browser

Once installed and running, the malicious extension starts constantly monitoring all tabs opened by the user in the browser and sending information about them to the attackers’ C2 server. If it finds an address associated with Facebook among the opened tabs, the malicious extension checks for Ads and Business accounts and then hijacks them.

The extension steals information from Facebook accounts logged into on the victim’s device, as well as active session cookies stored by the browser, which can be used to sign in to the accounts without authentication.

The group behind the malware has reportedly been active since 2018. Several research teams believe it has Vietnamese origin. The group’s distribution of Ducktail can be pinpointed to 2021.

How to guard against Ducktail

To protect against Ducktail and similar threats, employees need to simply observe basic digital hygiene; in particular:

  • Never download suspicious archives on work computers — especially if the links come from untrusted sources.
  • Carefully check the extensions of all files downloaded from the internet or email before opening them.
  • Never click on a file that looks like a harmless document but has an EXE extension — this is a clear sign of malware.
  • Always install reliable protection on all work devices.This will warn you of potential danger and defeat any attacks in time. Our solutions detect this threat with the verdict HEUR:Trojan.Win64.Ducktail.gen.
  • You can find indicators of compromise as well as more technical details on this malware in the respective Securelist blog post.