<h1>Malware that steals Facebook accounts</h1>
<p>Kaspersky Daily (me-en.kaspersky.com), published 2023-11-22, updated 2023-11-24. Source: <a href="https://me-en.kaspersky.com/blog/ducktail-steals-facebook-business-accounts/22084/">https://me-en.kaspersky.com/blog/ducktail-steals-facebook-business-accounts/22084/</a></p>
<p><em>How attackers use infected archives and malicious browser extensions to steal Facebook Business accounts.</em></p>
<p>Our researchers <a href="https://securelist.com/ducktail-fashion-week/111017/" target="_blank" rel="nofollow noopener">have discovered</a> a new version of malware from the Ducktail family. Cybercriminals are using it to target company employees who either hold fairly senior positions or work in HR, digital marketing, or social-media marketing. Their ultimate goal is to hijack Facebook Business accounts, so it makes sense that the attackers are interested in the people most likely to have access to them. Today we look at how the attacks occur, what is unusual about them and, of course, how to protect yourself.</p>
<h2>Bait and malicious payload</h2>
<p>The cybercriminals behind Ducktail send malicious archives to their potential victims. To lull the recipient's vigilance, the archives contain bait in the form of images and video files on a common theme. For example, the theme of the most recent campaign (March to early October 2023) was fashion: emails were sent out in the name of big fashion-industry players, with archives containing photos of items of clothing.</p>
<p>However, the archives also contained executable files. These files had PDF icons and very long file names to divert the victim's attention from the EXE extension. Additionally, the names of the fake files appeared to be carefully chosen for relevance, so as to persuade the recipients to click on them. In the fashion-themed campaign, the names referred to "guidelines and requirements for candidates", but other bait, such as price lists or commercial offers, can be used as well.</p>
<div id="attachment_49847" class="wp-caption aligncenter"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/37/2023/11/23000905/ducktail-steals-facebook-business-accounts-1.jpg" alt="Contents of a malicious Ducktail archive" width="1500" height="996"><p id="caption-attachment-49847" class="wp-caption-text">The malicious Ducktail archive contains a file that looks like a PDF but is in fact an EXE</p></div>
<p>After the disguised EXE file is clicked, a malicious script runs on the target device. First, it does indeed display the contents of a PDF file embedded in the malware code, in the hope that the victim doesn't smell a rat. At the same time, the malware scans all the shortcuts on the desktop, in the Start menu, and in the Quick Launch toolbar. It searches for shortcuts to Chromium-based browsers such as Google Chrome, Microsoft Edge, Vivaldi and Brave. Having found one, the malware alters the shortcut's command line by adding an instruction to install a browser extension, which is also embedded in the executable file. Five minutes later, the malicious script terminates the browser process, prompting the user to restart it using one of the modified shortcuts.</p>
<h2>Malicious browser extension</h2>
<p>After the user clicks the shortcut, a malicious extension is installed in the browser, where it convincingly masquerades as Google Docs Offline, using the exact same icon and description (though only in English, which can give away the fake in some regions).</p>
<div id="attachment_49846" class="wp-caption aligncenter"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/37/2023/11/23000915/ducktail-steals-facebook-business-accounts-2-EN.jpg" alt="Malicious browser extension" width="1000" height="273"><p id="caption-attachment-49846" class="wp-caption-text">The malicious extension masquerading as Google Docs Offline (left), and the real Google Docs Offline extension (right) in the Google Chrome browser</p></div>
<p>Once installed and running, the malicious extension constantly monitors all tabs the user opens in the browser and sends information about them to the attackers' C2 server. If it finds an address associated with Facebook among the open tabs, the malicious extension checks for Ads and Business accounts and then hijacks them.</p>
<p>The extension steals information from the Facebook accounts that are logged in on the victim's device, as well as the active session cookies stored by the browser, which can be used to sign in to those accounts without going through authentication.</p>
<p>The group behind the malware has <a href="https://gridinsoft.com/blogs/ducktail-malware-analysis/" target="_blank" rel="nofollow noopener">reportedly</a> been active since 2018. <a href="https://labs.withsecure.com/publications/ducktail" target="_blank" rel="nofollow noopener">Several</a> research teams believe it has Vietnamese origin. The group's distribution of Ducktail can be pinpointed to 2021.</p>
<h2>How to guard against Ducktail</h2>
<p>To protect against Ducktail and similar threats, employees simply need to observe basic digital hygiene; in particular:</p>
<ul>
<li>Never download suspicious archives on work computers — especially if the links come from untrusted sources.</li>
<li>Carefully check the extensions of all files downloaded from the internet or received by email before opening them.</li>
<li>Never click on a file that looks like a harmless document but has an EXE extension — this is a clear sign of malware.</li>
<li>Always install <a href="https://me-en.kaspersky.com/small-business-security/small-office-security" target="_blank" rel="noopener">reliable protection</a> on all work devices. This will warn you of potential danger and defeat any attacks in time. Our solutions detect this threat with the verdict <a href="https://threats.kaspersky.com/en/threat/HEUR:Trojan.Win64.Ducktail.gen" target="_blank" rel="noopener nofollow">HEUR:Trojan.Win64.Ducktail.gen</a>.</li>
<li>You can find indicators of compromise as well as more technical details on this malware in the respective <a href="https://securelist.com/ducktail-fashion-week/111017/" target="_blank" rel="noopener">Securelist blog post</a>.</li>
</ul>