Ducktail is targeting marketing professionals in the fashion industry with its latest campaign, where the threat actors send out archives containing images of authentic products from well-known companies alongside a malicious executable camouflaged as a PDF file.
According to a report from Kaspersky, upon execution, the malware opens a genuine embedded PDF, detailing job information, with the attack crafted to appeal to marketing professionals actively seeking career changes.
The malware’s objective is to install a browser extension adept at pilfering Facebook business and ads accounts, with the likely intent of selling the stolen credentials.
The report noted this strategic shift indicates an evolving sophistication in Ducktail’s attack techniques, tailored to exploit specific professional demographics.
Inside the Ducktail Malware Infection Routine
When the victim opens the malicious file, it saves a PowerShell script (param.ps1) and a fake PDF file to the device’s public directory.
The script, triggered by the default PDF viewer, opens the fake PDF, pauses, and then shuts down the Chrome browser.
Simultaneously, the attack saves deceptive browser extension files to a Google Chrome directory, disguising itself as a Google Docs Offline extension. The malware can alter its path for hosting the extension.
The obscured core script consistently sends details of open browser tabs to a command-and-control (C2) server.
If Facebook-related URLs are detected, the extension attempts to steal ads and business accounts, extracting cookies and account details.
To bypass two-factor authentication (2FA), the extension uses Facebook API requests and the 2fa[.]live service from Vietnam. Stolen credentials are sent to a C2 based in Vietnam.
In this campaign, an additional script (jquery-3.3.1.min.js) is saved to the extension folder, which is a corrupted version of a core script from previous attacks.
The threat actors have taken a new approach by leveraging Delphi as its programming language, departing from their usual .NET application approach.
How to Protect Against Ducktail Cyberattacks
The Ducktail malware campaign’s use of the Delphi programming language creates detection challenges for security teams, as the language’s uncommon signature-based antivirus protections may miss this threat.
“To improve monitoring, organizations should employ more behavior-based analytics and heuristic monitoring to identify anomalies indicative of malicious activity,” explains Amelia Buck, threat intelligence analyst at Menlo Security.
She says marketing teams in particular should be trained to spot social engineering, given tailored attacks intended to mislead them.
“Regarding social engineering tactics, the legitimate-looking image files of products from well-known fashion brands build trust before delivering the infected PDFs,” Buck notes.
She points out training should advise staff to be skeptical of unsolicited files from outside senders, avoid enabling macros, and verify unexpected attachments through internal confirmation before opening.
“Caution should be taken even with work-relevant content, as relevance builds credibility for deception,” she explains. “Employees should also inspect sender addresses for spoofing rather than assume the site is legit.”
She adds that the browser extension component also warrants safeguards, recommending that all staff enable multifactor authentication for social media and other accounts containing sensitive information.
“This however should not be relied upon,” she explains. “They should also refrain from entering credentials into third-party extensions, watch for unapproved browser extension installs, and avoid using work credentials for personal browsing.”
Providing a password manager would also strengthens account security against password reuse across compromised accounts.
Ducktail’s Persistent Threat
Ducktail has been active since at least May 2021 and has affected users with Facebook business accounts in the United States and more than three dozen other countries.
The Vietnam-based financial cybercrime operation behind Ducktail has consistently demonstrated adaptability in its attack strategies.
In addition to using LinkedIn as an avenue for spear-phishing targets, as it did in previous campaigns, the Ducktail group has now begun using WhatsApp to target users.
Cybersecurity researchers recently uncovered a connection between the notorious DarkGate remote access Trojan (RAT) and Ducktail, determined from nontechnical markers such as lure files, targeting patterns, and delivery methods.