DUCKTAIL malware campaign targeting Facebook business and advertising accounts is back

A suspected Vietnam-based group of attackers specializing in targeting employees with potential access to Facebook business and ad management accounts has reemerged with changes to its infrastructure, malware, and modus operandi after first being exposed a few months ago.

The group, dubbed DUCKTAIL by researchers at WithSecure, uses spear phishing to target people on LinkedIn who have job descriptions that might indicate they have access to Facebook business account management. More recently, the attackers have also been observed targeting victims via WhatsApp. The compromised Facebook business accounts are used to run ads on the platform for the financial benefit of the attackers.

DUCKTAIL attackers conduct their reconnaissance

The accounts are abused from the victim's own browser by a malware program delivered under the guise of brand, product, and project planning documents. The attackers first create a list of companies that have business pages on Facebook. They then search LinkedIn and other sources for employees who work for those companies and have job titles that could give them access to those company pages. This includes management, digital marketing, digital media and human resources functions.

The final step is to send them a link to an archive containing the malware disguised as a PDF, along with images and videos that appear to be part of the same project. Some of the filenames the researchers saw include “Project Development Plan”, “Project Information”, “Products” and “New Project L’Oréal Budget Business Plan”. Some of the files contained country names, suggesting the attackers customize them for each victim and country based on their reconnaissance. The identified victims were spread all over the world, so the attackers are not targeting a specific region.
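As an added example (not code from the article or from WithSecure), the following Python script inspects an archive of the kind described above and flags members that claim to be documents or media but carry a Windows PE header, that stack a document extension on top of an executable one, or that hide the real extension behind a Unicode right-to-left override. The sample archive and its filenames are constructed inline for the demonstration; the magic numbers and the three detection rules are standard, not specific to this campaign.

```python
from __future__ import annotations

import io
import zipfile

# Extensions a lure would claim, versus extensions Windows will actually execute.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
MEDIA_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".mp4", ".mov"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
RTLO = "\u202e"  # Unicode right-to-left override: "Plan\u202efdp.exe" renders as "Planexe.pdf"


def detect_type(head: bytes) -> str:
    """Coarse content type from the leading bytes (magic numbers), independent of the file name."""
    if head.startswith(b"MZ"):
        return "pe"  # Windows executable or DLL
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def inspect_archive(data: bytes) -> dict[str, list[str]]:
    """Return {member name: [reasons]} for every member that looks like a disguised executable."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in base.split(".")[1:]]  # every extension after the base name
            final_ext = exts[-1] if exts else ""
            with zf.open(info) as fh:
                kind = detect_type(fh.read(16))
            reasons = []
            if RTLO in name:
                reasons.append("right-to-left override character in name")
            if final_ext in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS | MEDIA_EXTS for e in exts[:-1]):
                reasons.append(f"document-style name ending in executable extension {final_ext}")
            if final_ext in DOCUMENT_EXTS | MEDIA_EXTS and kind == "pe":
                reasons.append("document or media extension but PE (MZ) header")
            if kind == "pe":
                reasons.append("PE executable inside a 'documents' archive")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample lure archive (hypothetical names and contents, not a real DUCKTAIL artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Project Information/Products.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("Project Information/Budget.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        zf.writestr("Project Information/Readme.pdf", b"%PDF-1.7\n%constructed sample\n")
        # Three ways of passing a PE off as a document: double extension, wrong extension, RTLO trick.
        zf.writestr("Project Information/Development Plan.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Project Information/Business Plan.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Project Information/Plan" + RTLO + "fdp.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_archive(build_sample_archive()).items():
        print(repr(member))
        for reason in reasons:
            print("   -", reason)
```

The content check is the important one: a mail or download gateway that trusts the extension will pass "Business Plan.pdf" through, while two bytes of the member's content identify it as a Windows executable. Real archives may also be password-protected or nested, which this script does not handle.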

The DUCKTAIL group is believed to have been running this campaign since the second half of 2021. After WithSecure exposed the operation in August of this year, it went quiet and the attackers overhauled some of their tools before resuming.

Attackers switch to GlobalSign as a certificate authority

Malware samples analyzed earlier this year were digitally signed using a legitimate code signing certificate obtained from Sectigo on behalf of a Vietnamese company. Because this certificate was reported and revoked, the attackers switched to GlobalSign as their certificate authority. While they continued to request certificates from multiple CAs on behalf of the original company, they also created six other companies, all registered in Vietnam, and received code signing certificates for three of them. The certificates were Extended Validation (EV) code signing certificates, for which the CA verifies the legal identity of the applicant through various documents; the group passed that vetting with companies set up for the purpose. Revocation is only a partial remedy: a signed binary whose countersigned timestamp predates the revocation date the CA sets will still validate, so a "valid" Authenticode signature from an unfamiliar publisher should not by itself be treated as a trust signal.

Copyright © 2022 IDG Communications, Inc.

