An ongoing spear-phishing campaign dubbed “Ducktail” is targeting admin profiles of enterprise networks via LinkedIn, with the motive of taking over Facebook Business accounts and exploiting the Ads function to run malvertising campaigns.
According to researchers at WithSecure, a popular global IT-security firm, the hackers are of Vietnamese origin and have been active since 2018.
Modus operandi
The Ducktail operators have a narrow targeting scope and choose their victims carefully, seeking people with administrative access to their employer's social media accounts. They contact employees on LinkedIn who are likely to have access to Facebook Business accounts, such as those whose profiles describe them as working in "digital media" or "digital marketing."
The operator then lures the potential victim into downloading a file hosted on a legitimate cloud hosting service such as Dropbox or iCloud. The downloaded file contains JPEG images and a PDF document relevant to the topic the operator discussed with the victim during the social-engineering stage.
Security researchers reported that the file itself is .NET Core malware that can run on any operating system without the .NET runtime having to be installed on the computer. Once it has compromised the system, the malware collects browser cookies from Chrome, Edge, and Firefox, along with other sensitive information, in order to steal Facebook credentials.
“The malware directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account,” researchers explained.
The malware then extends its reach to other Facebook pages owned by the victim, collecting multiple tokens, IP addresses, account information, geolocation data, and other data of value so that it can pose as a legitimate admin.
After gaining access to the victim’s business profile, the malware steals advertising limits, credit card details, client lists, currency, payment cycle, and other sensitive details; finally, the stolen data is exfiltrated through Telegram bots when the malware exits or crashes.
The malware runs in an infinite loop in the background, which allows continuous exfiltration of new cookies and of any update to the victim’s Facebook account. The goal is to interact with the victim’s account and ultimately create an email account managed by the hacker that holds the highest privilege roles, namely admin access and finance editor.
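Two behaviours described above are observable on the endpoint: a non-browser process talking to Facebook endpoints with a stolen session cookie, and uploads to the Telegram Bot API. The following is an added detection example (not code from the article or from WithSecure) that runs over constructed proxy/EDR log lines; the process name, log format and bot token are all placeholders.

```python
import re

# Constructed sample log lines (not from the article): "<timestamp> <process> <host> <path>"
SAMPLE_LOGS = [
    "2022-07-26T10:01:02Z chrome.exe www.facebook.com /business/",
    "2022-07-26T10:01:05Z outlook.exe outlook.office.com /mail/inbox",
    "2022-07-26T10:01:07Z project_brief.exe graph.facebook.com /me/adaccounts",
    "2022-07-26T10:01:09Z project_brief.exe business.facebook.com /business_locations",
    "2022-07-26T10:01:12Z project_brief.exe api.telegram.org /bot000000000:PLACEHOLDER_TOKEN/sendDocument",
    "2022-07-26T10:02:00Z firefox.exe graph.facebook.com /v14.0/me",
]

# Processes expected to talk to Facebook; anything else doing so is suspicious.
KNOWN_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
FACEBOOK_HOSTS = {"www.facebook.com", "graph.facebook.com", "business.facebook.com"}
# Telegram Bot API calls look like /bot<token>/<method>; workstations rarely need this.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[\w-]+/(sendDocument|sendMessage|sendPhoto)")

def parse_line(line):
    """Split one log line into its fields; raises ValueError on malformed input."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed log line: {line!r}")
    _, proc, host, path = parts
    return {"proc": proc.lower(), "host": host.lower(), "path": path}

def classify(event):
    """Return the detection reasons that apply to one event (empty list if benign)."""
    reasons = []
    if event["host"] in FACEBOOK_HOSTS and event["proc"] not in KNOWN_BROWSERS:
        reasons.append("non-browser process using Facebook endpoints")
    if event["host"] == "api.telegram.org" and TELEGRAM_BOT_PATH.match(event["path"]):
        reasons.append("Telegram Bot API upload (possible exfiltration)")
    return reasons

def flag_events(lines):
    """Run classify() over log lines and collect (process, host, reason) hits."""
    hits = []
    for line in lines:
        event = parse_line(line)
        for reason in classify(event):
            hits.append((event["proc"], event["host"], reason))
    return hits

def correlate(hits):
    """Processes that both touched Facebook and uploaded to a Telegram bot: the full pattern."""
    by_proc = {}
    for proc, _host, reason in hits:
        by_proc.setdefault(proc, set()).add(reason)
    return sorted(p for p, r in by_proc.items() if len(r) == 2)
```

Either reason alone is worth a look; a single process matching both is the combination worth escalating, since browsers should be the only Facebook clients on a marketing workstation and nothing there should be uploading files through a Telegram bot.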