WithSecure has discovered an ongoing malware operation, dubbed “DUCKTAIL,” which targets individuals and organizations operating on Facebook’s Ads and Business platform, the company reported on July 26.
WithSecure says, with “high confidence,” that the operation is the work of a Vietnamese threat actor. The chain of evidence suggests that its motives are financial.
DUCKTAIL’s operations rely on an infostealer malware component that includes functionality specifically designed to hijack Facebook Business accounts, WithSecure stated. The malware steals browser cookies and abuses the victim’s authenticated Facebook sessions to extract information from the victim’s Facebook account and, ultimately, to hijack any Facebook Business account to which the victim has sufficient access.
LinkedIn Also Targeted
WithSecure reports that DUCKTAIL is scouting for and phishing its targets via LinkedIn, where it selects users likely to have high-level access to a Facebook Business account, especially those with admin privileges.
As Mohammad Kazem Hassan Nejad, researcher for WithSecure™ Intelligence, explained:
“We believe that the DUCKTAIL operators carefully select a small number of targets to increase their chances of success and remain unnoticed. We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted.”
DUCKTAIL was initially discovered as an unknown malware earlier this year. WithSecure reports that, once it began tracking and analyzing the operation, it found that the threat actor had been developing and distributing the malware since the second half of 2021. Since then, WithSecure adds, the DUCKTAIL operation has continued to update and push out new versions of the malware, adding features and attempting to bypass existing or newly introduced Facebook security controls.
Partnering with MSPs and MSSPs
WithSecure, which offers partner programs for MSPs and MSSPs, notes that it has detections in place in its endpoint protection platform (EPP) and endpoint detection and response (EDR) solutions. These include static and behavioral detection signatures covering multiple stages of the attack lifecycle, according to WithSecure.
Hassan Nejad advises that vigilance and alertness are key to avoiding falling victim to DUCKTAIL:
“Many spear phishing campaigns target users on LinkedIn. If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.”