Zscaler ThreatLabz researchers analyzed and uncovered the KillChain of the DuckTail attacker

DuckTail is a campaign involving multiple actors based in Vietnam who use the same TTPs.

The attackers primarily target users in the digital marketing and advertising industry, going after Facebook and TikTok business accounts as well as Google advertising accounts.

Attackers go after advertising accounts to gain access to their advertising budgets. The stolen accounts are subsequently sold in specialized Telegram groups, with prices ranging from $15 for a low-grade account to $340 for a high-end one.

DuckTail's primary vector for distribution continues to be social engineering through LinkedIn messaging.

Attackers create fake LinkedIn recruiter profiles and job postings posing as popular companies to lure unsuspecting victims. At the same time, they use Google Translate to communicate with potential victims.

The DuckTail malware steals stored session cookies from browsers using code specifically designed to take over Facebook business accounts.

Most often, the DuckTail malicious payload is a .NET executable file. However, some DuckTail payloads come in the form of an Excel add-in or a browser extension.

The executable file is usually supplied in an archive along with image and video files. Malicious archives are often hosted on public cloud hosting services such as iCloud, Google Drive, Dropbox, Transfer.sh and OneDrive.
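The delivery pattern described above (an executable, sometimes an Excel add-in, bundled in an archive next to image and video files) can be triaged automatically at a mail or download gateway. The following is an added example, not code from the Zscaler research or from this post; the extension lists and the constructed sample archive are assumptions for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for this example: payload formats named in the post
# (.NET executables, Excel add-ins) plus common media/document lures.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".msi", ".xll"}
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi", ".pdf"}


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP archive's member names and flag the DuckTail-style
    mix of an executable/add-in shipped alongside image or video files.
    Returns the executables, media files, and the reasons for flagging."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    executables, media, reasons = [], [], []
    for name in names:
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        ext = suffixes[-1] if suffixes else ""
        if ext in EXECUTABLE_EXTS:
            executables.append(name)
            # "Plan.jpg.exe" style double extension imitates a media file
            if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTS:
                reasons.append(f"double extension: {name}")
        elif ext in MEDIA_EXTS:
            media.append(name)
    if executables and media:
        reasons.append("executable bundled with image/video files")
    return {
        "executables": executables,
        "media": media,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def build_sample_archive(members: list[str]) -> bytes:
    """Constructed sample: build an in-memory ZIP with the given member
    names (contents are irrelevant to the name-based triage)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed lure mimicking the described pattern: media plus a disguised .NET binary
LURE = ["Brief/photo1.jpg", "Brief/intro.mp4", "Brief/Marketing Plan.jpg.exe"]
BENIGN = ["Brief/photo1.jpg", "Brief/photo2.png"]
```

Name-based triage is only a first filter; a flagged archive should still go to sandbox detonation, since the post notes the payload is sometimes a browser extension rather than an executable.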

In some cases, attackers use Trello, a project management platform, as cloud hosting, uploading archives as attachments to Trello cards and providing victims with a direct download link to the card.

Another widely abused platform is Rebrandly, a URL shortening service the attackers use to distribute download links.

A further infection method is creating web pages that claim to offer marketing guides and marketing software but actually deliver DuckTail malware.

Notably, DuckTail attackers have successfully used ChatGPT and Google Bard AI as a tool to lure victims into installing malware.

Attackers use Telegram, Facebook and Zalo to transmit and exchange stolen information. They also run bots in their chats to automatically process data coming in from new victims.

DuckTail attackers use private proxies to log into compromised accounts, and also abuse Facebook's "encrypted notifications" feature to prevent victims from recovering their account.

And, as the researchers found out, OPSEC is not practiced at all: the attackers do not care if their original IP address ends up in the user interface of the S5 Proxy service, not to mention other lapses.