A new phishing campaign codenamed ‘Ducktail’ is underway, targeting professionals on LinkedIn to take over Facebook business accounts that manage advertising for the company.
The operators of Ducktail have a narrow targeting scope and select their victims carefully, trying to find people who have admin privileges on their employer’s social media accounts.
The discovery of this campaign comes from researchers at WithSecure, who have been tracking what they believe to be a Vietnamese threat actor since 2021 and have collected evidence of activity dating back to 2018.
This means that Ducktail has been underway for at least a year and might have been active for almost four years now.
Stealing Facebook accounts
The threat actor reaches out to employees on LinkedIn who could have Facebook business account access, for example, people listed as working in “digital media” and “digital marketing” as their roles.
As part of the conversations with a potential target, the threat actors use social engineering and deception to convince them to download a file hosted on a legitimate cloud hosting service like Dropbox or iCloud.
The downloaded archive contains JPEG image files relevant to the discussion between the scammer and the employee but also includes an executable made to appear like a PDF document.
This file is actually a .NET Core malware that contains all the required dependencies, allowing it to run on any computer, even those without the .NET runtime installed.
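As an added defensive example (not code from the WithSecure report), the triage check below opens a downloaded archive and flags members whose name suggests a document but whose content starts with a Windows PE header, which is what the lure's PDF-lookalike executable would trip. The archive, its filenames and its contents are constructed for the demonstration.

```python
import io
import zipfile

# Leading bytes of the file types that matter for this lure.
MAGIC = {
    "pdf": b"%PDF",
    "jpeg": b"\xff\xd8\xff",
    "pe": b"MZ",  # Windows executable, including self-contained .NET apps
}

# Extensions a victim would read as "just a document or picture".
DOCUMENT_EXTS = (".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx")


def classify(data: bytes) -> str:
    """Return the real type of a file from its leading bytes, or 'unknown'."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def find_disguised_executables(archive_bytes: bytes) -> list[str]:
    """Return member names that carry a document-style extension anywhere in
    the name (e.g. 'Brief.pdf.exe') but whose content is a PE executable."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)
            ext_parts = info.filename.lower().split(".")[1:]
            looks_like_doc = any("." + p in DOCUMENT_EXTS for p in ext_parts)
            if classify(head) == "pe" and looks_like_doc:
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the lure: images plus a fake 'PDF'.
    These are synthetic bytes, not a real Ducktail sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("campaign/banner.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("campaign/mockup.jpeg", b"\xff\xd8\xff\xe1" + b"\x00" * 32)
        zf.writestr("campaign/Brief.pdf", b"%PDF-1.7\n%synthetic document")
        zf.writestr("campaign/Project_Details.pdf.exe", b"MZ" + b"\x90" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_disguised_executables(build_sample_archive()):
        print("disguised executable:", name)
```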
When executed, the malware scans for browser cookies on Chrome, Edge, Brave, and Firefox, collects system information, and eventually targets Facebook credentials.
“The malware directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account,” explains WithSecure in the report.
The requests to Facebook’s endpoints appear authentic as they originate from the victim’s browser using a valid session cookie.
The malware crawls various Facebook pages to capture multiple access tokens and uses them for unobstructed endpoint interaction at later stages.
The stolen information includes the cookies, IP address, account information (name, email, birthday, user ID), 2FA codes, and geolocation data, essentially allowing the threat actor to continue this access from their machine.
Business-specific details stolen from the compromised account include the verification status, advertising limit, users list, client list, ID, currency, payment cycle, the amount spent, and the adtrust DSL (dynamic spend limit).
The data is exfiltrated through Telegram bots. Exfiltration takes place at set intervals, when Facebook accounts have been stolen, when the malware process exits, or when the malware crashes.
Hijacking the Facebook account
Not only does the malware steal information from victims’ Facebook accounts, but the threat actors also hijack them by adding their own email address to the compromised Facebook Business account. When adding the user, they assign permissions that give the threat actors full access to the account.
The threat actors then leverage their new privileges to replace the financial details on file so that they can direct payments to their own accounts or run Facebook Ad campaigns with money from the victimized firms.
WithSecure believes that the motive of the Ducktail operators is financial, going for easy profits in an environment where it would take some time to discover the fraud and stop it.
Notably, we saw a similarly sophisticated automated account-stealing and session token verification approach from an information stealer named FFDroider in April 2022.