Ducktail Infostealer Casts Its Fowl Malware Campaign At Facebook Users
According to Zscaler, the threat actor behind the Ducktail Infostealer recently revamped the malware to expand its scope. The new version of the malware is written in PHP and targets users with any level of access to Facebook Business accounts. The malicious software masquerades as an application installer for Microsoft Office, various games, and other software, and is made available for download on legitimate file hosting websites such as MediaFire.
After first reaching out to the threat actor’s command-and-control (C2) server to receive instructions, the Ducktail Infostealer attempts to pilfer a wide range of information from Facebook Business accounts, including financial and payment information. If the malware successfully nabs any information, it sends this info back to the C2 server for the threat actor to use for further malicious ends.
Unlike ransomware, stealer malware usually isn't instrumental to an extortion scheme in which threat actors demand a ransom payment in exchange for not publishing exfiltrated data to the web. However, stealer malware shouldn't be taken any less seriously than ransomware. The lack of a ransom request can mean that victims of stealer malware never realize any of their information was stolen until it has already been used to commit identity fraud or to redirect victims' funds to accounts controlled by threat actors. Users should be hesitant to download applications or third-party installers from unfamiliar sources, as threat actors often distribute malware packaged with such software.