Ducktail Infostealer Casts Its Fowl Malware Campaign At Facebook Users

Researchers at the cybersecurity company Zscaler have discovered a new version of the Ducktail Infostealer in a malware campaign seeking to steal Facebook Business account credentials. Cybersecurity researchers first identified the Ducktail Infostealer in 2021, attributing the malware to a Vietnamese threat actor. The earlier version of this malware was built on .NET Core and specifically targeted higher-level employees with Admin and Finance access to their companies’ Facebook Business accounts.

According to Zscaler, the threat actor behind the Ducktail Infostealer recently revamped the malware to expand its scope. The new version of the malware is written in PHP and targets users with any level of access to Facebook Business accounts. This malicious software masquerades as an application installer for Microsoft Office, various games, and more, which are made available for download on legitimate file hosting websites such as MediaFire.

Malware code snippet targeting Facebook Business accounts (source: Zscaler)

Users who run this malicious installer will be met by a window that reads, “Checking Application Compatibility.” However, unknown to the user, the malware works in the background to establish persistence on the victim’s system, then executes stealer code designed to find and swipe Facebook Business account credentials and information stored in the victim’s browser. This code is encrypted in order to avoid detection, then decrypted in memory when executed.

After first reaching out to the threat actor’s command-and-control (C2) server to receive instructions, the Ducktail Infostealer attempts to pilfer a wide range of information from Facebook Business accounts, including financial and payment information. If the malware successfully nabs any information, it sends this info back to the C2 server for the threat actor to use for further malicious ends.

Unlike ransomware, stealer malware usually isn't instrumental to an extortion scheme where threat actors demand a ransom payment in exchange for not publishing exfiltrated data to the web. However, stealer malware shouldn't be taken any less seriously than ransomware. The lack of a ransom request can mean that victims of stealer malware never realize any of their information was stolen until it's already been used to commit identity fraud or redirect victims' funds to accounts controlled by threat actors. Users should be hesitant to download applications or third-party installers from unfamiliar sources, as threat actors often distribute malware packaged with such software.
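One practical way to act on that last piece of advice is to check a downloaded installer against the checksum the software vendor publishes on its own site before running it, so a trojanised copy picked up from a file host fails the check. The script below is an added example written for this article; it is not code from Zscaler or from the campaign, and it assumes the vendor publishes a `sha256sum`-style list (`<hex digest>  <filename>`). The file contents and checksum list in `demo()` are constructed stand-ins.

```python
"""Verify a downloaded installer against a vendor-published SHA-256 list."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB chunks so large installers do not load into RAM


def sha256_of_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: digest}.
    Blank lines, '#' comments and malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        table[name] = digest.lower()
    return table


def verify_installer(path, checksums):
    """Return (ok, reason). ok is True only when the file's digest matches the
    published digest for its basename; a file with no published entry fails too."""
    name = os.path.basename(path)
    expected = checksums.get(name)
    if expected is None:
        return False, "no published checksum for %s" % name
    actual = sha256_of_file(path)
    if actual != expected:
        return False, "digest mismatch: expected %s got %s" % (expected, actual)
    return True, "ok"


def demo():
    """Constructed scenario: a genuine installer, then a swapped-in copy.
    Returns (genuine_ok, swapped_ok)."""
    d = tempfile.mkdtemp()
    installer = os.path.join(d, "OfficeSetup.exe")
    with open(installer, "wb") as f:
        f.write(b"MZ" + b"\x00" * 4096)  # constructed stand-in for the real file
    # Stand-in for the checksum list the vendor publishes on its own site
    published = "%s  OfficeSetup.exe\n" % sha256_of_file(installer)
    table = parse_checksums(published)
    genuine_ok, _ = verify_installer(installer, table)
    # Overwrite with different bytes, as a repackaged copy from a file host would be
    with open(installer, "wb") as f:
        f.write(b"MZ" + b"\x01" * 4096)
    swapped_ok, _ = verify_installer(installer, table)
    return genuine_ok, swapped_ok


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the source of the checksum list: it must come from the vendor's own site over HTTPS, never from the same file-hosting page as the download, otherwise whoever repackaged the installer could publish a matching digest alongside it.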