A group of attackers, likely based in Vietnam, that specializes in targeting employees with potential access to Facebook business and ads management accounts, has re-emerged with changes to its infrastructure, malware, and modus operandi after being initially outed a few months ago.
Dubbed DUCKTAIL by researchers from WithSecure, the group uses spear phishing to target individuals on LinkedIn who have job descriptions that could suggest they have access to manage Facebook business accounts. More recently, the attackers were also observed targeting victims via WhatsApp. The compromised Facebook business accounts are used to run ads on the platform for attackers’ financial gain.
DUCKTAIL attackers do their research
The account abuse is achieved using a victim’s browser through a malware program delivered under the guise of documents related to brands, products, and project planning. The attackers first build a list of companies that have business pages on Facebook. They then search for employees on LinkedIn and other sources who work for those companies and have job titles that could provide them with access to those business pages. These include managerial, digital marketing, digital media, and human resource roles.
The final step is to send a link to them with an archive that contains the malware masquerading as a .pdf, alongside images and videos that appear to be part of the same project. Some of the file names seen by the researchers include project “development plan,” “project information,” “products,” and “new project L’Oréal budget business plan.” Some of the files included country names, suggesting the attackers customize them for every victim and country based on their reconnaissance. The identified victims were spread around the world, so the attackers don’t target one particular region.
It’s believed the DUCKTAIL group has been operating this campaign since the second half of 2021. After WithSecure exposed their operation in August this year, the operation stopped and the attackers reworked some of their toolset.
Attackers switch to GlobalSign as certificate authority
Malware samples analyzed earlier this year were digitally signed with a legitimate code signing certificate obtained from Sectigo in the name of a Vietnamese company. Since that certificate was reported and revoked, the attackers have switched to GlobalSign as their certificate authority. While they continued to request certificates from multiple CAs in the name of the original company, they have also set up six other businesses, all Vietnamese, and have obtained code signing certificates using three of them. Code signing certificates require extended validation (EV), where the identity of the applicant is verified through various documents.
“At the time of writing, the threat actor has adapted to certificate revocations by utilizing timestamping as a countersignature method through DigiCert,” the WithSecure researchers said in a new report released this week.
The DUCKTAIL malware samples seen in late 2021 were written in .NET Core and were compiled using the framework’s single-file feature, which bundles all the required libraries and files into a single executable file, including the main assembly. This ensures the malware can be executed on any Windows computer regardless of whether it has the .NET runtime installed or not. Since August 2022, when the campaign halted, the WithSecure researchers observed multiple development DUCKTAIL samples uploaded to VirusTotal from Vietnam.
One of the samples was compiled using the NativeAOT feature of .NET 7, which offers capabilities similar to the single-file feature of .NET Core, allowing binaries to be compiled natively ahead of time. However, NativeAOT has limited support for third-party libraries, so the attackers reverted to .NET Core.
The bad actors have been experimenting
Other experimentation was observed as well, such as the inclusion of anti-analysis code from a GitHub project that was never actually turned on, the capability of sending a list of email addresses as a .txt file from the command-and-control server instead of hardcoding them in the malware, and launching a dummy file when the malware is executed in order to make the user less suspicious – document (.docx), spreadsheet (.xlsx) and video (.mp4) dummy files were observed.
The attackers are also testing multistage loaders to deploy malware, such as an Excel add-in file (.xll), which extracts a secondary loader from an encrypted blob and then finally downloads the infostealer malware. The researchers also identified a downloader written in .NET that they associate with high confidence to DUCKTAIL, which executes a PowerShell command that downloads the infostealer from Discord.
The infostealer malware uses Telegram channels for command and control. The attackers have locked down these channels more tightly since they were outed in August, and some channels now have multiple administrators, which could suggest they are running an affiliate program similar to ransomware gangs. “This is further strengthened by increased chat activity and the new file encryption mechanism that ensures only certain users will be able to decrypt certain exfiltrated files,” the researchers say.
Once deployed, the DUCKTAIL malware scans for browsers installed on the system and the path to their cookie storage. It then steals all the stored cookies, including any Facebook session cookie stored inside. A session cookie is a small identifier set by a website inside a browser after authentication is completed successfully to remember the user has been logged in for a period of time.
The malware uses the Facebook session cookie to interact with Facebook pages directly or to send requests to the Facebook Graph API to obtain information. This information includes name, email, birthday, and user ID for personal accounts; name, verification status, ad limit, pending users and clients from Facebook business pages to which the personal accounts have access; name, ID, account status, ads payment cycle, currency, adtrust DSL, and amount spent for any associated Facebook Ads accounts.
The malware also checks whether two-factor authentication is enabled for the hijacked accounts and uses the active session to obtain backup codes for the 2FA when enabled. “Information stolen from the victim’s machine also allows the threat actor to attempt these activities (as well as other malicious activities) from outside the victim’s machine,” the researchers said. “Information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address and geolocation, as well as general account information (such as name and birthday) could be used to cloak and impersonate the victim.”
The malware then attempts to add email addresses controlled by the attackers to the hijacked Facebook business accounts with the highest possible roles: admin and finance editor. According to Facebook owner Meta’s documentation, admins have full control over the account, while finance editors have control over credit card information stored in the account as well as transactions, invoices, and spending on the account. They can also add external businesses to stored credit cards and monthly invoices, allowing those businesses to use the same payment method.
Impersonating legitimate account manager identities
“In instances where the targeted victims did not have sufficient access to allow the malware to add the threat actor’s email addresses into the intended business accounts, the threat actor relied on the information that was exfiltrated from the victims’ machines and Facebook accounts to impersonate them and achieve their post-compromise objectives via hands-on activity,” the researchers said in their new report.
In one instance that WithSecure incident responders investigated, the victim used an Apple machine and had never logged into Facebook from a Windows computer. No malware was found on the system and the initial access vector could not be determined. It’s unclear if this was related to DUCKTAIL, but the researchers established that the attackers were also from Vietnam.
Facebook Business administrators are advised to regularly review users added under Business Manager > Settings > People and revoke access to any unknown users granted admin access or finance editor roles.
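The review recommended above can be scripted against an export of the Business Manager user list. The following is an added example, not code from WithSecure or from the article: it takes the JSON pages that a Graph API `business_users` listing returns (the `role` values `ADMIN` and `FINANCE_EDITOR`, the field names, and the sample data are assumptions constructed here) and flags every admin or finance editor who is not on an approved list, or whose email is outside the company domain.

```python
import json

# Roles the article identifies as the attackers' goal: full control (admin)
# and payment/invoice control (finance editor). Role identifiers assumed.
PRIVILEGED_ROLES = {"ADMIN", "FINANCE_EDITOR"}


def flag_unexpected_privileged_users(pages, approved_emails, company_domain):
    """Return privileged users that are not approved or not on the company domain.

    `pages` is a list of decoded Graph API pages, each shaped like
    {"data": [{"id", "name", "email", "role"}, ...], "paging": {...}}.
    Every page is inspected so a user hidden on a later page is not missed.
    """
    approved = {e.lower() for e in approved_emails}
    findings = []
    for page in pages:
        for user in page.get("data", []):
            role = user.get("role", "").upper()
            if role not in PRIVILEGED_ROLES:
                continue
            email = user.get("email", "").lower()
            reasons = []
            if email not in approved:
                reasons.append("not on approved list")
            if not email.endswith("@" + company_domain.lower()):
                reasons.append("external email domain")
            if reasons:
                findings.append({"id": user.get("id"), "email": email,
                                 "role": role, "reasons": reasons})
    return sorted(findings, key=lambda f: f["email"])


# Constructed sample export: two pages, one known admin, one planted finance editor.
SAMPLE_PAGES = json.loads("""[
 {"data": [{"id": "1", "name": "Ada", "email": "ada@example.com", "role": "ADMIN"},
           {"id": "2", "name": "Bob", "email": "bob@example.com", "role": "EMPLOYEE"}],
  "paging": {"cursors": {"after": "p2"}, "next": "https://graph.facebook.com/next"}},
 {"data": [{"id": "3", "name": "Eve", "email": "eve@mailbox.test", "role": "FINANCE_EDITOR"}]}
]""")

if __name__ == "__main__":
    for f in flag_unexpected_privileged_users(SAMPLE_PAGES, ["ada@example.com"], "example.com"):
        print(f"REVIEW {f['role']} {f['email']} ({f['id']}): {', '.join(f['reasons'])}")
```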
“Across our investigations, WithSecure Incident Response team found that business history logs and targeted individuals’ Facebook data were relevant to analysis of the incident,” the researchers said. “However, for logs relating to the individual’s Facebook account, inconsistencies are widely present between what is visible on the web portal compared to what you would get if you were to download a copy of your data. As a recommendation to other investigators, the WithSecure Incident Response team strongly recommends capturing a local copy of business history logs as soon as possible and requesting a copy of user data for their account.”