DUCKTAIL Malware


Cybercriminals are using a purpose-built malware threat tracked as the DUCKTAIL Malware to hijack the Facebook Business accounts of their victims. The threat is believed to be part of the toolset of a Vietnamese hacker group and, according to a report by the researchers at WithSecure Intelligence, it is likely to have been used in attack operations since 2021.

It should be pointed out that the attacks involving DUCKTAIL have been highly targeted, with the chosen victims being high-ranking individuals or other persons of interest who hold access to a Facebook Business account. By compromising such a target, the attackers gain access to and assume control over a specific Facebook business page. Researchers note that DUCKTAIL continues to evolve, with the hackers adding new capabilities and new methods for evading Facebook's security controls.

Once executed on the victim's machine, DUCKTAIL first checks for the presence of specific Web browsers: Chrome, Firefox, Edge and Brave. It then locates each browser's cookie store and extracts any cookies related to Facebook. The threat checks whether two-factor authentication (2FA) is enabled on the account and, if so, attempts to acquire the recovery codes. Beyond cookies, DUCKTAIL can also exfiltrate user agents, geolocation data, 2FA codes, access tokens and more. Since a valid session cookie lets the attacker act as the already-logged-in user without entering a password or answering a 2FA prompt, the stolen cookies alone are often sufficient to take over the account.
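The browser-enumeration and cookie-collection behaviour described above leaves a recognisable footprint in endpoint telemetry: one non-browser process reading the cookie stores of several browsers within seconds. The following detection sketch is an added example written for this article, not code from the original page or from WithSecure; it assumes Sysmon- or EDR-style file-read events with `time`, `pid`, `image` and `path` fields, uses the well-known Windows cookie-store locations of the four browsers DUCKTAIL targets, and runs over a constructed set of sample events.

```python
"""
Flag a non-browser process that reads the cookie stores of several browsers
within a short window. Sample events below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known cookie store locations under a Windows user profile. Chromium-based
# browsers moved the file from <profile>\Cookies to <profile>\Network\Cookies,
# so both layouts are accepted; the Firefox profile directory name varies.
COOKIE_STORE_PATTERNS = {
    "chrome":  re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    "edge":    re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    "brave":   re.compile(r"\\BraveSoftware\\Brave-Browser\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    "firefox": re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
}

# Processes that legitimately open their own cookie store.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


def classify_path(path):
    """Return the browser whose cookie store `path` is, or None."""
    for browser, pattern in COOKIE_STORE_PATTERNS.items():
        if pattern.search(path):
            return browser
    return None


def find_cookie_harvesters(events, min_browsers=2, window=timedelta(minutes=5)):
    """
    events: iterable of dicts with keys 'time' (ISO 8601), 'pid', 'image', 'path',
    one per file-read event (hypothetical field names, assumed for this example).
    Returns {(pid, image_name): sorted browser list} for every non-browser process
    that read the cookie stores of at least `min_browsers` distinct browsers
    within `window`.
    """
    touches = defaultdict(list)  # (pid, image) -> [(time, browser)]
    for ev in events:
        browser = classify_path(ev["path"])
        if browser is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in BROWSER_IMAGES:
            continue  # a browser reading its own cookies is normal
        touches[(ev["pid"], image)].append((datetime.fromisoformat(ev["time"]), browser))

    hits = {}
    for key, seq in touches.items():
        seq.sort()
        # Slide a window over the process's cookie-store reads, in time order.
        for i, (t0, _) in enumerate(seq):
            browsers = {b for t, b in seq[i:] if t - t0 <= window}
            if len(browsers) >= min_browsers:
                hits[key] = sorted(browsers)
                break
    return hits


# Constructed sample events (not real telemetry). The dropped file name is made up.
SAMPLE_EVENTS = [
    {"time": "2023-03-01T10:00:01", "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"time": "2023-03-01T10:02:10", "pid": 7788, "image": r"C:\Users\alice\Downloads\Project_Brief.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"time": "2023-03-01T10:02:11", "pid": 7788, "image": r"C:\Users\alice\Downloads\Project_Brief.exe",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"time": "2023-03-01T10:02:12", "pid": 7788, "image": r"C:\Users\alice\Downloads\Project_Brief.exe",
     "path": r"C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Cookies"},
    {"time": "2023-03-01T10:02:13", "pid": 7788, "image": r"C:\Users\alice\Downloads\Project_Brief.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"},
    {"time": "2023-03-01T10:02:14", "pid": 7788, "image": r"C:\Users\alice\Downloads\Project_Brief.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
    # A backup agent touching a single browser's store an hour later is not flagged.
    {"time": "2023-03-01T11:30:00", "pid": 900, "image": r"C:\Program Files\Backup\agent.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"},
]

if __name__ == "__main__":
    for (pid, image), browsers in find_cookie_harvesters(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image} read cookie stores of: {', '.join(browsers)}")
```

The threshold of two browsers within five minutes is a starting point, not a tuned value: a single non-browser read of one cookie store is common (backup agents, profile migration tools), but one process walking the stores of several browsers in quick succession is the stealer pattern and is worth an alert regardless of what the process is named.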

Once it has gained access to a Facebook Business account, the threat harvests a broad set of account data, including names, connected account numbers, ad spending, payment cycles, ad account permissions, pending users, owners, member roles, client data, linked email addresses, verification statuses and more. Victims of DUCKTAIL can suffer serious privacy exposure, financial losses and fraud. Because stolen cookies and tokens remain usable until they are invalidated, remediation should include terminating the account's active Facebook sessions and reviewing Business Manager roles and linked users, not just removing the malware from the endpoint.


