Researchers at WithSecure have discovered Vietnam-based cybercrime operation Ducktail hijacking Facebook Business accounts and running their own ads on the victim’s dime, causing losses of more than $600,000 in advertising credits.
The latest campaign involves the threat actor reaching out to potential victims using WhatsApp and luring them into downloading and executing malicious payloads to either steal sensitive information or access Facebook Business accounts logged in on their devices. Telegram was also used in this latest campaign, with multiple administrator accounts indicating the attackers may be running an affiliate program.
This isn’t the first time Ducktail has been found hijacking Facebook Business accounts for its own gain. Previous campaigns involved the threat actor delivering info-stealing malware through LinkedIn to individuals with high-level access to those accounts. WithSecure reports that the malware, as well as the group’s tactics, was adapted to be relevant to the victims and to avoid detection.
A unique feature of Ducktail’s malware is the ability to hijack Facebook Business accounts associated with the victim’s Facebook account and then attempt to give the threat actor’s email address access to the business account with the highest privilege possible.
Once executed on the target system, the malware steals any stored cookies it can find across multiple browsers, including Chrome, Edge, Brave and Firefox. Since these cookies include Facebook session cookies, they let the attacker obtain access tokens and MFA codes as well as user agents and IP addresses — essentially all the information needed to impersonate the victim from another machine.
The operation has also evolved to a new variant that uses the .NET 7 Native AOT feature, which allows the binary to be compiled so that it runs without the .NET runtime installed on the target machine. The attacker’s email addresses are no longer hardcoded in the source code but are delivered from Telegram bots acting as C2 servers.
To make detection difficult, the threat actors also signed their binaries (payloads) with extended validation certificates, a tactic in use since mid-2021. Finally, the extracted data is encrypted using the AES-128 algorithm, with the decryption key protected by asymmetric encryption.
The aforementioned certificates were purchased through as many as seven non-operational Vietnamese businesses. Six of these have been associated with Ducktail with medium confidence so far. The researchers also noticed multiple malware samples submitted to VirusTotal from Vietnam between October 5-10, which have been attributed to the operation with high confidence.
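The cookie theft and Telegram-based C2 described above suggest a behavioural correlation that does not depend on whether a binary is signed. The Python sketch below is an added example, not WithSecure's detection logic: the event schema, host names, process paths and sample events are constructed for illustration, and the cookie paths assume default Windows profile locations.

```python
import re
from collections import defaultdict

# Default Windows cookie-store paths for the browsers named in the article.
COOKIE_STORES = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\[^\\]+\\(Network\\)?Cookies$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$",
    re.IGNORECASE,
)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
TELEGRAM_BOT_API = "api.telegram.org"  # host used by Telegram bots


def correlate(events):
    """Return sorted (host, pid, image) for non-browser processes that both
    read a browser cookie store and resolved the Telegram Bot API host."""
    seen = defaultdict(set)
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in BROWSERS:  # basename check only; a real rule should also verify the path
            continue           # a browser reading its own cookie store is expected
        key = (ev["host"], ev["pid"], ev["image"])
        if ev["type"] == "file_read" and COOKIE_STORES.search(ev["target"]):
            seen[key].add("cookies")
        elif ev["type"] == "dns" and ev["target"].lower().rstrip(".") == TELEGRAM_BOT_API:
            seen[key].add("telegram")
    return sorted(k for k, tags in seen.items() if tags == {"cookies", "telegram"})


# Constructed sample telemetry (hypothetical schema: host, pid, image, type, target).
_SUSPECT = r"C:\Users\ana\Downloads\project_plan.exe"
SAMPLE_EVENTS = [
    {"host": "WS-01", "pid": 4120, "image": _SUSPECT, "type": "file_read", "target": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "WS-01", "pid": 4120, "image": _SUSPECT, "type": "file_read", "target": r"C:\Users\ana\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default-release\cookies.sqlite"},
    {"host": "WS-01", "pid": 4120, "image": _SUSPECT, "type": "dns", "target": "api.telegram.org"},
    {"host": "WS-01", "pid": 900, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "type": "file_read", "target": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "WS-02", "pid": 77, "image": r"C:\Tools\alertbot.exe", "type": "dns", "target": "api.telegram.org"},
    {"host": "WS-03", "pid": 55, "image": r"C:\Tools\backup.exe", "type": "file_read", "target": r"C:\Users\bo\AppData\Local\Microsoft\Edge\User Data\Default\Cookies"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Only the process that shows both behaviours is reported; the browser, the Telegram-only tool and the cookie-only backup job are not.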