The financially motivated cybercriminal operation was first documented by Finnish cybersecurity company WithSecure (formerly F-Secure) in late July 2022. Cookie information is saved to c.txt and then sent to the C&C server. Code signing certificates have been acquired via businesses registered in Vietnam, with seven such firms identified to date. Ducktail, which emerged on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware primarily designed to hijack Facebook business and advertising accounts. "The hijacked business could therefore be used for purposes such as advertising, fraud, or even to spread disinformation," Nejad says. Users who fall for the lure end up having Ducktail's information stealer installed on their system. The group has also tweaked the capabilities of its primary information stealer and has adopted a new file format for it to evade detection. Ducktail has been around since 2021 and is attributed to a Vietnamese threat group. Zscaler's ThreatLabz team is continuously monitoring the campaign and will bring to light any new findings it comes across. In July 2022. "These fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo, and others)," Project Zero researcher Ian Beer said in a report. Now, the threat actors have switched to a scripting version in which the main stealer code is a PHP script rather than a .NET binary.
It uses the cURL command for receiving and sending the files over HTTP. "Malware written in Rust often benefits from lower [antivirus] detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language," IBM Security X-Force researcher Charlotte Hammond said in a report published this week. A majority of the victims were located in the U.S., followed by Brazil, India, Germany, Indonesia, the Philippines, France, Turkey, Vietnam, and Italy. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem Hassan Nejad said in a new analysis. Ducktail's operators have been active since at least 2018, while the malware has been in use since the second half of 2021. SharkBot, first discovered towards the end of 2021 by Cleafy, is a recurring mobile threat distributed both on the Google Play Store and other third-party app stores.
In order to achieve this, a PHP script is passed as input to php.exe rather than directly leveraging the job scheduling binary. The code explanation will be discussed later. In addition to using LinkedIn as an avenue for spear-phishing targets, as it did in previous campaigns, the Ducktail group has now begun using WhatsApp for targeting users as well. Because the response is a JSON file, the stealer decodes it into a PHP object using the json_decode function. WithSecure, however, said the activity has no connection whatsoever to the campaign it tracks under the Ducktail moniker. The instances of the Ducktail infostealer were identified in late 2021. "Devices with a Mali GPU are currently vulnerable." "It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancements in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information, targeting users at large," the researchers said.
A Vietnam-based hacking operation dubbed "Ducktail" is targeting individuals and companies operating on Facebook's Ads and Business platform. It also specifically checks whether any cookie named for Facebook has been logged recently. The malware would fetch email addresses from its command-and-control (C&C) server and was seen encrypting the data exfiltrated to the C&C. The following table articulates the various functions performed by the stealer:
- Pulls out stored information of browser cookies from the system
- Uploads the victim's sensitive information to the server
- Creates the pattern of stolen data which will be sent during the POST request
- Fetches the machine ID from the victim system
- Gets the details of the different directories from which data will be stolen
- Deletes all the files and folders where the malware copied the stolen information
- Copies files and directories, including subdirectories, with 0775 permission, which means read and execute access for everyone and also write access for the owner of the file
- Compresses all the stolen files and folders
- Extracts information on the installed browsers in the victim machine
- Extracts details of browser cookies from the system
The .tmp file generated by the latter then drops all the supporting and malicious files at the %Localappdata%\Packages\PXT\v2-0\ location (in our present scenario) and executes two processes (as depicted in the figure above) to achieve the purposes mentioned below. We were able to fetch the decoded malicious code from memory, and the findings are as follows: first, the stealer creates PHP associative arrays which will be used when sending the data to the C&C server. The malware can carry out multiple functions, including extracting all stored browser cookies and Facebook session cookies from the victim machine, specific registry data, Facebook security tokens, and Facebook account information. Security researchers from WithSecure (formerly F-Secure) who are tracking Ducktail have assessed that the threat actor's primary goal is to push out ads fraudulently via Facebook business accounts over which they manage to gain control. Black Basta, which emerged in April 2022, follows the tried-and-tested approach of double extortion to steal sensitive data from targeted companies and use it as leverage to extort cryptocurrency payments by threatening to release the stolen information. A set of five medium-severity security flaws in Arm's Mali GPU driver has remained unpatched on Android devices for months, despite fixes released by the chipmaker. The URL pattern is shown below: Figure 10: Retrieving JSON data from command and control site.
One of these hands-on incidents involved a victim operating entirely within the Apple ecosystem who had not logged on to their Facebook account from any Windows machine. Over the course of the last two or three months, Ducktail has also registered multiple fraudulent companies in Vietnam, apparently as a cover for obtaining digital certificates for signing its malware. "The threat actor could also use their newfound access to blackmail a company by locking them out of their own page." Google Project Zero, which discovered and reported the bugs, said Arm addressed the shortcomings in July and August 2022. The cyber espionage group known as Bahamut has been attributed as behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information. "The underground market value of stolen logs and compromised card details is estimated around $5.8 million," Singapore-headquartered Group-IB said in a report shared with The Hacker News. Earlier this year, the Ducktail infostealer was being delivered via LinkedIn, but the operators have changed techniques to evade detection. None of these apps are available on the Google Play Store. These pages belong to the Facebook Graph API, Facebook Ads Manager, and Facebook Business accounts.
"In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization's network," Cybereason researchers Joakim Kandefelt and Danielle Frankel said in a report shared with The Hacker News. Vietnam-based cyber crime operation continues to evolve and expand operations. Figure 1: Attack chain & flow of execution. The tampered apps and their updates are pushed to users through the fraudulent website. To evade detection, the threat actor has been signing the malware with EV (extended validation) certificates, and has been observed changing these certificates after revocation, mid-campaign. Following public disclosure, the digital certificate used in the campaign was revoked, which resulted in the attackers attempting to use invalid certificates. Similar to previous steps, the stealer code also gets decrypted at runtime in memory and subsequently performs stealing operations and exfiltration of data.
When the victim lacked sufficient permissions to add the attacker's email address to the intended Facebook business account, the adversary gathered enough information to impersonate the victim and achieve their objective via hands-on activity. WithSecure also identified several multi-stage variants of Ducktail that would deliver the main information stealer as a final payload. Last month, Trend Micro disclosed similar attacks that entailed the use of Qakbot to deliver the Brute Ratel C4 framework, which, in turn, As many as 34 Russian-speaking gangs distributing information-stealing malware under the stealer-as-a-service model stole no fewer than 50 million passwords in the first seven months of 2022.
RansomExx, also known as Defray777 and Ransom X, is a ransomware family that's known to be active since 2018. Figure 8: Malware looks for account details.
New PHP Version of Ducktail Malware Hijacking Facebook Business Accounts. Ducktail has been observed using LinkedIn to target organizations and individuals operating on Facebook's Ads and Business platform to hijack Facebook Business accounts. The malware was seen launching a dummy file to hide its malicious intent, such as a document (.docx), spreadsheet (.xlsx), or video (.mp4). Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts.
The activity, which has been active since January 2022, entails distributing rogue VPN apps through a fake SecureVPN website set up for this purpose, Slovak cybersecurity firm ESET said in a new report shared with The Hacker News. Payment method [credit card, debit card, etc. "The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain." The malware still relies on Telegram as its C&C channel. Companies based in the U.S. have been at the receiving end of an "aggressive" Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks. The job scheduling binary is a .NET binary. "Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.," Zscaler ThreatLabz researchers Tarun Dewan and Stuti Chaturvedi said. Figure 12: Stolen data sent to command and control server.
A new Ducktail phishing campaign is spreading a never-before-seen Windows information-stealing malware written in PHP, used to steal Facebook accounts, browser data, and cryptocurrency wallets. The operators of the RansomExx ransomware have become the latest to develop a new variant fully rewritten in the Rust programming language, following other strains like BlackCat, Hive, and Luna. The tactic of Ducktail's operators is to first identify organizations that have a Facebook Business or Ads account and then target individuals within those companies whom they perceive as having high-level access to the account. The following figure is a pictorial representation of how the PHP version of the Ducktail stealer is distributed and executed on the victim's machine. Once the theft is completed, the same website is used to store the stolen data. In September, however, the attackers resumed their activity, using a new malware variant compiled using the .NET 7 NativeAOT feature but based on the same code base as before. A PHP version of an information-stealing malware called Ducktail has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler.
"However, with the recent campaign, we observed the threat actor removing this functionality and relying entirely on fetching email addresses directly from its command-and-control channel (C2)," hosted on Telegram, the researcher says. Gets the details of profiles used in the Chrome browser. At least eight different variants of the spyware apps have been discovered to date, with them being trojanized versions of legitimate VPN apps like SoftVPN and OpenVPN. The disclosure forced Ducktail's operators to suspend operations briefly while they devised new methods for continuing with their campaign. Here, the primary task is to call a PHP script which performs malicious functions in the system. Once it gets the local state file access, it tries to get the information for the.