The Vietnamese threat actors behind the Ducktail stealer malware are involved in a new campaign that ran between March and early October 2023, targeting marketing professionals in India with the aim of hijacking Facebook business accounts.
“An important feature that distinguishes it is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as a programming language,” Kaspersky SAYS in a report published last week.
Ducktailalong with Duckport and NodeStealer, are part of a cybercrime ecosystem operating out of Vietnam, where attackers primarily use sponsored Facebook ads to spread malicious ads and deploy malware capable of steal victims’ login cookies and ultimately take control of their accounts.
Such attacks mainly target users who have access to a Facebook Business account. Fraudsters then use the unauthorized access to place ads for financial gain, perpetuating infections.
In the campaign documented by the Russian cybersecurity firm, potential targets looking for a career change were sent archive files containing a malicious executable disguised as a PDF icon to trick them into launch the binary.
Doing so results in a malicious file that stores a PowerShell script named param.ps1 and a decoy PDF document locally in the “C:\Users\Public” folder of Windows.
“The script uses the device’s default PDF viewer to open the decoy, pauses for five minutes, and then terminates the Chrome browser process,” Kaspersky said.
The parent executable also downloads and launches a rogue library named libEGL.dll, which scans “C:\ProgramData\Microsoft\Windows\Start Menu\Programs” and “C:\ProgramData\Microsoft\Internet Explorer\Quick Launch\User Pinned \TaskBar\” folders for any shortcuts (ie, LNK files) to Chromium-based web browsers.
The next stage involves modifying the browser’s LNK shortcut file by suffixing the “–load-extension” command line switch to launch a rogue extension masquerading as a legitimate one. Google Docs Offline add-on that flies under the radar.
The extension, for its part, is designed to send information about all open tabs to a server controlled by the actor registered in Vietnam and hijacking business accounts on Facebook.
Google Sues Scammers for Using Bard Lures to Spread Malware
The findings highlight a strategic shift in Ducktail’s attack methods and come as Google filed a lawsuit against three unidentified individuals in India and Vietnam for exploiting public interest in generative AI tools like Bard to spread malware through Facebook and obtain social media login credentials.
“The defendants distribute links to their malware through social media posts, advertisements (ie, sponsored posts), and pages, each of which offers downloadable versions of Bard or other Google AI products,” the company alleged in its complaint.
“When a user logged into a social media account clicks on the links displayed in the Defendants’ advertisements or on their pages, the links redirect to an external website where the a RAR archive, a file type, downloads to the user’s computer.”
The files in the archive include an installer file capable of installing a browser extension that is adept at hijacking victims’ social media accounts.
Earlier this May, Meta said it observed threat actors creating fraudulent browser extensions available on official web stores claiming to offer tools related to ChatGPT and that it detects and blocks more than 1,000 unique URLs from sharing its services.