DUCKTAIL Malware Targeting HR Professionals Through LinkedIn Spear-phishing Campaigns

The cybersecurity firm WithSecure has recently discovered an active operation called DUCKTAIL. The goal of this campaign is to take over the Facebook Business accounts that handle a company's advertising. To accomplish this, the operators behind the campaign primarily target professionals on LinkedIn.

Despite DUCKTAIL's narrow target scope and the care taken in selecting targets, the operators stay true to their own interests: they search for people who hold admin privileges on the social media accounts associated with their employer.

This campaign is believed to have been carried out by a Vietnamese threat actor who has been active since 2021 and is known to run campaigns of this kind. Based on the chain of evidence, the threat actor's motives appear to be financial.

DUCKTAIL Malware Targeting HR Professionals

In order to hijack Facebook Business accounts, DUCKTAIL makes use of an info-stealer malware component.

WithSecure is unaware of any previous instances of this type of functionality, which distinguishes DUCKTAIL from earlier Facebook-focused malware operations.

The malware steals authentication cookies from the victim's browser and uses them to take advantage of the victim's authenticated Facebook session, which allows it to extract information from the victim's Facebook account.

As a result, the attackers have been able to hijack any Facebook Business account the victim has access to, including accounts where that access is limited.
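Session-cookie theft of the kind described above leaves a file-access artifact on the endpoint: the stealer has to read the browser's cookie database off disk, and browsers normally read those files only themselves. The following detection is an added example, not code from the article or from WithSecure; it walks hypothetical EDR-style JSON file-access records (the record format, host name, process names and paths are all constructed for this example, and the cookie-store locations are an assumption based on common Chromium and Firefox profile layouts) and flags any non-browser process that reads or copies a browser cookie store.

```python
import json
import re
from typing import Dict, Iterable, List

# Path separator that accepts both Windows and POSIX-style records.
SEP = r"[\\/]"

# Where the major browsers keep cookie databases on disk. These layouts are an
# assumption of this example (common Chromium and Firefox profile structure),
# not something the article states.
COOKIE_STORE_PATTERNS = [
    # Chromium family: ...\User Data\<Profile>\Cookies or ...\<Profile>\Network\Cookies
    re.compile(SEP + r"User Data" + SEP + r"[^\\/]+" + SEP + r"(?:Network" + SEP + r")?Cookies$", re.I),
    # Firefox: ...\Profiles\<profile>\cookies.sqlite
    re.compile(SEP + r"Profiles" + SEP + r"[^\\/]+" + SEP + r"cookies\.sqlite$", re.I),
]

# Processes that legitimately open their own cookie stores.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# File actions that give another process the cookie database's contents.
SUSPICIOUS_ACTIONS = {"read", "copy"}


def is_cookie_store(path: str) -> bool:
    """True if the path points at a known browser cookie database."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def process_name(image: str) -> str:
    """Basename of a process image path, lower-cased for comparison."""
    return re.split(SEP, image)[-1].lower()


def find_cookie_theft(records: Iterable[str]) -> List[Dict[str, str]]:
    """Return file-access records where a non-browser process reads a cookie store.

    Each record is one JSON line with at least "process", "file" and "action"
    keys (a hypothetical EDR export format chosen for this example).
    """
    hits: List[Dict[str, str]] = []
    for line in records:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than crash the detector
        if rec.get("action") not in SUSPICIOUS_ACTIONS:
            continue
        if not is_cookie_store(rec.get("file", "")):
            continue
        name = process_name(rec.get("process", ""))
        if name in BROWSER_PROCESSES:
            continue  # a browser reading its own cookies is normal
        hits.append({"host": rec.get("host", ""), "process": name,
                     "file": rec["file"], "action": rec["action"]})
    return hits


# Constructed sample telemetry: two benign browser accesses, one unrelated
# read by an unknown binary, and two cookie-store accesses that should be flagged.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"host": "HR-PC01", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "file": r"C:\Users\hr1\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies", "action": "read"},
    {"host": "HR-PC01", "process": r"C:\Users\hr1\Downloads\unknown_tool.exe",
     "file": r"C:\Users\hr1\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies", "action": "read"},
    {"host": "HR-PC01", "process": r"C:\Users\hr1\Downloads\unknown_tool.exe",
     "file": r"C:\Users\hr1\Documents\report.docx", "action": "read"},
    {"host": "HR-PC01", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "file": r"C:\Users\hr1\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\cookies.sqlite", "action": "read"},
    {"host": "HR-PC01", "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "file": r"C:\Users\hr1\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\cookies.sqlite", "action": "copy"},
]]

if __name__ == "__main__":
    for hit in find_cookie_theft(SAMPLE_LOG):
        print(f"[{hit['host']}] {hit['process']} {hit['action']} {hit['file']}")
```

The allowlist is deliberately small: backup agents or sync tools that legitimately touch profile directories will need adding per environment, and a hit should be triaged together with what the process did next (network connections, archive creation), since reading the cookie store is only the first step of the session hijack described above.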

DUCKTAIL uses LinkedIn as a means of scouting for its targets and delivering its phishing attacks. A target is selected by this method when the user is likely to have high-level access to a Facebook Business account, preferably Admin privileges.

Here is what Mohammad Kazem Hassan Nejad, researcher at WithSecure Intelligence, stated:

“We believe that the DUCKTAIL operators carefully select a small number of targets to increase their chances of success and remain unnoticed. We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted.”

The threat actors leveraged their new privileges to replace the account's financial details with ones they had set up. In this way, they could direct payments from the victims to their own accounts or run Facebook advertising campaigns with the victims' money.

There is no doubt that social networks and media platforms are becoming increasingly popular, and as a result cybercriminals are drawn to abusing these platforms for financial gain.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.