New PHP Infostealer Malware Hijacking Facebook Business Accounts

Security researchers at Zscaler recently reported discovering an information-stealing malware in the wild, dubbed Ducktail, that is written in PHP.

For distribution, the threat actors bundle the malware with pirated versions of legitimate applications and games.

Like the earlier variants written in .NET Core, this PHP version is designed to steal personal information from victims' browsers.

It mainly targets the victim’s web browsers from which it steals sensitive data like:-

  • Saved browser credentials
  • Facebook account information

Attack Chain

Ducktail, first observed on the threat landscape in late 2021, is believed to be the work of an unknown Vietnamese threat actor. By the end of July 2022, WithSecure had documented the earlier Ducktail activity clusters.

The primary goal of the malware is to target and hack the following accounts:-

  • Facebook business accounts
  • Facebook advertising accounts

When the malware was first discovered, it used Telegram as the channel for sending stolen information to the attackers, but later versions switched to a different medium: the threat actors now use a new website that hosts data in JSON format to establish the connection.

The threat actors inject the malware into ZIP archives containing pirated or cracked versions of the following, hosted on popular file-sharing websites:-

  • Microsoft Office
  • Games
  • Pornography

Malware Functionalities

The malware's functionalities are:-

  • Enumerates the browsers installed on the system.
  • Extracts stored browser cookies from the system.
  • Targets Facebook Business accounts.
  • Looks for cryptocurrency account information in the wallet.dat file.
  • Collects the data and sends it to the command and control (C&C) server.

The malicious PHP script is activated when the victim runs the program installer. The threat actors then use this script to run arbitrary code that steals the following sensitive data from the victim's web browser:-

  • Cryptocurrency wallets
  • Facebook Business accounts
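As an added illustration, not code from this report or from Zscaler, the following Python triage heuristic flags ZIP archives that bundle a PHP script alongside an installer executable, the packaging described above, and records which of the data targets named in this article (cookies, wallet.dat, Facebook) the script mentions. The archive contents and file names are constructed samples.

```python
import io
import zipfile
from typing import Dict, List

# Weak signals drawn from the report's description of what the stealer goes after.
TARGET_STRINGS = (b"wallet.dat", b"cookies", b"facebook")
INSTALLER_EXTS = (".exe", ".msi")


def scan_zip_bytes(data: bytes) -> Dict[str, object]:
    """Inspect a ZIP held in memory and report PHP entries, installer entries,
    which target strings each PHP entry mentions, and an overall verdict."""
    php_entries: List[str] = []
    installer_entries: List[str] = []
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".php"):
                php_entries.append(info.filename)
                content = zf.read(info).lower()
                found = [s.decode() for s in TARGET_STRINGS if s in content]
                if found:
                    hits[info.filename] = found
            elif name.endswith(INSTALLER_EXTS):
                installer_entries.append(info.filename)
    # A PHP script shipped next to an installer in a "cracked software" archive
    # is the packaging pattern the report describes; flag it for analyst review.
    suspicious = bool(php_entries) and bool(installer_entries)
    return {
        "php": php_entries,
        "installers": installer_entries,
        "hits": hits,
        "suspicious": suspicious,
    }


def build_sample_zip(with_php: bool) -> bytes:
    """Constructed sample archive imitating a pirated-software download
    (hypothetical file names), optionally carrying a PHP script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Office_Setup.exe", b"MZ fake installer body")
        if with_php:
            zf.writestr(
                "lib/update.php",
                b"<?php // collects browser Cookies, wallet.dat and Facebook business data ?>",
            )
    return buf.getvalue()
```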

Here below we have mentioned the details that the malware attempts to steal from the Facebook Business pages:-

  • Payment initiated
  • Payment required
  • Verification Status
  • Owner ad accounts
  • Amount spent
  • Currency details
  • Account status
  • Ads Payment cycle
  • Funding source
  • Payment method [credit card, debit card, etc.]
  • PayPal payment method [email address]
  • Owned pages

Furthermore, this is yet another indication that the perpetrators of this malware are broadening the scope of their attacks. Apart from the above targets, regular Facebook users are also targeted in this updated version of the campaign.

The Ducktail developers are constantly modifying and improving their malware to make it more sophisticated and stealthy, which will let them infect victims more effectively and steal more information than ever before.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.