Ducktail, a threat group, has honed its tactics, targeting fashion industry marketing professionals through a sophisticated campaign. According to a Kaspersky report, the attack involves sending deceptive archives containing genuine product images alongside a camouflaged executable posing as a PDF.
Upon execution, the malware showcases a genuine embedded PDF, appealing to marketing professionals exploring job opportunities. However, its underlying objective is to install a stealthy browser extension capable of extracting Facebook business and ads account credentials, presumably for resale.
The campaign reveals a strategic shift by Ducktail, exhibiting an evolving sophistication in targeting specific professional demographics within the fashion industry.
Details of the Ducktail Malware Modus Operandi:
- The malicious file triggers a PowerShell script and a faux PDF file in the device’s public directory.
- The script displays the fake PDF in the default PDF viewer, pauses briefly, and then shuts down the Chrome browser.
- Meanwhile, malicious browser extension files posing as the Google Docs Offline extension are written to a Chrome directory, with their hosting path altered to avoid notice.
- The core script covertly sends browser tab details to a command-and-control server.
- When it detects Facebook-related URLs, the extension attempts to steal account details and cookies, uses techniques to bypass two-factor authentication, and transmits the stolen credentials to a Vietnam-based C2 server.

To strengthen defenses against Ducktail attacks, Amelia Buck, a threat intelligence analyst at Menlo Security, recommends behavioral analytics and heuristic monitoring for anomaly detection. Training marketing teams to recognize social engineering tactics, exercise caution with unsolicited files, and verify attachments before opening them is also crucial.
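The chain described above (a double-extension lure, PowerShell spawned from it, a decoy PDF in the public directory, Chrome terminated, extension files written by PowerShell rather than by Chrome) is a good fit for the behavioral, heuristic monitoring Buck recommends. The following is an added example, not code from Kaspersky, Menlo Security or the article's author: it scores constructed Sysmon-like process and file events against those stages and raises an alert only when several distinct stages occur within one time window. The event field names, file paths and the extension folder name are assumptions or placeholders.

```python
"""Heuristic detection of the Ducktail-style infection chain described above.

Added example for this article; it is not code from Kaspersky, Menlo Security
or the article's author. The events are CONSTRUCTED Sysmon-like records (the
field names are an assumption), not real telemetry, and the extension folder
name is a placeholder.
"""
import re

# Stage signatures derived from the article's description of the chain.
MASQUERADE_RE = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.(exe|scr|com|bat)$", re.I)
POWERSHELL_RE = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)
PUBLIC_DIR_RE = re.compile(r"^C:\\Users\\Public\\", re.I)
CHROME_EXT_RE = re.compile(r"\\Google\\Chrome\\User Data\\.*\\Extensions\\", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LURE = r"C:\Users\alice\Downloads\lookbook\Job_Description.pdf.exe"  # constructed
EXT_DIR = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions"

# Constructed events following the chain: lure executable -> PowerShell ->
# decoy PDF in the public directory -> Chrome terminated -> extension dropped.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process_create", "image": LURE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": 101, "type": "process_create", "image": PS, "parent_image": LURE},
    {"ts": 102, "type": "file_create", "image": PS,
     "target": r"C:\Users\Public\Job_Description.pdf"},
    {"ts": 104, "type": "process_terminate", "image": PS, "target": "chrome.exe"},
    {"ts": 105, "type": "file_create", "image": PS,
     "target": EXT_DIR + r"\PLACEHOLDER_EXT_ID\1.0_0\manifest.json"},
]

# Constructed benign activity that touches the same locations legitimately.
BENIGN_EVENTS = [
    {"ts": 200, "type": "process_create",
     "image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": 201, "type": "file_create",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": EXT_DIR + r"\PLACEHOLDER_EXT_ID\1.0_0\manifest.json"},
    {"ts": 202, "type": "process_create", "image": PS,
     "parent_image": r"C:\Windows\explorer.exe"},
]


def indicator(ev):
    """Map one event to a stage indicator, or None if it matches nothing."""
    image = ev.get("image", "")
    target = ev.get("target", "")
    if ev["type"] == "process_create":
        if MASQUERADE_RE.search(image):
            return "double_extension_executable"
        if POWERSHELL_RE.search(image) and MASQUERADE_RE.search(ev.get("parent_image", "")):
            return "powershell_spawned_by_masqueraded_exe"
    elif ev["type"] == "file_create" and POWERSHELL_RE.search(image):
        if PUBLIC_DIR_RE.search(target) and target.lower().endswith(".pdf"):
            return "decoy_pdf_in_public_dir"
        if CHROME_EXT_RE.search(target):
            return "extension_files_written_by_powershell"
    elif ev["type"] == "process_terminate" and POWERSHELL_RE.search(image):
        if target.lower() == "chrome.exe":
            return "powershell_terminated_chrome"
    return None


def analyse(events, window_seconds=60, min_stages=3):
    """Return the distinct indicators seen and whether enough distinct stages
    occurred within one time window to call it a Ducktail-like chain."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = indicator(ev)
        if name:
            hits.append((ev["ts"], name))
    seen = []
    for _, name in hits:
        if name not in seen:
            seen.append(name)
    alert = False
    for i, (start, _) in enumerate(hits):
        stages = {n for t, n in hits[i:] if t - start <= window_seconds}
        if len(stages) >= min_stages:
            alert = True
            break
    return {"indicators": seen, "alert": alert}


if __name__ == "__main__":
    for label, evs in (("sample chain", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, analyse(evs))
```

Requiring several distinct stages inside one window is what keeps this from firing on the benign set: Chrome legitimately writes into its own Extensions folder, and PowerShell launched from Explorer is everyday administration, so neither produces an indicator on its own.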
Buck underscores skepticism toward seemingly legitimate content and advises caution even with work-related files to mitigate deception risks. She emphasizes the importance of staff vigilance regarding browser extensions, advocating for multifactor authentication, cautious extension usage, and refraining from using work credentials for personal browsing.
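Vigilance about browser extensions can be made routine with an inventory check of what is actually installed in a Chrome profile. The following is an added example, not code from the article's sources: it walks an Extensions directory, reads each manifest.json and flags extensions that were not installed from the Chrome Web Store, request cookie or tab access, are scoped to facebook.com, or borrow the Google Docs Offline name without a store update URL. The sample profile it audits is constructed in a temporary folder with made-up extension ids and manifests.

```python
"""Audit a Chrome profile's extensions for the Ducktail-style traits above.

Added example for this article, not code from Kaspersky, Menlo Security or the
article's author. It builds a CONSTRUCTED "Extensions" directory in a temp
folder with made-up extension ids and manifests, then checks each manifest.json.
"""
import json
import os
import tempfile

# Extensions installed from the Chrome Web Store carry this update_url.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
SENSITIVE_PERMISSIONS = {"cookies", "tabs", "webRequest"}
IMPERSONATED_NAME = "google docs offline"


def host_scopes(manifest):
    """Collect host patterns from both manifest v2 ("permissions") and
    manifest v3 ("host_permissions") layouts."""
    hosts = [p for p in manifest.get("permissions", []) if "://" in p]
    return hosts + list(manifest.get("host_permissions", []))


def audit_manifest(manifest):
    """Return the list of findings for one manifest.json."""
    findings = []
    not_store = manifest.get("update_url") != WEB_STORE_UPDATE_URL
    if not_store:
        findings.append("not_from_web_store")
    sensitive = SENSITIVE_PERMISSIONS & set(manifest.get("permissions", []))
    if sensitive:
        findings.append("sensitive_permissions:" + ",".join(sorted(sensitive)))
    if any("facebook.com" in h for h in host_scopes(manifest)):
        findings.append("facebook_host_scope")
    if IMPERSONATED_NAME in manifest.get("name", "").lower() and not_store:
        findings.append("impersonates_google_docs_offline")
    return findings


def audit_profile(extensions_root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return
    {extension_id: {"findings": [...], "suspicious": bool}}."""
    report = {}
    for ext_id in sorted(os.listdir(extensions_root)):
        ext_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        findings = []
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    findings += audit_manifest(json.load(fh))
        report[ext_id] = {"findings": findings, "suspicious": len(findings) >= 2}
    return report


def build_sample_profile():
    """Create a constructed Extensions directory: one store install and one
    sideloaded look-alike with credential-theft permissions (ids are placeholders)."""
    root = tempfile.mkdtemp(prefix="ext_audit_")
    manifests = {
        "placeholder_store_id": {
            "manifest_version": 3, "name": "Google Docs Offline", "version": "1.0",
            "update_url": WEB_STORE_UPDATE_URL,
            "permissions": ["alarms", "storage", "unlimitedStorage"],
        },
        "placeholder_rogue_id": {
            "manifest_version": 3, "name": "Google Docs Offline", "version": "1.0",
            "permissions": ["cookies", "tabs", "webRequest"],
            "host_permissions": ["*://*.facebook.com/*"],
        },
    }
    for ext_id, manifest in manifests.items():
        folder = os.path.join(root, ext_id, "1.0_0")
        os.makedirs(folder)
        with open(os.path.join(folder, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


def run_sample_audit():
    """Build the constructed profile and audit it."""
    return audit_profile(build_sample_profile())


if __name__ == "__main__":
    for ext_id, result in run_sample_audit().items():
        print(ext_id, result)
```

On a real machine, point `audit_profile` at the profile's `Extensions` folder; a single finding is common for legitimate extensions, so the `suspicious` flag is only set when two or more traits coincide, and a flagged entry is a prompt to review the extension, not proof of compromise.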
Buck also highlights password manager usage to strengthen account security and avoid reusing passwords across accounts.
Ducktail’s activities, active since May 2021, have targeted Facebook business accounts globally. The group, based in Vietnam, exhibits adaptability by leveraging LinkedIn and now WhatsApp for spear-phishing campaigns.
Recent findings from cybersecurity researchers have linked Ducktail to the DarkGate RAT, based on similarities in tactics, targeting, and delivery methods, indicating an escalation in its cyber capabilities.