All information of associated businesses and ad accounts is also stolen. However, for logs relating to the individual's Facebook account, inconsistencies are widely present between what is visible on the web portal compared to what you would get if you were to download a copy of your data. The DUCKTAIL operation has changed their custom malware to be compiled as .NET Core 5; the final payload has been changed from custom-made malware to commodity. The chain of evidence suggests that its motives are financially driven. After you locate the suspicious program you wish to remove, right-click its name and choose "Delete". 31 May 2023 16:00:34: WithSecure, an F-Secure spin-off for businesses, is confident that the threat actor behind the data-stealing malware is Vietnamese and is financially motivated. If you find the filename of the malware, be sure to remove it. Note that some malware hides process names under legitimate Windows process names. Once an associated business/ad account is breached, DUCKTAIL collects the following data: name(s), verification status(es), connected account number, ad spending and payment cycles, ad account permissions, set currency, pending users, owners, member roles, linked emails, client data, and so forth. To eliminate possible malware infections, scan your computer with legitimate antivirus software. You should also keep your device updated with the latest security patches to reduce your risk of being infected with Ducktail or any other malware. They can also run ad campaigns at the expense of their victims.
Besides keywords related to brands, products and project planning, these files also contain malware, and when downloaded, DUCKTAIL is able to use saved browser cookies to take over a victim's (or their organization's) Facebook Business account. Facebook business and advertising accounts are at the receiving end of an ongoing campaign dubbed Ducktail designed to seize control as part of a financially driven cybercriminal operation. That said, the company noted it was "unable to determine the success, or lack thereof" of the Ducktail campaign, adding it couldn't establish how many users have potentially been affected by the spear-phishing operation. What's unique about the Ducktail campaign is that the threat actor judiciously chooses targets based on their role in an organization. Many small business owners depend on Meta's social network to reach their customers, which is why the DUCKTAIL malware is so concerning. "Nothing else is even close, percentage-wise," Roger Grimes, defense evangelist at KnowBe4, told Spiceworks. The attacker can use Telegram for C&C by embedding the Telegram.Bot client and other external dependencies in one executable. "We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted." Malware analyst and researcher at WithSecure, Mohammad Kazem Hassan Nejad, provided further insight in a press release on how DUCKTAIL's operators have been selecting targets, saying: "We believe that the DUCKTAIL operators carefully select a small number of targets to increase their chances of success and remain unnoticed." Secondly, inform their official support. WithSecure Intelligence says a criminal group dubbed "Ducktail" is targeting the Facebook Business platform with malware.
"The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to." Many spear phishing campaigns target users on LinkedIn, and if you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms. DUCKTAIL is the name of a malicious program designed to steal Facebook Business accounts. In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. "No other single defense [other than reducing social engineering] could do more to protect an organization against hacking and malware," he told Spiceworks. "If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with." Researchers are confident that a Vietnam-based threat actor conducts this financially driven campaign. DUCKTAIL Malware Hosted on iCloud as Archive | Source: WithSecure. The archive file contains seemingly legitimate files based on the target's interests. To ensure the safety of your accounts, we recommend choosing two-factor/multi-factor authentication when possible, using strong passwords, and selecting prudent access/privilege/privacy settings.
The DUCKTAIL malware samples seen in late 2021 were written in .NET Core and were compiled using the framework's single-file feature, which bundles all the required libraries and files into a single executable file, including the main assembly. Social engineering is the number one cause of most malicious data breaches. Information such as victims' user ID, name, birthday, and email is of interest to this program. The campaign has been active since at least July 2021. DUCKTAIL was initially discovered as an unknown malware earlier this year; WithSecure reports that it started tracking and analyzing the operation and found that the threat actor had been developing and distributing the malware since the second half of 2021. WithSecure's YARA rule (excerpt): rule ducktail_dotnet_core_infostealer { meta: author="WithSecure" description="Detects DUCKTAIL malware written in .NET Core" date="2022-07-18". WithSecure Elements Endpoint Detection and Response detects multiple stages of the attack lifecycle. The observed attacks have been highly targeted. Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. The threat actor gains access to authenticated Facebook Business accounts using these cookies and other stolen credentials. According to WithSecure, Ducktail malware targets those individuals and organizations using Facebook Ads and Business services.
Manual malware removal is a complicated task; usually it is best to allow antivirus or anti-malware programs to do this automatically. At the time of writing, DUCKTAIL's campaigns have been highly individualized. WithSecure Intelligence researchers have also observed the infectious files starting DUCKTAIL's infection chains being hosted on cloud services such as Dropbox, MediaFire, and iCloud. This includes the name, verification status, ad account limit, pending users (owner, email, role, invite link, status), clients (ID, name, ad account permissions), ad account name, ad account ID, ad account status, ads payment cycle, currency, adtrust DSL, and amount spent. In one instance that WithSecure incident responders investigated, the victim used an Apple machine and had never logged into Facebook from a Windows computer. A subsequent analysis by Zscaler ThreatLabz last month uncovered a PHP version of the malware distributed as installers for cracked software.
"An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program," Nejad explained. Since August 2022, when the campaign halted, the WithSecure researchers observed multiple development DUCKTAIL samples uploaded to VirusTotal from Vietnam. Video showing how to start Windows 8 in "Safe Mode with Networking": Windows 10 users: Click the Windows logo and select the Power icon. In the "Choose an option" window click on "Troubleshoot", then select "Advanced options". This includes marketing, media, and human resources personnel. This allows the threat actor to appear safe and shield itself from Facebook's built-in safeguards. DUCKTAIL's operations make use of an infostealer malware component that was specifically designed to hijack Facebook Business accounts. While they continued to request certificates from multiple CAs in the name of the original company, they've also set up six other businesses, all in Vietnamese, and have obtained code signing certificates using three of them. "ChatGPT will support software engineering for good and bad and it is an enabler and lowers the barrier for entry for the threat actors to develop malware," West said. "DUCKTAIL's operations utilize an infostealer malware component that includes functionality specifically designed to hijack Facebook Business accounts," WithSecure stated.
Tim West, head of threat intelligence at WithSecure, added that the fact that malware created using ChatGPT is polymorphic will make it challenging for defenders. If you suspect that your device is infected with DUCKTAIL (or other malware), we strongly advise using an anti-virus to remove it immediately. "This is further strengthened by increased chat activity and the new file encryption mechanism that ensures only certain users will be able to decrypt certain exfiltrated files," the researchers say. Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. It's unclear if this was related to DUCKTAIL, but the researchers established that the attackers were also from Vietnam. Some examples include: "project development plan", "project information", "products.pdf.exe" and "new project loral budget business plan.exe". Contents of an Archive File Sent by a Ducktail Attacker | Source: WithSecure. Malware samples analyzed earlier this year were digitally signed with a legitimate code signing certificate obtained from Sectigo in the name of a Vietnamese company. No, DUCKTAIL's removal does not necessitate such drastic measures.
Tim West, the head of WithSecure, believes that the creation of malware through artificial intelligence will increase challenges for defenders. Yes, Combo Cleaner is designed to detect and remove threats. "The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware," Finnish cybersecurity company WithSecure (formerly F-Secure Business) said in a new report. Following successful infiltration, DUCKTAIL begins its operation by checking for installed browsers, specifically looking for Google Chrome, Mozilla Firefox, Microsoft Edge, or Brave. WithSecure has discovered an ongoing operation, dubbed "DUCKTAIL", that targets individuals and organizations operating on Facebook's Ads and Business platform. WithSecure reports that DUCKTAIL is scouting for and phishing its targets via LinkedIn, where it selects users likely to have high-level access to a Facebook Business account, especially those with admin privileges. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows. WithSecure has discovered an ongoing operation (dubbed "DUCKTAIL") that targets individuals and organizations that operate on Facebook's Business/Ads platform. The malicious activity was first documented by the Finnish cybersecurity company in July 2022. And if you believe that your account(s) have been compromised, change the passwords and contact Facebook's official support without delay.
The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign. Regarding phishing emails, it is clear that AI and large language models can be used to create convincing email campaigns, social media messages and targeted texts. The Facebook Business account information collected by the malware, which is signed using digital certificates obtained under the guise of seven different non-existent businesses, is exfiltrated using Telegram. Therefore, the threats these infections pose include compromise of various Facebook accounts (personal, business, ad, etc.). Firstly, change the passwords of all potentially compromised accounts without delay. To summarize, DUCKTAIL infections can result in severe privacy issues, significant financial losses, and identity theft. The attackers are also testing multistage loaders to deploy malware, such as an Excel add-in file (.xll), which extracts a secondary loader from an encrypted blob and then finally downloads the infostealer malware.
Ducktail Malware Operation Evolves with New Malicious Capabilities (Nov 23, 2022, Ravie Lakshmanan). Detection names: F-Secure (Trojan:W32/DuckTail.D), Webroot (W32.Trojan.Ducktail). WithSecure's CEO confirmed to Infosecurity that the company has observed malware samples that have been generated by ChatGPT. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove.
Clements points out that shortcomings in people, rather than in technology, are crucial to the success of such cyberattacks. The best way to protect yourself from Ducktail malware is to be vigilant about opening emails and attachments from unknown senders and to avoid clicking on links in email messages. In the following window you should click the "F5" button on your keyboard. The malware is delivered to the targeted individuals through LinkedIn, as they usually have Facebook business accounts. For example, DUCKTAIL's ideal victims would have either Admin access or a Finance editor role. How to Protect Your Data from Ducktail: Ducktail, a new version of an infostealer malware, is running rampant over Facebook. The goal is to gain access to accounts of victims who have significant or total control over a Facebook business page. The malicious shortcut usually comes with the icon of a PDF document in order to trick users into executing it. "Often, social media accounts are managed by PR or marketing teams with no input or oversight from the cybersecurity teams to ensure that best practices for those accounts include strong passwords, multi-factor authentication, and real-time monitoring capabilities to detect potential compromise." This allows the threat actor to access the victim's Facebook account outside the compromised machine. This program shows auto-start applications, Registry, and file system locations: Windows XP and Windows 7 users: Start your computer in Safe Mode. By employing this technique, the developer of Ducktail has successfully deceived Facebook into legitimizing illicit information requests, provided the malware is downloaded and installed on the target computer.
Our products currently offer the following detections against the malware: Trojan:W32/SuspiciousDownload.A!DeepGuard, Trojan:W32/WindowsDefenderExclusion.A!DeepGuard. Research by WithSecure Intelligence suggests that this malware has been around since 2021 and is associated with Vietnamese cyber criminals. Dubbed DUCKTAIL by researchers from WithSecure, the group uses spear phishing to target individuals on LinkedIn who have job descriptions that could suggest they have access to manage Facebook business accounts. The malware aims to add email addresses controlled by attackers to the hijacked Facebook business accounts with the highest possible roles: admin and finance editor. Attackers using the Ducktail malware have specific goals, such as to target individuals within companies operating on Facebook's Business platform. This story is just one more example of the success of social engineering used by hackers. Hintikka noted: "Traditionally AI has been used by the defenders in our industry, us included, and the attackers have done the offense manually but now I think that is changing."
The threat actors behind the campaign have been active since 2018, says WithSecure. No malware was found on the system and the initial access vector could not be determined. Hassan Nejad advises that vigilance and alertness are key to avoiding becoming a victim of DUCKTAIL: "Many spear phishing campaigns target users on LinkedIn." The account abuse is achieved using a victim's browser through a malware program delivered under the guise of documents related to brands, products, and project planning. It works by scanning for installed browsers such as Google Chrome, Microsoft Edge, Brave Browser, and Mozilla Firefox to extract all the stored cookies and access tokens, alongside stealing information from the victim's personal Facebook account such as name, email address, date of birth, and user ID. One such sophisticated stealer is DuckTail, which was first identified by WithSecure Intelligence in July 2022. The malware, dubbed Ducktail, uses browser cookies from authenticated user sessions to take over accounts and steal data, researchers said. Your computer will now restart into the "Advanced Startup options" menu. The chain of evidence suggests that the threat actor's motives are financially driven. Some malicious programs are also capable of self-spreading via local networks and removable storage devices (e.g., external hard drives, USB flash drives, etc.). Subsequently, Ducktail can directly interact with multiple Facebook endpoints from the victim's machine and extract information from the victim's Facebook account.
Video showing how to start Windows 7 in "Safe Mode with Networking": Windows 8 users: Start Windows 8 in Safe Mode with Networking: go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. The idea is to target employees with high-level access to Facebook Business accounts associated with their organizations, tricking them into downloading supposed Facebook advertising information hosted on Dropbox, Apple iCloud, and MediaFire. Threat type: Trojan, password-stealing virus, banking malware, spyware. WithSecure (previously F-Secure) researchers have revealed details of a new spear phishing campaign targeting Facebook business accounts. "WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook's existing security features and hijacking businesses," concludes the report. Check the list provided by the Autoruns application and locate the malware file that you want to eliminate. The cyber criminals behind this malware search Facebook's Business/Ads platform for targets of interest and go after high-ranking individuals.
One of the samples was compiled using the NativeAOT of .NET 7, which provides similar capabilities as the single-file feature of .NET Core, allowing binaries to be compiled natively ahead of time. "Historically we've seen similar attacks on social media accounts such as the Twitter hack in July 2020 that included Elon Musk among over 100 other celebrities that targeted account followers by tweeting out cryptocurrency scams from the compromised accounts, but the directed approach of targeting Facebook business accounts is a new and interesting angle," Clements noted. You should write down its full path and name. At the same time, you should also grant administrator permissions to more than one user, as having another account with admin authority will prevent you from being locked out. From that point, the malware seeks to identify cookie paths and extract those relating to Facebook sessions. The compromised Facebook business accounts are used to run ads on the platform for the attackers' financial gain. Ducktail malware is written in .NET Core and compiled into a single file, so its binary can run without the .NET runtime being present on the victim's computer. Be sure to enable hidden files and folders before proceeding. This phishing campaign can access private data on any infected system and it can even take control of Facebook accounts. "The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access.
Since that certificate has been reported and revoked, the attackers have switched to GlobalSign as their certificate authority. Research bulletin: DUCKTAIL: An infostealer malware targeting Facebook business accounts. We recommend reviewing users added to your Facebook Business account through Meta's Business Manager and revoking access for unknown users that were granted Admin access (with finance editor role). Ducktail malware targets users and organizations on Facebook Business and Ads platform in this financially motivated malicious new campaign. In the opened menu click "Restart" while holding the "Shift" button on your keyboard. The malware also checks whether two-factor authentication is enabled for the hijacked accounts and uses the active session to obtain backup codes for the 2FA when enabled. It then steals all the stored cookies, including any Facebook session cookie stored inside. Ducktail's new versions run an infinite loop in the background that enables continuous exfiltration of new updates and cookies from the victim's Facebook account to interact with it and create an email ID with admin access and finance editor roles, controlled by the attacker.
DUCKTAIL usually steals the Business accounts through associated personal Facebook accounts. This information includes name, email, birthday, and user ID for personal accounts; name, verification status, ad limit, pending users and clients from Facebook business pages to which the personal accounts have access; name, ID, account status, ads payment cycle, currency, adtrust DSL, and amount spent for any associated Facebook Ads accounts. WithSecure said it identified eight Telegram channels that were used for this purpose. The findings are yet another indicator of how bad actors are increasingly banking on legitimate messaging apps like Discord and Telegram, abusing their automation features to propagate malware or meet their operational goals. The attacker also grants themselves full privileges by adding their email address, essentially giving them Admin and Finance editor roles on the victim's Facebook Business account. Ducktail can collect general information and steal Facebook-related data, which is then exfiltrated to Telegram in several scenarios, such as after the hijacking, when the code loop is completed, or when the process crashes/exits. Virulent files can be in various formats, e.g., archives (ZIP, RAR, etc.), executables (.exe, .run, etc.). Based upon analysis and gathered data, we have determined that the operation is conducted by a Vietnamese threat actor. In a blog post, the cybersecurity firm Avast recommends using one of the best password managers to improve the strength of your passwords and enabling two-factor authentication (2FA) to help keep your Facebook Business account more secure. The file names generally utilized brand, product, and project planning keywords. Click the "Restart now" button.
The attack, according to researchers, entails using an infostealer dubbed Ducktail designed for stealing browser cookies for authenticated Facebook sessions and information from the Facebook account. WithSecure Intelligence has noted instances where this malware was delivered via the LinkedIn business networking platform. The malware uses the Facebook session cookie to interact with Facebook pages directly or to send requests to the Facebook Graph API to obtain information. We believe this trend will continue as cybercriminals increasingly abuse these platforms to achieve objectives including malware distribution, theft, disinformation campaigns, and fraud. WithSecure researcher Mohammad Kazem Hassan Nejad wrote the report and stated that most spear phishing campaigns target people via LinkedIn. The attacks, attributed to a Vietnamese threat actor, are said to have begun in the latter half of 2021, with primary targets being individuals with managerial, digital marketing, digital media, and human resources roles in companies. The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to. Grimes believes that identifying social engineering is the best way to thwart such attacks. New Ducktail Infostealer Malware Targeting Facebook Business and Ad Accounts. The attackers have better locked down these channels since they were outed in August, and some channels now have multiple administrators, which could suggest they are running an affiliate program similar to ransomware gangs.
Most malicious programs are used to generate revenue, and DUCKTAIL is no exception. Its infection chain is built on social engineering: the final step is to send the target a link to an archive that contains the malware masquerading as a PDF, alongside images and videos that appear to belong to the same project. When the file is executed, run or otherwise opened, the malware's download and installation process begins. The operators have used code-signing certificates for their executables; EV code-signing certificates require extended validation, in which the identity of the applicant is verified through various documents. If you are in a role with admin access to corporate social media accounts, exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent by people you are unfamiliar with. Always use strong passwords and two-factor authentication wherever possible, and activate and update software only with the tools provided by its genuine developers, since illegal activation ("cracking") tools and fake updaters may contain malware. We have analyzed thousands of malicious programs, including stealers aimed at particular accounts, such as YTStealer, which targets YouTube accounts, and FFDroider, DevilsTongue, Redox and Ducky, which aim to steal Facebook accounts among other data.

Removal, step 1 (older Windows versions): click Start, click Shut Down, click Restart, then click OK. While the computer starts, press the F8 key repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Networking from the list.
WithSecure has discovered an ongoing malware operation, dubbed DUCKTAIL, that targets individuals and organizations operating on Facebook's Ads and Business platform, the company reported on July 26. The malware has been continuously updated and modified since the second quarter of 2021. The attackers first build a list of companies that have Business pages on Facebook and then use the access they gain to run ads for monetary gain. The lure in the archive is a malicious Windows shortcut whose target downloads a decoy PDF document (the original report shows screenshots of an example shortcut, its target and the decoy PDF). The attackers experimented with NativeAOT, but NativeAOT has limited support for third-party libraries, so they reverted to .NET Core. Tim West of WithSecure believes that the creation of malware with the help of artificial intelligence will increase the challenges for defenders. Besides financial gain, malware attacks can be motivated by personal grudges and political or geopolitical reasons; the usual distribution channels are infected email attachments, malicious online advertisements, social engineering and software 'cracks'. "Hackers love that defenders are distracted and don't focus appropriate resources on the number one threat."

Removal, step 2: if you checked the list of programs running on your computer, for example with Task Manager, and identified one that looks suspicious, download a program called Autoruns and continue with the steps below.
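The two passages above (an archive that carries the malware disguised as a PDF next to genuine-looking images, and a Windows shortcut whose icon and name imitate a document) describe a lure that can be caught before anyone double-clicks it. The triage routine below is an added example written for this page, not tooling from WithSecure or the pcrisk removal guide; it inspects a ZIP archive (the page also mentions RAR, which the standard library cannot open) and flags members whose extension or file header does not match what the name promises. The sample archive and its contents are constructed in memory for the example.

```python
import io
import posixpath
import zipfile
from typing import List, Tuple

# Extensions Windows Explorer hides by default when "known extensions" are hidden,
# so "Plan.pdf.exe" is shown to the user as "Plan.pdf".
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".mp4"}
EXEC_EXTS = {".exe", ".scr", ".com", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".msi", ".hta"}
PE_EXTS = {".exe", ".dll", ".scr", ".com"}
PE_MAGIC = b"MZ"
# Shell Link (LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive member looks like a disguised executable."""
    lower = posixpath.basename(name).lower()
    root, ext = posixpath.splitext(lower)
    _, inner_ext = posixpath.splitext(root)
    reasons: List[str] = []
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
        if inner_ext in DOC_EXTS:
            reasons.append(f"document extension {inner_ext} hidden before {ext}")
    if head.startswith(PE_MAGIC) and ext not in PE_EXTS:
        reasons.append("PE header (MZ) under a non-executable extension")
    if head.startswith(LNK_MAGIC) and ext != ".lnk":
        reasons.append("Shell Link header under a non-.lnk extension")
    return reasons


def triage_zip(data: bytes) -> List[Tuple[str, List[str]]]:
    """Scan every file in a ZIP and list the suspicious ones with their reasons."""
    flagged: List[Tuple[str, List[str]]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # enough for the MZ and LNK checks
            reasons = classify_member(info.filename, head)
            if reasons:
                flagged.append((info.filename, reasons))
    return flagged


def build_sample_archive() -> bytes:
    """Constructed lure: a real-looking decoy, an image, and two disguised payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Project Brief/brief.pdf", b"%PDF-1.4\n% decoy document\n")
        zf.writestr("Project Brief/logo.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("Project Brief/Campaign Plan.pdf.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("Project Brief/Open Me.pdf.lnk", LNK_MAGIC + b"\x00" * 20)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip(build_sample_archive()):
        print(member, "->", "; ".join(why))
```

Run it over an attachment before it reaches a marketing or HR mailbox: a hit on the double-extension or header-mismatch rules is a strong enough signal to quarantine the whole archive, since a genuine project brief has no reason to contain a shortcut or a PE file.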
Cybercriminals commonly disguise malware as games, music, software and other media content to trick users into downloading and installing it. As previously mentioned, DUCKTAIL infection chains are tailor-made for the potential victims: the files were usually archives with (often generic) names relating to the targeted business. Once deployed, the malware scans for the browsers installed on the system and the path to each browser's cookie storage. Research by WithSecure Intelligence indicates the malware has been around since 2021 and is associated with Vietnamese cybercriminals; the researchers believe there is no specific sector or geographic target at the moment. A YARA rule for the family carries the meta string description="Detects artifacts found in files associated to DUCKTAIL malware". After WithSecure exposed the operation in August this year, the operation stopped and the attackers reworked some of their toolset. "Information stolen from the victim's machine also allows the threat actor to attempt these activities (as well as other malicious activities) from outside the victim's machine," the researchers said. Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said: "As businesses become more aware and resilient to traditional ransomware attacks, cybercriminals will look for new ways to convert successful cyberattacks into ill-gotten financial gains." The campaign combines online tracking of targets with info-stealing malware to hijack Facebook Business accounts, which allowed the attackers to spend on ads using victims' accounts. However the malware operates, such infections endanger device and user safety.
Just like with other cyberattacks, WithSecure's Nejad recommends exercising caution when dealing with attachments or links sent by people you are unfamiliar with on LinkedIn, since DUCKTAIL's operators use the platform to find new targets. From there, the attackers use social engineering to convince potential victims to download a file hosted on a cloud storage service such as Dropbox, according to a report from TechCrunch. WithSecure detected the campaign earlier in 2022 and shed light on it in late July 2022; in a follow-up dated November 24, 2022 (updated May 17, 2023), researchers found that Ducktail, a malware strain that gained traction in the second half of 2021, had upgraded its malicious code. The hijacking is achieved by adding the threat actor's email address to the Facebook Business account with the Admin and Finance editor roles. "So far, humans have been able to identify what is suspicious and what is not. I think that will be much, much harder moving forward," Hintikka said. A separate threat report states: "We're sharing our latest threat research and technical analysis into malware families, including Ducktail, NodeStealer, and newer threats posing as ChatGPT and similar tools targeting businesses."

Removal, step 3 (newer Windows versions): click Advanced startup options; in the opened "General PC Settings" window, select Advanced startup. After removing the malware's entry with Autoruns (which ensures it will not run automatically at the next system startup), search for the malware's file name on your computer.
Hijacking a Business account enables the cybercriminals to view financial data (e.g., transactions, invoices, spending, payment methods, credit cards, etc.). On July 27, 2022, researchers at WithSecure reported a new infostealer used by a Vietnamese threat actor to target Facebook Business accounts; although the campaign dates to 2021, the threat actor has been active since 2018. Since ChatGPT can give different answers to the same question, it can also be used to generate many different variations, that is, mutations, of a malware sample.

Removal, step 4: a video showing how to start Windows 10 in "Safe Mode with Networking" accompanies the original guide. Extract the downloaded Autoruns archive and run Autoruns.exe. At this stage it is very important to avoid removing system files; manual threat removal requires advanced computer skills.
With ransomware being such a lucrative business, Robinson said that these nefarious groups can now invest in efficiencies through outsourcing activities to suppliers, "almost like a gig economy." It is likely that this investment will also go towards understanding AI and its capabilities; discussing threat actors' use of AI, Hintikka said that since the criminal groups have also become bigger, "unfortunately, they have now the means to invest." Looking to the future, Hintikka said, "This will be a game of good AI versus bad AI."

"The file you are trying to open is 100% malware (probably the DuckTail family, but that does not matter much here); delete it before you run it by mistake."

The threat actor behind Ducktail scours LinkedIn, an online network for professionals, for targets. "In instances where the targeted victims did not have sufficient access to allow the malware to add the threat actor's email addresses into the intended business accounts, the threat actor relied on the information that was exfiltrated from the victims' machines and Facebook accounts to impersonate them and achieve their post-compromise objectives via hands-on activity," the researchers said in their new report.

Removal, step 5: in the Advanced options screen, click "Startup settings".
Removal, step 6: your PC will restart into the Startup Settings screen. If you believe that your computer is already infected, run a scan with legitimate antivirus software to eliminate the infiltrated malware.

The threat actor has continued to update and push out the malware in an attempt to improve its ability to evade detection. The identified victims were spread around the world, so the attackers do not target one particular region. The threat actor has been socially engineering their way into target systems to distribute the Ducktail infostealer since the latter half of 2021. Because the malware runs on the victim's own machine with the victim's own session cookies, its requests for information look legitimate to Facebook once it has been downloaded and installed. WithSecure has discovered an ongoing operation (dubbed "DUCKTAIL") that targets individuals and organizations operating on Facebook's Business and Ads platform. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem Hassan Nejad said in a new analysis published on July 27, 2022, 7:05 AM PDT. Every organization should look at what it can improve in its defense-in-depth plan (e.g., policies, technical defenses and education) to defeat social engineering.
While users with the Admin role have full control over the Facebook Business account, users with Finance editor permissions can edit business credit-card information and financial details such as transactions, invoices, account spend and payment methods. It goes without saying that caution should also be exercised with attachments or links sent by people you are unfamiliar with. "No other single defense could do more to protect an organization against hacking and malware." Zscaler ThreatLabz last month uncovered a PHP version of the malware. Once on the system, the malware seeks to identify cookie paths and extract the cookies. Manual threat removal can be a lengthy and complicated process that requires advanced computer skills; antivirus software should be used to run regular system scans and to remove threats and issues.
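The hijack itself is an authorization change: an unexpected email address appears on the Business account with the Admin role and Finance editor permission, sometimes first as a pending invitation. The audit below is an added example, not code from WithSecure or Meta; it diffs a snapshot of the account's user lists against a known-good baseline and the organisation's own mail domains. The snapshot is constructed sample data whose field names (role, finance_permission, email, business_users, pending_users) follow the Graph API's business user edges as I understand them; treat that shape, the corporate domain and the baseline IDs as assumptions to adapt.

```python
import json
from typing import Dict, List, Set

# Assumption: the organisation's own mail domains. Anything else is "external".
CORPORATE_DOMAINS: Set[str] = {"example-agency.com"}

# Assumption: user IDs recorded at the last known-good review of the account.
BASELINE_IDS: Set[str] = {"u1", "u2"}

# Constructed snapshot (sample data, not a real account). u3 is the intruder:
# an external address that copies an existing display name and arrives with
# both Admin and Finance editor rights; p1 is the same pattern still pending.
SNAPSHOT: Dict = json.loads("""
{
  "business_users": {"data": [
    {"id": "u1", "name": "Alice Owner", "email": "alice@example-agency.com",
     "role": "ADMIN", "finance_permission": "EDITOR"},
    {"id": "u2", "name": "Bob Marketer", "email": "bob@example-agency.com",
     "role": "EMPLOYEE", "finance_permission": "NONE"},
    {"id": "u3", "name": "Alice Owner", "email": "ads.manager.2023@gmail.com",
     "role": "ADMIN", "finance_permission": "EDITOR"},
    {"id": "u4", "name": "Carol New", "email": "carol@example-agency.com",
     "role": "EMPLOYEE", "finance_permission": "NONE"}
  ]},
  "pending_users": {"data": [
    {"id": "p1", "name": "Finance Ops", "email": "finance.ops@protonmail.com",
     "role": "ADMIN", "finance_permission": "EDITOR"}
  ]}
}
""")

PRIVILEGED_ROLES = {"ADMIN"}
PRIVILEGED_FINANCE = {"EDITOR"}


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def is_privileged(user: Dict) -> bool:
    """Admin or Finance editor: either is enough to spend the victim's budget."""
    return (user.get("role") in PRIVILEGED_ROLES
            or user.get("finance_permission") in PRIVILEGED_FINANCE)


def audit(snapshot: Dict, baseline_ids: Set[str], corporate_domains: Set[str]) -> List[Dict]:
    """Flag external or newly privileged users, active and pending alike."""
    edges = (("business_users", "active"), ("pending_users", "pending"))
    # Display names already in use, so a newcomer mimicking one stands out.
    name_owners: Dict[str, Set[str]] = {}
    for edge, _ in edges:
        for user in snapshot.get(edge, {}).get("data", []):
            name_owners.setdefault(user.get("name", ""), set()).add(user["id"])

    findings: List[Dict] = []
    for edge, state in edges:
        for user in snapshot.get(edge, {}).get("data", []):
            domain = email_domain(user.get("email", ""))
            new_user = user["id"] not in baseline_ids
            reasons: List[str] = []
            if domain not in corporate_domains:
                reasons.append("external email domain " + (domain or "(none)"))
            if new_user and is_privileged(user):
                reasons.append("privileged role not present in baseline")
            if new_user and len(name_owners.get(user.get("name", ""), set())) > 1:
                reasons.append("display name duplicates an existing user")
            if not reasons:
                continue
            findings.append({
                "id": user["id"], "email": user.get("email", ""), "state": state,
                "role": user.get("role"), "finance_permission": user.get("finance_permission"),
                "severity": "high" if is_privileged(user) else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SNAPSHOT, BASELINE_IDS, CORPORATE_DOMAINS):
        print(f["severity"].upper(), f["id"], f["email"], "; ".join(f["reasons"]))
```

Carol (u4) is new but internal and unprivileged, so she produces no finding; running this on a schedule and alerting on any "high" row catches the takeover at the moment the attacker's address is added, which is earlier than the first fraudulent ad spend.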
Further details from the reports: the attackers approach the targeted individuals through LinkedIn because people in those roles usually have access to Facebook Business accounts, and Ducktail's ideal victims have either Admin access or the Finance editor role. In August 2022, when the campaign halted after WithSecure's exposure, the researchers observed multiple development samples of Ducktail being uploaded to VirusTotal from Vietnam. The operators used GlobalSign as their certificate authority for the certificates that sign the malware, and the malicious shortcut uses a PDF document icon to trick users into executing it. In some cases the initial access vector could not be determined. Ducktail's campaigns have been highly individualized, and once running, the malware can directly interact with multiple Facebook endpoints from the victim's machine to extract information from the victim's Facebook account. For small businesses that depend on Meta's social network to reach their customers, the threats these infections pose include the compromise of various Facebook accounts (personal, Business, ad, etc.), severe privacy issues and significant financial losses.
