The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with the aim of hijacking Facebook business accounts.
“An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language,” Kaspersky said in a report published last week.
Ducktail, alongside Duckport and NodeStealer, is part of a cybercrime ecosystem operating out of Vietnam, with the attackers primarily using sponsored ads on Facebook to propagate malicious ads and deploy malware capable of plundering victims’ login cookies and ultimately taking control of their accounts.
Such attacks primarily single out users who may have access to a Facebook Business account. The fraudsters then use the unauthorized access to place advertisements for financial gain, perpetuating the infections further.
In the campaign documented by the Russian cybersecurity firm, potential targets looking for a career change are sent archive files containing a malicious executable that is disguised with a PDF icon to trick them into launching the binary.
Doing so results in the malicious file saving a PowerShell script named param.ps1 and a decoy PDF document locally to the “C:\Users\Public” folder in Windows.
“The script uses the default PDF viewer on the system to open the decoy, pauses for five minutes, and then terminates the Chrome browser process,” Kaspersky said.
The parent executable also downloads and launches a rogue library named libEGL.dll, which scans the “C:\ProgramData\Microsoft\Windows\Start Menu\Programs” and “C:\ProgramData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar” folders for any shortcut (i.e., LNK file) to a Chromium-based web browser.
The next stage entails altering the browser’s LNK shortcut file by appending a “--load-extension” command-line switch so that the browser launches a rogue extension that masquerades as the legitimate Google Docs Offline add-on to fly under the radar.
The extension, for its part, is designed to send information about all open tabs to an actor-controlled server registered in Vietnam and hijack the Facebook business accounts.
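Because the persistence step leaves a visible trace in the shortcut itself, a defender can audit the folders the report names for browser LNK files whose arguments carry a “--load-extension” switch. The following PowerShell script is an added example for this article, not code from Kaspersky or from the article; the list of Chromium-based browser executables and the extra per-user taskbar folder are assumptions for the example.

```powershell
# Added example (not from Kaspersky's report): audit LNK shortcuts in the folders the report
# names for a "--load-extension" switch injected into a Chromium-based browser shortcut.
$ShortcutDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    # Assumption: pinned taskbar shortcuts are normally per user, so the current user's copy is checked too.
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
# Assumption: executable names of common Chromium-based browsers.
$ChromiumBrowsers = @('chrome.exe', 'msedge.exe', 'brave.exe', 'opera.exe', 'vivaldi.exe', 'chromium.exe')

function Find-TamperedBrowserShortcut {
    param([string[]]$Directories = $ShortcutDirs)
    # WScript.Shell resolves a LNK file's target and its command-line arguments.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if (-not $lnk.TargetPath) { return }              # skip shortcuts with no resolvable target
            $exe = (Split-Path -Leaf $lnk.TargetPath).ToLower()
            if ($ChromiumBrowsers -notcontains $exe) { return }  # only browser shortcuts are of interest
            if ($lnk.Arguments -match '--load-extension') {
                # Report the shortcut, the extension path being side-loaded, and when the LNK last changed.
                [PSCustomObject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Modified  = $_.LastWriteTime
                }
            }
        }
    }
}

Find-TamperedBrowserShortcut | Format-List
```

Any hit is worth treating as suspicious: a legitimate browser shortcut does not normally side-load an unpacked extension, and the LNK modification time gives a first anchor for the timeline.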
Google Sues Scammers for Using Bard Lures to Spread Malware
The findings underscore a strategic shift in Ducktail’s attack methods and come as Google filed a lawsuit against three unknown individuals in India and Vietnam for capitalizing on the public’s interest in generative AI tools such as Bard to spread malware via Facebook and pilfer social media login credentials.
“Defendants distribute links to their malware through social media posts, ads (i.e., sponsored posts), and pages, each of which purport to offer downloadable versions of Bard or other Google AI products,” the company alleged in its complaint.
“When a user logged into a social media account clicks the links displayed in Defendants’ ads or on their pages, the links redirect to an external website from which a RAR archive, a type of file, downloads to the user’s computer.”
The archive files include an installer file that is capable of installing a browser extension adept at pilfering victims’ social media accounts.
Earlier this May, Meta said it observed threat actors creating deceptive browser extensions available in official web stores that claim to offer ChatGPT-related tools, and that it detected and blocked over 1,000 unique URLs from being shared across its services.