Ducktail, a well-known phishing campaign that hijacks Facebook accounts used to run ad campaigns for businesses, is now spreading brand new information-stealing malware.
According to researchers at Zscaler, Ducktail previously used LinkedIn to distribute malware written in .NET Core that stole Facebook Business account data stored in the web browser and exfiltrated it to a private Telegram channel, which acted as the malware's command and control (C2) server, communicating with infected systems to coordinate the attack.
Now, however, Ducktail has been observed spreading a new malware variant that steals not only Facebook-related data but also other sensitive data stored in browsers, such as cryptocurrency wallet data, account information and basic system information.
Browser data theft
The C2 has also changed: data no longer goes to a Telegram channel but to a JSON page that also stores account tokens and other data needed to carry out fraud on the compromised device.
Zscaler also reported that the malware is hosted as an archive file uploaded to a legitimate file hosting service. The attackers, the researchers say, avoided being flagged by anti-virus software by loading the malware into memory only.
Users can mitigate the damage caused by Ducktail and other malware by switching to an anonymous browser, or simply by making sure they do not save sensitive information in the browser of their choice.
This is especially important because if the malware does compromise an endpoint with a Facebook Business account, it can search for additional sensitive financial data such as PayPal details, including amounts spent on certain purchases, verification status, and more.
In most cases, attackers distributing the malware try to trick people into downloading it by disguising it as subtitle files for movies, adult content, or cracks for pirated software.
While it is true that the new Ducktail information stealer can bypass antivirus software, security software with built-in network protection can still help by blocking access to suspicious sites that may host it.
Via: BleepingComputer