Ducktail malware: WithSecure and Zscaler findings

Ducktail is a financially motivated information stealer attributed to an unnamed Vietnam-based threat actor. Instances of the stealer were first identified in late 2021, the campaign has been active since at least May 2021, and the operation was first publicly documented by the Finnish cybersecurity company WithSecure (formerly F-Secure Business) in late July 2022. It targets individuals and organizations operating on Facebook's Ads and Business platform and has affected users with Facebook Business accounts in the United States and more than three dozen other countries. The individuals the group typically targets hold managerial roles or work in digital marketing, digital media or human resources, that is, the people most likely to have access to a company's Facebook Business account.

"The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem Hassan Nejad said in his analysis. "The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access." WithSecure assesses that the actor's primary goal is to push out fraudulent ads via the compromised business accounts: "We believe the Ducktail operation uses hijacked business account access purely to make money by pushing out fraudulent ads," Nejad says. Campaigns to date have focused on taking over Facebook Business accounts both to manipulate pages and to access financial information. A threat actor with admin access to a victim's Facebook Business account can do a lot of damage, including taking full control of the business account, viewing and modifying settings, people and account details, and even deleting the business profile outright. Access to the linked payment methods also allows the attacker to add other businesses to the victim's credit card and monthly invoices and to use those payment methods to run ads. WithSecure estimates that the financial losses caused by Ducktail range between $100,000 and $600,000, depending on the victim.
Ducktail has been observed using LinkedIn to reach its targets, and the targets appear to be carefully selected: launching the malicious app requires the victim to enter an activation key before its features are enabled. The malware was also seen launching a dummy file, such as a document (.docx), spreadsheet (.xlsx) or video (.mp4), to hide its malicious intent. Over the course of the last two or three months the actor has registered multiple fraudulent companies in Vietnam, apparently as a cover for obtaining digital certificates for signing its malware; the first of these companies was registered in 2017 but made its first certificate purchase only in 2021. Following public disclosure, the digital certificate used in the campaign was revoked, which resulted in the attackers attempting to use invalid certificates.

After WithSecure exposed the operation and the attackers discovered that their efforts were no longer paying off, they stopped malware distribution in August 2022. In September, however, they resumed activity with a reworked toolset and a new bag of tricks for hijacking accounts and profiting from them. WithSecure's analysis of the latest incidents shows that the actors have adapted both their tactics and their malware to evade detection: the capabilities of the primary information stealer have been tweaked, it has adopted a new file format, and several multi-stage variants now deliver the main stealer as a final payload. These variants include an Excel add-in file (.xll) and a .NET downloader. Prior versions of the stealer contained a hard-coded list of email addresses to use for hijacking business accounts. "However, with the recent campaign, we observed the threat actor removing this functionality and relying entirely on fetching email addresses directly from its command-and-control channel (C2)," which is hosted on Telegram, Nejad says. When a victim lacked sufficient permissions to add the attacker's email address to the intended Facebook Business account, the adversary relied on the information exfiltrated from the victim's machine and Facebook account to impersonate the victim and achieve the objective through hands-on activity. While Telegram continues to be used for C2, the actor has associated multiple administrator accounts with its Telegram channels, which suggests it may be running an affiliate program as part of its expansion efforts. Overall, the operators have demonstrated a "relentless willingness to persist" and continue to update their malware as part of an ongoing, financially driven campaign.
In August 2022 the Zscaler ThreatLabz team observed a new campaign carrying a new edition of the Ducktail infostealer with new TTPs: a never-before-seen Windows information stealer written in PHP, distributed in the form of cracked installers for legitimate apps and games. The installers are hosted on a domain (defanged in the source, with only the suffix ]com surviving) and masquerade as cracked versions of Microsoft Office, games and porn-related files. Like the older .NET Core versions, the PHP version aims to exfiltrate saved browser credentials, browser data, Facebook account data and cryptocurrency wallets; compared with previous campaigns, however, the execution of the malicious code has changed. For its analysis Zscaler used the sample with MD5 DF071DF2784573C444CA6E1421E3CB89 to demonstrate the execution flow and the PHP script carved out of it, and a figure in the original blog gives a pictorial representation of how the PHP version is distributed and executed on the victim's machine.

The execution flow is as follows. Upon execution, the fake installer pops up a "Checking Application Compatibility" GUI in the foreground. In the background it generates a .tmp file that re-initiates the installer with the /Silent parameter, after which another .tmp file is generated. That second .tmp file drops all the supporting and malicious files at %Localappdata%\Packages\PXT\v2-0\ (in the analysed sample) and then executes two processes. It is worth noting that instead of building a single binary that performs every action, the threat actor has divided execution into parts based on their purpose. The dropped components fall into four roles:

- a component to drop the supporting files and execute the malicious files;
- a customized utility for obtaining the browser password decryption key;
- an encoded text file consisting of the commands that execute the job-scheduling binary;
- an encoded text file consisting of the stealer and exfiltration code.

The primary task of the first process is to call a PHP script (named switcher.php in this sample) whose code decrypts a base64-encoded text file (switcher.txt). Executing the decrypted version of that text file leads, as the final outcome, to the execution of the custom job-scheduling binary. The stealer and exfiltration code is likewise decoded only at run time; Zscaler was able to fetch the decoded malicious code from memory, and the findings from it follow.
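The execution chain above lends itself to a multi-stage detection rather than a single file-hash match. The following is an added example written for this page, not Zscaler's or WithSecure's code: it classifies constructed Sysmon-style ProcessCreate and FileCreate events (the field names follow Sysmon's; the hosts, user names, installer names and setup-N.tmp parents are invented) against the indicators reported in the analysis, namely the /Silent relaunch from a .tmp, writes under %LOCALAPPDATA%\Packages\PXT\v2-0\, php.exe running switcher.php, and any process image executing from that directory. A host is alerted only when at least two distinct stages are seen, so an ordinary installer's silent relaunch on its own does not fire.

```python
"""Multi-stage detection for the PHP Ducktail execution chain.

Added example for this page (not Zscaler's or WithSecure's code). Event field
names follow Sysmon's; the hosts, user names and file names in the sample log
are constructed. Only the indicators themselves come from the analysis.
"""
import json
import re
from collections import defaultdict

# Drop directory reported in the analysis (%LOCALAPPDATA%\Packages\PXT\v2-0\).
DROP_DIR_RE = re.compile(r"\\AppData\\Local\\Packages\\PXT\\v2-0\\", re.IGNORECASE)
# "/Silent" as a standalone switch on the command line.
SILENT_RE = re.compile(r"(^|\s)/silent\b", re.IGNORECASE)

# Constructed Sysmon-style events, one JSON object per line. WS-01 shows the
# full chain; WS-02 shows a benign silent relaunch and an unrelated php.exe.
SAMPLE_EVENTS = r"""
{"host":"WS-01","event":"ProcessCreate","Image":"C:\\Users\\u\\Downloads\\Office_Crack_Setup.exe","CommandLine":"Office_Crack_Setup.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"host":"WS-01","event":"ProcessCreate","Image":"C:\\Users\\u\\Downloads\\Office_Crack_Setup.exe","CommandLine":"\"C:\\Users\\u\\Downloads\\Office_Crack_Setup.exe\" /Silent","ParentImage":"C:\\Users\\u\\AppData\\Local\\Temp\\setup-1.tmp"}
{"host":"WS-01","event":"FileCreate","Image":"C:\\Users\\u\\AppData\\Local\\Temp\\setup-2.tmp","TargetFilename":"C:\\Users\\u\\AppData\\Local\\Packages\\PXT\\v2-0\\switcher.php"}
{"host":"WS-01","event":"FileCreate","Image":"C:\\Users\\u\\AppData\\Local\\Temp\\setup-2.tmp","TargetFilename":"C:\\Users\\u\\AppData\\Local\\Packages\\PXT\\v2-0\\switcher.txt"}
{"host":"WS-01","event":"ProcessCreate","Image":"C:\\Users\\u\\AppData\\Local\\Packages\\PXT\\v2-0\\php.exe","CommandLine":"php.exe switcher.php","ParentImage":"C:\\Users\\u\\AppData\\Local\\Temp\\setup-2.tmp"}
{"host":"WS-01","event":"ProcessCreate","Image":"C:\\Users\\u\\AppData\\Local\\Packages\\PXT\\v2-0\\currentdata40.exe","CommandLine":"currentdata40.exe","ParentImage":"C:\\Users\\u\\AppData\\Local\\Temp\\setup-2.tmp"}
{"host":"WS-02","event":"ProcessCreate","Image":"C:\\Users\\v\\Downloads\\7zip-setup.exe","CommandLine":"\"C:\\Users\\v\\Downloads\\7zip-setup.exe\" /Silent","ParentImage":"C:\\Users\\v\\AppData\\Local\\Temp\\setup-9.tmp"}
{"host":"WS-02","event":"ProcessCreate","Image":"C:\\xampp\\php\\php.exe","CommandLine":"php.exe index.php","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
"""


def classify(ev):
    """Return the set of Ducktail chain stages a single event matches."""
    stages = set()
    kind = ev.get("event")
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "")
    if kind == "FileCreate" and DROP_DIR_RE.search(ev.get("TargetFilename", "")):
        stages.add("drop_to_pxt_dir")
    if kind == "ProcessCreate":
        # installer re-launched silently by a .tmp helper
        if SILENT_RE.search(cmd) and parent.lower().endswith(".tmp"):
            stages.add("silent_relaunch_from_tmp")
        # PHP interpreter invoked on the switcher script
        if image.lower().endswith("\\php.exe") and "switcher.php" in cmd.lower():
            stages.add("php_switcher_stage")
        # anything executing out of the drop directory (php.exe, currentdata40.exe, ...)
        if DROP_DIR_RE.search(image):
            stages.add("exec_from_pxt_dir")
    return stages


def detect(log_text, min_stages=2):
    """Collect stages per host; alert on hosts showing at least min_stages distinct stages."""
    per_host = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        per_host[ev["host"]] |= classify(ev)
    return {host: sorted(stages) for host, stages in per_host.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Running the block prints a single alert for WS-01 listing all four stages; WS-02 stays quiet because a silent relaunch from a .tmp helper is exactly what many legitimate installers do, and only the combination with the PXT drop directory or the switcher.php invocation is specific to this chain.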
Firstly, the stealer creates PHP associative arrays that are used later when the data is sent to the C&C. Post infection, the PHP script connects to the C&C server to get a list of contents stored in JSON format, which is then used to gather information (Figure 10 in the Zscaler analysis shows the URL pattern used to retrieve it); in this campaign the threat actors keep that data on a newly hosted website. As it is a JSON file, the script decodes it into a PHP object with json_decode, and the resulting data is used and called later on to perform the stealing activities on the victim's machine.

The stealer then fetches the browser information installed on the system and gets the details of the profiles used in the Chrome browser. Chrome protects saved credentials and cookies with a feature known as local data encryption, and both the profile list and the key for that feature are kept in Local State, a JSON file located directly under Chrome's user data directory. Once the stealer gets access to the Local State file it tries to get the information it needs from it and decrypts the protected data using an AES-256 decryption key that is invoked through the dropped currentdata40.exe. The malware extracts all stored browser cookies and Facebook session cookies from the victim machine, specific registry data, Facebook security tokens and Facebook account information; the value of the c_user cookie is used to fetch the Facebook user ID (Figure 7: c_user argument is used to fetch the Facebook user ID).
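The Local State file and the key it carries are what the "local data encryption" step above turns on. The following added example (written for this page, not Zscaler's, WithSecure's or the malware's code) parses a constructed Local State excerpt, strips Chrome's "DPAPI" tag from the wrapped key, lists the Chrome profiles recorded there, and splits a Chrome "v10" encrypted value into its nonce, ciphertext and authentication tag. The two steps that cannot run offline, unwrapping the key with DPAPI and the AES-256-GCM decryption, are isolated in their own functions and assume the pywin32 and cryptography packages respectively; the Local State contents and the 32 placeholder key bytes are constructed. The defensive point is visible in the code: the only secret in the chain is a user-scope DPAPI blob, which any process running in the user's logon session can unwrap, so a stealer executing as the user needs no additional privilege to recover every saved cookie.

```python
"""Chrome "Local State" key handling and v10 encrypted-value layout.

Added example for this page (not Zscaler's, WithSecure's or the malware's code).
The Local State excerpt and the wrapped key bytes are constructed; a real file
carries many more keys and a genuine DPAPI blob, not 32 sequential bytes.
"""
import base64
import json
import os

DPAPI_TAG = b"DPAPI"   # Chrome prefixes the DPAPI-wrapped AES key with this tag
V10_TAG = b"v10"       # prefix of values encrypted with the Local State AES key
NONCE_LEN = 12         # AES-GCM nonce length used by Chrome
TAG_LEN = 16           # AES-GCM authentication tag length

SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {
        # constructed: base64("DPAPI" + 32 placeholder bytes), not a real wrapped key
        "encrypted_key": base64.b64encode(DPAPI_TAG + bytes(range(32))).decode("ascii"),
    },
    "profile": {"info_cache": {"Default": {"name": "Person 1"}, "Profile 1": {"name": "Work"}}},
})


def local_state_path(user_data_dir=None):
    """Location of Local State: directly under Chrome's user data directory."""
    if user_data_dir is None:
        user_data_dir = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome", "User Data")
    return os.path.join(user_data_dir, "Local State")


def chrome_profiles(local_state_text):
    """Profile directory names recorded in Local State (what the stealer enumerates)."""
    return sorted(json.loads(local_state_text)["profile"]["info_cache"])


def wrapped_key(local_state_text):
    """Return the DPAPI-wrapped AES key with Chrome's 'DPAPI' tag removed."""
    blob = base64.b64decode(json.loads(local_state_text)["os_crypt"]["encrypted_key"])
    if not blob.startswith(DPAPI_TAG):
        raise ValueError("encrypted_key does not carry the DPAPI tag")
    return blob[len(DPAPI_TAG):]


def unwrap_key(wrapped):
    """Windows only: CryptUnprotectData succeeds for any process in the owner's logon session."""
    import win32crypt  # pywin32 (assumed installed)
    return win32crypt.CryptUnprotectData(wrapped, None, None, None, 0)[1]


def split_v10(value):
    """Split a v10 value into (nonce, ciphertext, tag); raise on anything else."""
    if not value.startswith(V10_TAG) or len(value) < len(V10_TAG) + NONCE_LEN + TAG_LEN:
        raise ValueError("not a v10-encrypted value")
    body = value[len(V10_TAG):]
    return body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]


def decrypt_v10(value, key):
    """AES-256-GCM decryption of a v10 value with the unwrapped Local State key."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # assumed installed
    nonce, ciphertext, tag = split_v10(value)
    return AESGCM(key).decrypt(nonce, ciphertext + tag, None)


# The Facebook user ID comes from the c_user cookie, which sits in each profile's
# Cookies SQLite database as an encrypted_value in the layout handled above.
COOKIE_QUERY = ("SELECT host_key, name, encrypted_value FROM cookies "
                "WHERE host_key LIKE '%facebook.com' AND name = 'c_user'")
```

On a live Windows profile the sequence is wrapped_key(open(local_state_path()).read()), unwrap_key on the result, then decrypt_v10 on each encrypted_value returned by COOKIE_QUERY; everything except the two platform-bound calls runs anywhere, which is also what makes the artifact easy to triage offline.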
With the authenticated session in hand, the stealer gathers a wide range of information on all businesses associated with the Facebook account, including the business name, verification status, ad spending limits, roles, invite link, client ID, ad account permissions, permitted tasks, access status and payment method (credit card, debit card etc.). After it has completed its stealing activities, the malware encodes the stolen information to base64 and saves it to a file named log.txt, then sends the data to its C&C server in JSON format (Figure 4: Sending data to command-and-control server; Figure 12: Stolen data sent to command and control server).
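The base64-encoded log.txt and the JSON exfiltration give an incident responder a concrete artifact to triage. The following added example (written for this page; SAMPLE_RECORD is a constructed stand-in built from the data categories listed above, not Ducktail's actual field names, which the analysis does not reproduce) encodes such a record the way the stealer does, then decodes it and summarises what was exposed: the Facebook user ID, which businesses the victim administers, the largest ad spend limit in reach and how many browser profiles were read. It also handles the failure mode a responder actually meets, a log.txt captured mid-write whose base64 tail is truncated, by decoding what is complete and flagging the record as incomplete instead of crashing.

```python
"""Triage of a Ducktail-style exfiltration artifact (base64-encoded JSON log.txt).

Added example for this page, not Zscaler's or WithSecure's code. SAMPLE_RECORD is
a constructed stand-in built from the data categories the analysis lists; the
real field names used by the malware are not reproduced here.
"""
import base64
import binascii
import json

SAMPLE_RECORD = {
    "facebook": {
        "c_user": "100001234567890",                      # Facebook user ID taken from the c_user cookie
        "session_cookies": ["c_user", "xs", "fr", "datr"],
    },
    "browsers": [{"name": "Chrome", "profiles": ["Default", "Profile 1"]}],
    "businesses": [
        {"name": "Example Media Ltd", "verification_status": "verified",
         "ad_spend_limit": 25000, "roles": ["ADMIN"], "client_id": "1122334455",
         "permitted_tasks": ["MANAGE", "ADVERTISE"], "access_status": "CONFIRMED",
         "payment_methods": ["credit card"]},
        {"name": "Side Project", "verification_status": "not_verified",
         "ad_spend_limit": 500, "roles": ["EMPLOYEE"], "client_id": "9988776655",
         "permitted_tasks": ["ADVERTISE"], "access_status": "CONFIRMED",
         "payment_methods": []},
    ],
}


def encode_log(record):
    """What the stealer writes to log.txt: base64 of the JSON record."""
    return base64.b64encode(json.dumps(record).encode("utf-8")).decode("ascii")


def decode_log(text):
    """Decode log.txt, tolerating line wrapping, stripped padding and a truncated tail."""
    clean = "".join(text.split())
    padded = clean + "=" * ((-len(clean)) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        # A single dangling character cannot form a quantum: drop it and decode the rest.
        whole = clean[: len(clean) - len(clean) % 4]
        return base64.b64decode(whole, validate=True)


def triage(raw):
    """Summarise the decoded record; mark it incomplete if the JSON is cut off."""
    try:
        rec = json.loads(raw.decode("utf-8", errors="replace"))
    except json.JSONDecodeError:
        return {"complete": False, "decoded_bytes": len(raw)}
    fb = rec.get("facebook", {})
    businesses = rec.get("businesses", [])
    return {
        "complete": True,
        "facebook_user_id": fb.get("c_user"),
        "session_cookies_taken": fb.get("session_cookies", []),
        "businesses": len(businesses),
        # admin rights are what let the actor add payment methods and run ads
        "admin_on": [b["name"] for b in businesses if "ADMIN" in b.get("roles", [])],
        "max_ad_spend_limit": max((b.get("ad_spend_limit", 0) for b in businesses), default=0),
        "browser_profiles": sum(len(b.get("profiles", [])) for b in rec.get("browsers", [])),
    }


if __name__ == "__main__":
    encoded = encode_log(SAMPLE_RECORD)
    print(triage(decode_log(encoded)))
    print(triage(decode_log(encoded[:-7])))   # a capture cut off mid-write
```

The admin_on list is the field to act on first: those are the businesses on which the actor can add their own email address, attach the victim's payment methods to other businesses and start running ads, so invalidating the session cookies and auditing the business's people and payment settings should happen before any host-side cleanup.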
It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes and enhancements to their delivery mechanisms and to the way they steal a wide variety of sensitive user and system information, targeting users at large. Zscaler's ThreatLabz team is continuously monitoring the campaign and will bring to light any new findings it comes across. Defensively, organizations should enforce application whitelisting to prevent unknown executables from running, ensure that all managed or personal devices used with company Facebook accounts have basic hygiene and protection in place, and use private browsing to authenticate each work session when accessing Facebook Business accounts, so that no long-lived authenticated Facebook session is left on disk for a stealer to lift.