Researchers discovered a new campaign that targets people on one social media platform to target another platform. Named Ducktail, the ongoing operation has been attributed to a Vietnam-based financially motivated threat actor active since 2018.

Diving into details

  • The hackers connect with professionals on LinkedIn who could have access to Facebook business accounts. This typically includes “digital media” and “digital marketing” roles. 
  • The conversations with the target consist of using social engineering and deception to lure them into downloading a file on a legitimate hosting cloud hosting service.
  • The malware scans for browser cookies on Edge, Firefox, Chrome, and Brave; gathers system information; and targets Facebook credentials.
  • Ultimately, the malware runs through several Facebook pages to collect access tokens to use them for unhindered endpoint interaction.

Why this matters

Not only does the malware pilfer information from Facebook accounts, it hijacks them by adding the hacker’s email address to the compromised Facebook Business account. When adding the user, the malware adds permissions enabling the hacker to take complete control over the account. The threat actors leverage these privileges to replace the financial details so the payments could be directed to their accounts. 

Latest attacks on social media

  • Social media is a lucrative platform for cybercriminals, as displayed by the 105% rise in attacks since last year. 
  • Since early 2022, Turkish threat actor TA482 has been targeting the social media accounts of U.S.-based journalists and media organizations. 
  • The Axie Infinity hack was conducted by the North Korean Lazarus APT who used fake LinkedIn job offers to steal $625 million. 

The bottom line

Researchers believe that the Ducktail operators only want financial gain from their endeavors. The group has a narrow targeting scope and chooses its victims carefully, attempting to find people with admin privileges on their employers’ social media accounts. The threat actor has, furthermore, made several upgrades to the malware to improve its detection evasion capabilities.
Cyware Publisher