A new version of the Ducktail malware is being used in phishing attacks to steal data and take over Facebook accounts.
As reported by BleepingComputer, this new campaign uses an updated version of Ducktail written in PHP, replacing the older .NET Core version that was used to target Facebook Business users over the summer.
In addition to your Facebook account and the data it contains, the Ducktail malware can steal other sensitive information stored in your browser like the credentials to your online accounts and even funds from some of the best crypto wallets.
Ducktail malware returns to target regular Facebook users
While the original Ducktail malware campaign was primarily used to target individuals and organizations using Facebook’s Ads and Business platform through social engineering on LinkedIn, this new campaign has a much larger scope and includes regular Facebook users in addition to Facebook Business users.
If the account in question turns out to be a business account instead of an ordinary one, Ducktail collects additional information about a victim’s payment methods, cycles, amounts spent, PayPal address and more.
In a blog post, the cloud security company Zscaler provides further insight on how this new campaign differs from the previous one, saying:
“It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancements in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information, targeting users at large. Zscaler’s ThreatLabz team is continuously monitoring the campaign and will bring to light any new findings that it comes across.”
To infect your computer and steal your Facebook account, the cybercriminals behind this new Ducktail malware campaign use a number of fake lures to trick users into downloading malicious ZIP files. These malicious files pose as cracked or free versions of Microsoft Office and other software, games, subtitle files, adult content and more.
If a user does happen to unzip one of these ZIP files, the Ducktail infostealer malware is installed in the background while they see a pop-up which reads “Checking Application Compatibility.” This malware is particularly dangerous because it achieves persistence and remains on a victim’s machine by adding scheduled tasks that are executed daily at regular intervals.
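The persistence mechanism described above, a scheduled task that relaunches the stealer every day, is also something a defender can look for. The following is an added example and is not code from the article or from Zscaler: a Python triage script that reads an exported task list in the column layout of `schtasks /query /fo CSV /v` (only a subset of that command's verbose columns is kept, which is an assumption of this example) and flags tasks that launch a binary from a user-writable directory, noting whether they run daily and whether they were created by an interactive user account rather than a software vendor. The task names, paths and author values in the sample are constructed for the example and are not indicators from this campaign.

```python
import csv
import io
import re

# Constructed sample in the column layout of `schtasks /query /fo CSV /v`.
# Only a subset of the verbose columns is kept; every task, path and author
# below is made up for this example and is not an indicator from the article.
SAMPLE_CSV = r'''"TaskName","Author","Task To Run","Schedule Type","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$","Weekly","SYSTEM"
"\OfficeUpdateCheck","DESKTOP-EXAMPLE\user","C:\Users\user\AppData\Local\Temp\update\chk.exe","Daily","user"
"\GoogleUpdateTaskMachineUA","Google Inc.","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua","Daily","SYSTEM"
"\AppCompat","DESKTOP-EXAMPLE\user","C:\ProgramData\compat\svc.exe --quiet","Daily","user"
'''

# Directories an ordinary (non-admin) user can write to. A scheduled task whose
# binary lives here is not proof of compromise, but it is where triage starts,
# because vendor-installed tasks normally run from Program Files or Windows.
USER_WRITABLE = re.compile(
    r"^(C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)"
    r"|C:\\ProgramData"
    r"|C:\\Windows\\Temp"
    r"|%TEMP%|%APPDATA%|%LOCALAPPDATA%)",
    re.IGNORECASE,
)


def triage_tasks(csv_text):
    """Return the tasks whose command runs from a user-writable directory,
    each with the list of reasons that make it worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row["Task To Run"].strip()
        reasons = []
        if USER_WRITABLE.match(command):
            reasons.append("binary in user-writable directory")
        if row["Schedule Type"].strip().lower() == "daily":
            # Matches the daily re-execution the article describes.
            reasons.append("daily schedule")
        if "\\" in row["Author"]:
            # A DOMAIN\user author means a person (or malware running as that
            # person) registered the task, not an installer from a vendor.
            reasons.append("authored by an interactive user account")
        # Only the user-writable location is treated as the trigger; the other
        # two reasons are context that raises or lowers the priority.
        if reasons and reasons[0] == "binary in user-writable directory":
            findings.append(
                {"task": row["TaskName"], "command": command, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    # On a live host the input would come from:  schtasks /query /fo CSV /v > tasks.csv
    for finding in triage_tasks(SAMPLE_CSV):
        print(finding["task"], "->", finding["command"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run against a real export, the script is a first pass, not a verdict: a legitimate portable application can also schedule itself from AppData, so each hit should be confirmed by checking the binary's signature and hash before anything is removed.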
While the data exfiltrated from a victim’s computer used to be sent to Telegram, it is now stored on a JSON website controlled by the cybercriminals behind this new campaign.
How to protect yourself from Ducktail and other dangerous malware
As is often the case with other malware strains, you can protect yourself from this new version of the Ducktail malware by not downloading pirated software or games. This also includes game mods and cheats designed to give you an edge on the competition.
At the same time, you should remain vigilant when receiving new messages on LinkedIn and avoid downloading files from sites or people you don’t know. Installing one of the best antivirus software suites can also help keep you protected, as these programs can flag malware as dangerous before it is even installed on your system.
When it comes to protecting your credentials, you want to avoid storing your passwords inside your browser and use one of the best password managers instead. Besides storing your credentials securely, most password managers also allow you to create strong, complex passwords for each of your online accounts.
As phishing campaigns using the Ducktail malware have been quite successful and profitable for the cybercriminals who created it, expect to see even more campaigns targeting users online in novel ways.