"Targeted DUCKTAIL Campaign Uses Info-Stealer to Hijack Facebook Business Accounts"
WithSecure researchers discovered "DUCKTAIL," an ongoing operation that targets individuals and organizations using Facebook's Ads and Business platform. Based on its analysis and data collection, the company is confident that the operation is being carried out by a Vietnamese threat actor. The evidence suggests that the threat actor's motivations are financial. DUCKTAIL's operations make use of an info-stealer malware component with functionality designed specifically to hijack Facebook Business accounts. The info-stealer is designed to steal browser cookies and exploit authenticated Facebook sessions in order to steal information from the victim's Facebook account and, eventually, hijack any Facebook Business account to which the victim has sufficient access. DUCKTAIL has been discovered scouting for and phishing its targets on LinkedIn, where it selects users likely to have high-level access to a Facebook Business account, particularly those with admin privileges. According to the researchers, DUCKTAIL operators carefully select a small number of targets to increase their chances of success while remaining undetected. Individuals in managerial, digital marketing, digital media, and human resources roles in businesses have been targeted. WithSecure began tracking and analyzing the operation after it was discovered as unknown malware earlier this year, and found that the threat actor had been developing and distributing the DUCKTAIL-linked malware since the second half of 2021. Since then, the DUCKTAIL operation has continued to update and distribute the malware in an attempt to improve its ability to circumvent existing or new Facebook security features, as well as other implemented features. This article continues to discuss the new DUCKTAIL info-stealer and the growing popularity of social networks and media platforms among cybercriminals.