"New DuckLogs Malware Service Claims Having Thousands of 'Customers'"

A new Malware-as-a-Service (MaaS) operation called 'DuckLogs' is providing low-skilled attackers with easy access to multiple modules for data theft, keystroke logging, clipboard data access, and remote access to the compromised host. DuckLogs is completely web-based and claims that thousands of cybercriminals have paid for a subscription to generate and launch over 4,000 malware builds. Some customers appear to receive additional services from the operators, such as assistance in distributing the payload, a tool for dropping files, and an extension changer. According to the web panel, over 2,000 cybercriminals are using the malicious platform, and the current victim count exceeds 6,000. DuckLogs primarily consists of an information stealer and a Remote Access Trojan (RAT), but it also includes over 100 individual modules that target specific applications. The RAT component includes functions for retrieving and running files from the command-and-control (C2) server, displaying a crash screen, shutting down, restarting, logging out, or locking the device, and opening URLs in the browser. Other DuckLogs modules include keystroke logging to steal sensitive information, a clipper, and a screenshot tool. According to Cyble researchers, the malware also supports Telegram notifications, encrypted logs and communication, code obfuscation, process hollowing to launch payloads in memory, a persistence mechanism, and a Windows User Account Control bypass. The web-based panel is currently available on four clearnet domains and appears to provide powerful payload-building features, including the ability to add modules and functions to the final malware build. This article continues to discuss findings surrounding the new DuckLogs MaaS.

Bleeping Computer reports "New DuckLogs Malware Service Claims Having Thousands of 'Customers'"

Submitted by Anonymous on