Ducktail infostealer targets Facebook Business users

July 26, 2022

Employees with access to their organisation’s Facebook Business accounts should be on guard against hijacking attempts by a newly uncovered threat actor, dubbed Ducktail, according to research released today by WithSecure (formerly F-Secure).

WithSecure has been tracking Ducktail for some time and believes the group has been actively developing and distributing its malware for almost a year. The financially motivated gang appears to be based in Vietnam, and is targeting individuals and organisations operating on Facebook’s Ads and Business platform with spear-phishing emails.

Its modus operandi is to research, on LinkedIn, individuals likely to have access to a Facebook Business account, and then to launch spear-phishing attacks against those likely to hold admin privileges.

“We believe that the Ducktail operators carefully select a small number of targets to increase their chances of success and remain unnoticed,” said Mohammad Kazem Hassan Nejad, a researcher and malware analyst at WithSecure Intelligence. “We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted.

“Many spear-phishing campaigns target users on LinkedIn. If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.”

Ducktail works by using infostealer malware that contains functionality specifically designed to take control of Facebook Business accounts, which may be a world first.

The malware is generally hosted on public cloud file storage services, an increasingly popular delivery method, and is usually delivered as an archive containing the malicious executable alongside related image, document and video files. The file names typically use keywords relevant to brand and product marketing and project planning.

The malware itself is written in .NET Core and compiled using its single-file feature, which bundles dependent libraries and files into one executable. This is not a common technique, and Ducktail likely employs it to make the malware easier to run on all systems, to allow it to use Telegram as its command and control (C2) channel, and to attempt to bypass detection signatures.
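The single-file packaging described above leaves a marker that defenders can look for on disk. The following is an added example, not WithSecure's tooling or anything from the report: it assumes, per the dotnet/runtime apphost source, that a single-file bundle carries an 8-byte little-endian manifest offset immediately followed by the SHA-256 of the ASCII string ".net core bundle", and the images it builds are constructed stand-ins, not real samples.

```python
"""Recognise .NET single-file bundles by the host's own bundle marker."""
import hashlib
import struct

# Assumption (from the dotnet/runtime apphost source): 32-byte signature
# that follows the 8-byte header offset in every .NET apphost.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def find_bundle_header_offset(data: bytes):
    """Return the manifest offset if `data` is a single-file bundle.

    Returns 0 for a normal .NET apphost (marker present, offset zero)
    and None when the marker is absent (not a .NET apphost at all).
    """
    if not data.startswith(b"MZ"):
        return None  # only Windows PE images are considered here
    pos = data.find(BUNDLE_SIGNATURE)
    if pos < 8:
        return None
    (offset,) = struct.unpack_from("<Q", data, pos - 8)
    # The manifest is appended after the apphost, so a real offset
    # must land inside the file and after the marker itself.
    if offset and not (pos + 32 <= offset < len(data)):
        return None
    return offset


def classify(data: bytes) -> str:
    """Map the detection result to a short triage label."""
    offset = find_bundle_header_offset(data)
    if offset is None:
        return "not a .NET apphost"
    if offset == 0:
        return ".NET apphost (framework-dependent, not bundled)"
    return f".NET single-file bundle (manifest at 0x{offset:x})"


def make_sample(bundled: bool) -> bytes:
    """Build a constructed stand-in image for offline testing.

    Not a real PE: just an MZ prefix and the marker at a plausible spot.
    """
    manifest_offset = 0x400 if bundled else 0
    marker = struct.pack("<Q", manifest_offset) + BUNDLE_SIGNATURE
    image = b"MZ" + bytes(0x200) + marker
    if bundled:  # pad so the offset points inside the image
        image += bytes(manifest_offset + 0x40 - len(image))
    return image
```

Run `classify` over the executables extracted from a suspicious archive to flag bundled .NET binaries for closer inspection; the marker is a packaging trait shared with legitimate single-file apps, so it is a triage signal, not a verdict.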

Once on the victim system, Ducktail’s malware steals browser cookies from Google Chrome, Microsoft Edge, Brave Browser and Firefox, and takes advantage of existing authenticated Facebook sessions on the system to steal relevant information from the victim’s Facebook account that it can subsequently use to try to hijack any Facebook Business account to which the victim may have sufficient access. Note that it also attempts to bypass multifactor authentication, if enabled.

Ducktail then attempts to grant the threat actor’s email access to the Facebook Business account using one of two mechanisms. In both cases, this causes Facebook to email a link to the new address which, when interacted with, grants access. This is standard Facebook functionality and is exactly how someone would normally go about granting legitimate access to a colleague, so the platform’s security features do not pick up on it.

With access achieved, Ducktail attempts to grant itself admin and finance editor roles on the Facebook Business account, gaining unrestricted access and the ability to fully take over the victim organisation’s Facebook presence and use it for various purposes, which could include further malware distribution, theft, disinformation and fraud.

WithSecure said it had been unable to determine how successful Ducktail has actually been in getting past Facebook’s security features to take control of the targeted accounts, but the group has been actively developing its infostealer, presumably in an attempt to foil Facebook’s existing protections. WithSecure has shared its research with Facebook’s parent company, Meta.

WithSecure customers using its endpoint security services are already protected against Ducktail, but for users who are not customers, the immediate course of action is to review users added to your Facebook Business account by navigating to Business Manager > Settings > People, and revoking access for all unknown users.

Further technical information on Ducktail, including a list of the email addresses it has been using, MITRE ATT&CK techniques, and indicators of compromise, can be found in WithSecure’s full report.
