Vietnamese Hackers Using New Delphi-Powered Malware to Target Indian Marketers

The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with the aim of hijacking Facebook business accounts.

Ducktail, alongside Duckport and NodeStealer, is part of a cybercrime ecosystem operating out of Vietnam. The attackers primarily use sponsored Facebook ads to spread malicious content and deploy malware that steals victims' login cookies, ultimately taking control of their accounts.

In the campaign documented by the Russian cybersecurity firm, potential targets looking for a career change are sent archive files containing a malicious executable that’s disguised with a PDF icon to trick them into launching the binary.

Launching the binary causes it to write a PowerShell script named param.ps1 and a decoy PDF document to the “C:\Users\Public” folder on the Windows host.
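The drop pattern described above (a disguised executable writing a PowerShell script and a decoy PDF into C:\Users\Public) can be hunted for in endpoint file-creation telemetry. The following is an added example, not code from the article or from any vendor; it assumes a simplified pipe-separated record format (event id, writing process, file written) modelled on Sysmon FileCreate events, and treats a double extension such as ".pdf.exe" as the masquerading indicator, which is an assumption since the article only mentions a PDF icon.

```python
"""Flag processes that look like a disguised executable dropping a script to C:\\Users\\Public."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample records (event id | writing process | file written); not real telemetry.
SAMPLE_EVENTS = """\
11|C:\\Users\\alice\\AppData\\Local\\Temp\\extracted\\JobOffer.pdf.exe|C:\\Users\\Public\\param.ps1
11|C:\\Users\\alice\\AppData\\Local\\Temp\\extracted\\JobOffer.pdf.exe|C:\\Users\\Public\\JobOffer.pdf
11|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\Temp\\update.log
11|C:\\Program Files\\Notepad++\\notepad++.exe|C:\\Users\\alice\\Documents\\notes.ps1
"""

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
SCRIPT_EXTS = {".ps1", ".bat", ".vbs", ".js"}
PUBLIC_DIR = [p.lower() for p in PureWindowsPath("C:/Users/Public").parts]


def parse_events(text):
    """Yield (image, target) path pairs for FileCreate (event id 11) records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, image, target = line.split("|", 2)
        if event_id == "11":
            yield PureWindowsPath(image), PureWindowsPath(target)


def masquerades_as_document(path):
    """True for names like 'JobOffer.pdf.exe': a document extension hidden before .exe (assumed indicator)."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in DOC_EXTS


def in_public(path):
    """Case-insensitive check that the path sits under C:\\Users\\Public."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return parts[:len(PUBLIC_DIR)] == PUBLIC_DIR


def find_drop_pattern(text):
    """Return {process: sorted reasons} for processes that dropped a script into the Public folder."""
    per_image = defaultdict(set)
    for image, target in parse_events(text):
        if masquerades_as_document(image):
            per_image[str(image)].add("exe-with-document-extension")
        if in_public(target) and target.suffix.lower() in SCRIPT_EXTS:
            per_image[str(image)].add("script-dropped-to-public")
        if in_public(target) and target.suffix.lower() in DOC_EXTS:
            per_image[str(image)].add("decoy-document-in-public")
    # Report only processes that actually wrote a script to Public; the other reasons corroborate.
    return {img: sorted(r) for img, r in per_image.items() if "script-dropped-to-public" in r}
```

On the constructed sample, only the JobOffer.pdf.exe process is reported, carrying all three reasons; the legitimate editor writing a .ps1 to a user's Documents folder is not.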

Delphi-Powered Malware

The findings underscore a strategic shift in Ducktail’s attack techniques and come as Google filed a lawsuit against three unknown individuals in India and Vietnam for capitalizing on the public’s interest in generative AI tools such as Bard to spread malware via Facebook and pilfer social media login credentials.

Earlier this May, Meta said it observed threat actors creating deceptive browser extensions available in official web stores that claim to offer ChatGPT-related tools and that it detected and blocked over 1,000 unique URLs from being shared across its services.