A financially motivated threat actor targeting individuals and organizations on Facebook’s Ads and Business platform has resumed operations after a brief hiatus, with a new bag of tricks for hijacking accounts and profiting from them.
The Vietnam-based threat campaign, dubbed Ducktail, has been active since at least May 2021 and has affected users with Facebook business accounts in the United States and more than three dozen other countries. Security researchers from WithSecure (formerly F-Secure) who are tracking Ducktail have assessed that the threat actor’s primary goal is to push out ads fraudulently via Facebook business accounts to which they manage to gain control.
WithSecure spotted Ducktail’s activity earlier this year and disclosed details of its tactics and techniques in a July blog post. The disclosure forced Ducktail’s operators to suspend operations briefly while they devised new methods for continuing with their campaign.
In September, Ducktail resurfaced with changes to the way it operates and to its mechanisms for evading detection. Far from slowing down, the group appears to have expanded its operations, onboarding multiple affiliate groups to its campaign, WithSecure said in a report on Nov. 22.
In addition to using LinkedIn as an avenue for spear-phishing targets, as it did in previous campaigns, the Ducktail group has now begun using WhatsApp for targeting users as well. The group has also tweaked the capabilities of its primary information stealer and has adopted a new file format for it, to evade detection. Over the course of the last two or three months, Ducktail also has registered multiple fraudulent companies in Vietnam, apparently as a cover for obtaining digital certificates for signing its malware.
“We believe the Ducktail operation uses hijacked business account access purely to make money by pushing out fraudulent ads,” says Mohammad Kazem Hassan Nejad, a researcher at WithSecure Intelligence.
In situations where the threat actor gains access to the finance editor role on a compromised Facebook business account, they also have the ability to modify business credit card information and financial details, such as transactions, invoices, account spending, and payment methods, Nejad says. This would allow the threat actor to add other businesses to the credit card and monthly invoices, and use the linked payment methods to run ads.
“The hijacked business could therefore be used for purposes such as advertising, fraud, or even to spread disinformation,” Nejad says. “The threat actor could also use their newfound access to blackmail a company by locking them out of their own page.”
The tactic of Ducktail’s operators is to first identify organizations that have a Facebook Business or Ads account and then target individuals within those companies whom they perceive as having high-level access to the account. Individuals the group has typically targeted include people with managerial roles or roles in digital marketing, digital media, and human resources.
The attack chain starts with the threat actor sending the targeted individual a spear-phishing lure via LinkedIn or WhatsApp. Users who fall for the lure end up having Ducktail’s information stealer installed on their system. The malware can carry out multiple functions, including extracting all stored browser cookies and Facebook session cookies from the victim machine, specific registry data, Facebook security tokens, and Facebook account information.
The malware steals a wide range of information on all businesses associated with the Facebook account, including name, verification stats, ad spending limits, roles, invite link, client ID, ad account permissions, permitted tasks, and access status. The malware collects similar information on any ad accounts associated with the compromised Facebook account.
The information stealer can “steal information from the victim’s Facebook account and hijack any Facebook Business account to which the victim has sufficient access by adding attacker-controlled email addresses into the business account with administrator privileges and finance editor roles,” Nejad says. Adding an email address to a Facebook Business account prompts Facebook to send a link via email to that address — which, in this case, is controlled by the attacker. The threat actor uses that link to gain access to the account, according to WithSecure.
Threat actors with admin access to a victim’s Facebook account can do a lot of damage, including taking full control of the business account; viewing and modifying settings, people, and account details; and even deleting the business profile outright, Nejad says. When a targeted victim might not have sufficient access to allow the malware to add the threat actor’s email addresses, the threat has actor relied on the information exfiltrated from the victims’ machines and Facebook accounts to impersonate them.
Building Smarter Malware
Nejad says that prior versions of Ducktail’s information stealer contained a hard-coded list of email addresses to use for hijacking business accounts.
“However, with the recent campaign, we observed the threat actor removing this functionality and relying entirely on fetching email addresses directly from its command-and-control channel (C2),” hosted on Telegram, the researcher says. Upon launch, the malware establishes a connection to the C2 and waits for a duration of time to receive a list of attacker-controlled email addresses in order to proceed, he adds.
The report lists several steps that organization can take to mitigate exposure to Ducktail-like attack campaigns, beginning with raising awareness of spear-phishing scams targeting users with access to Facebook business accounts.
Organizations should also enforce application whitelisting to prevent unknown executables from running, ensure that all managed or personal devices used with company Facebook accounts have basic hygiene and protection in place, and use private browsing to authenticate each work session when accessing Facebook Business accounts.