Ducktail cyber attackers add WhatsApp to the Facebook Business Attack Chain

A financially motivated attacker targeting individuals and organizations on the Facebook Ads and Business platform has resumed operations after a brief hiatus with a new bag of tricks to hijack accounts and profit from them.

Dubbed Ducktail, the Vietnam-based threat campaign has been active since at least May 2021 and has affected users with Facebook business accounts in the United States and more than three dozen other countries. WithSecure (formerly F-Secure) security researchers tracking Ducktail have determined that the attacker’s main goal is to deceptively serve ads through Facebook business accounts that they gain control of.

Evolving Tactics

WithSecure discovered Ducktail’s activities earlier this year and published details of its tactics and techniques in a blog post in July. The disclosure forced Ducktail’s operators to temporarily suspend operations while they devised new methods to continue their campaign.

In September, Ducktail reappeared with changes to how it works and its detection bypass mechanisms. Far from slowing down, the group appears to have expanded its activities and added several partner groups to its campaign, WithSecure said in a Nov. 22 report.

In addition to using LinkedIn as an attack surface for spear phishing targets, as has been the case in previous campaigns, the Ducktail group has now started using WhatsApp to target users as well. The group has also tweaked the abilities of their primary information thief, introducing a new file format for it to evade detection. Over the past two or three months, Ducktail has also registered several fraudulent companies in Vietnam, apparently as a cover for obtaining digital certificates to sign its malware.

“We believe that the ducktail operation uses access to hijacked business accounts solely to make money by publishing deceptive ads,” says Mohammad Kazem Hassan Nejad, a researcher at WithSecure Intelligence.

In situations where the attacker gains access to the financial editor role on a compromised Facebook business account, they also have the ability to alter business credit card information and financial details such as transactions, bills, account spending, and payment methods, Nejad says. This would allow the attacker to add more businesses to the credit card and monthly bills and use the linked payment methods to serve ads.

“The hijacked business could therefore be used for purposes such as advertising, fraud or even spreading disinformation,” says Nejad. “The attacker could also use their newfound access to blackmail a company by locking it out from their own site.”

Targeted Attacks

Ducktail operators’ tactic is to first identify organizations that have a Facebook Business or Ads account and then target individuals within those organizations who they believe have high-level access to the account. Individuals typically targeted by the group include individuals with managerial positions or roles in digital marketing, digital media, and human resources.

The attack chain starts with the attacker sending the attacked person a spear phishing bait via LinkedIn or WhatsApp. Users who fall for the bait end up having Ducktail’s information thief installed on their systems. The malware can perform multiple functions including extracting all saved browser cookies and Facebook session cookies from victim computer, specific registration data, Facebook security token and Facebook account information.

The malware steals a wide range of information about all companies associated with Facebook account including name, verification statistics, ad spend limits, roles, invite link, client ID, ad account permissions, allowed tasks and access status. The malware collects similar information about all advertising accounts linked to the compromised Facebook account.

The information thief can “steal information from the victim’s Facebook account and hijack any Facebook business account the victim has sufficient access to by adding attacker-controlled email addresses with admin privileges and financial editor roles to the business account,” says Nejad. Adding an email address to a Facebook business account causes Facebook to email a link to that address – which in this case is controlled by the attacker. According to WithSecure, the attacker uses this link to gain access to the account.

Threat actors with admin access to a victim’s Facebook account can do a lot of damage, including full control over the business account; view and change settings, people, and account details; and even delete the company profile entirely, says Nejad. When a targeted victim may not have sufficient access to allow the malware to add the attacker’s email addresses, the attacker relied on the information exfiltrated from victims’ computers and Facebook accounts to infiltrate themselves than to spend them.

Develop smarter malware

Nejad says previous versions of Ducktail’s information thief contained a hard-coded list of email addresses intended to be used to hijack business accounts.

“However, in the most recent campaign, we observed that the threat actor removes this functionality and relies entirely on fetching email addresses directly from its command and control (C2) channel,” hosted on Telegram, says the researcher. On launch, the malware connects to the C2 and waits a period of time to get a list of attacker-controlled email addresses to proceed, he adds.

The report lists several steps organizations can take to mitigate the risk of Ducktail-style attack campaigns, starting with raising awareness of spear phishing scams targeting users with access to Facebook business accounts.

Organizations should also enforce whitelisting of applications to prevent unknown executables from running, ensure that any managed or personal devices used with Facebook company accounts have basic sanitation and protections, and use private browsing to authenticate each work session when accessing Facebook Business accounts.


Leave a Reply

Your email address will not be published. Required fields are marked *