A new malware is hijacking high-profile Meta Facebook Business and advertising platform accounts through a phishing campaign that targets LinkedIn accounts.

The malware, dubbed Ducktail, uses browser cookies from authenticated user sessions to take over accounts and steal data, researchers said.

Researchers from WithSecure, formerly F-Secure, discovered the ongoing campaign, which appears to be the work of financially driven Vietnamese threat actors, they wrote in a report published Tuesday. The campaign itself appears to have been active since at least the second half of 2021, while the threat actors behind it may have been on the cybercriminal scene since 2018, researchers said.

“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to,” researchers wrote in a blog post accompanying the report.

Ducktail actors have very specific targets in mind: individuals within companies operating on Facebook’s Business and advertising platform who have high-level access to the account. These include people with managerial, digital marketing, digital media, and human resources roles in targeted companies, researchers said.

“These tactics would increase the adversary’s chances of compromising the respective Facebook Business all the while flying under the radar,” researchers wrote.

To infiltrate accounts, the actors target LinkedIn users with a phishing campaign that lures victims, using keywords related to brands, products and project planning, into downloading an archive file containing the malware executable alongside related images, documents and video files, researchers reported.

Researchers took a deep dive into the novel malware, which in its latest samples is written exclusively in .NET Core and compiled with its single-file feature, something “not commonly seen in malware,” they noted.

Ducktail operates using six key components once it infects a system. It first creates and checks a mutex to ensure that only a single instance of the malware is running at any given time, researchers said. A data storage component stores and loads stolen data in a text file in a temporary folder, while a browser-scanning component scans installed browsers to identify cookie paths for later theft.

Ducktail also has two components dedicated to stealing information from victims: a general one that steals non-Facebook-related information, and another that steals information specifically related to Facebook Business and advertising accounts and hijacks those accounts, researchers said.

The general information-stealing component scans an infected machine for Google Chrome, Microsoft Edge, Brave Browser or Firefox and, for each one it finds, extracts all stored cookies, including any Facebook session cookie. The component dedicated to extracting data from Facebook Business/Ads accounts then interacts directly with various Facebook endpoints, either direct Facebook pages or API endpoints, from the victim’s machine using the stolen Facebook session cookie, researchers said.
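The single-file .NET Core packaging the researchers flagged as unusual is something a defender can check for directly. The following is an added example, not code from the article or from WithSecure: it locates the bundle marker that the .NET apphost embeds. The layout it assumes comes from the dotnet runtime's bundle marker: a 32-byte placeholder equal to SHA-256 of the string ".net core bundle", preceded by 8 bytes that hold the little-endian offset of the bundle manifest header when, and only when, the app was published as a single file. The sample blobs are constructed stand-ins, not real executables.

```python
"""Flag .NET single-file bundles by locating the marker the .NET apphost embeds.

Added example, not the article's or WithSecure's code. Assumed layout (from the
dotnet runtime's bundle marker): 8-byte little-endian manifest header offset,
immediately followed by SHA-256(".net core bundle"). A plain, unbundled apphost
still carries the 32-byte signature, but with the offset left at zero.
"""
import hashlib
import struct
from typing import Optional

# The runtime hard-codes this digest in the apphost; computing it avoids
# copying 32 magic bytes by hand.
BUNDLE_MARKER = hashlib.sha256(b".net core bundle").digest()


def bundle_header_offset(data: bytes) -> Optional[int]:
    """Return the manifest header offset of a .NET single-file bundle,
    0 for an unbundled apphost, or None when the marker is absent."""
    idx = data.find(BUNDLE_MARKER)
    if idx < 8:  # not found (-1) or found too early to read the offset field
        return None
    (offset,) = struct.unpack_from("<Q", data, idx - 8)
    return offset


def classify(data: bytes) -> str:
    """Human-readable triage verdict for one file image."""
    offset = bundle_header_offset(data)
    if offset is None:
        return "no .NET apphost marker"
    if offset == 0:
        return "apphost, not a single-file bundle"
    if offset >= len(data):
        return "marker present but header offset out of range (corrupt or tampered)"
    return f"single-file bundle, manifest header at 0x{offset:x}"


def make_sample(header_offset: int) -> bytes:
    """Constructed stand-in for an apphost: MZ stub, padding, the 8-byte
    offset field, then the 32-byte marker. Not a valid PE file."""
    body = bytearray(b"MZ" + b"\x00" * 0x200)
    body += struct.pack("<Q", header_offset) + BUNDLE_MARKER
    body += b"\x00" * 0x100
    return bytes(body)


if __name__ == "__main__":
    samples = [
        ("bundled", make_sample(0x2A0)),
        ("plain apphost", make_sample(0)),
        ("unrelated file", b"MZ" + b"\x90" * 64),
    ]
    for name, blob in samples:
        print(f"{name}: {classify(blob)}")
```

Legitimate single-file .NET applications trip the same check, so treat a hit as a triage signal to pair with the other indicators (delivery via an archive alongside decoy documents, reads of browser cookie stores), not as a verdict on its own.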
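The cookie theft described above leaves a detectable footprint: a process that is not the browser reads the browser's cookie database. The following is an added example, not code from the article or from WithSecure, showing detection logic a SOC could run over file-access telemetry. It assumes the events have already been normalised to (process image, file path) pairs, for instance from Sysmon or EDR file-read events, and it assumes the default Windows profile locations for the four browsers the article names (including Chromium's Local State file, which holds the key needed to decrypt those cookies). The sample events are constructed for the demonstration; the lure filename is made up and is not a Ducktail indicator.

```python
"""Flag non-browser processes reading browser cookie stores.

Added example, not the article's or WithSecure's code. Assumes (process, path)
file-read telemetry and default Windows profile paths for Chrome, Edge, Brave
and Firefox. Sample events below are constructed.
"""
import fnmatch
import ntpath
from typing import Iterable, List, Optional, Tuple

# Owning browser image -> glob patterns (matched case-insensitively on
# backslash-normalised paths). fnmatch's '*' also spans path separators, so
# one pattern covers both the old 'Default\Cookies' and the newer
# 'Default\Network\Cookies' Chromium locations.
COOKIE_STORES = {
    "chrome.exe": [r"*\google\chrome\user data\*\cookies",
                   r"*\google\chrome\user data\local state"],
    "msedge.exe": [r"*\microsoft\edge\user data\*\cookies",
                   r"*\microsoft\edge\user data\local state"],
    "brave.exe": [r"*\bravesoftware\brave-browser\user data\*\cookies",
                  r"*\bravesoftware\brave-browser\user data\local state"],
    "firefox.exe": [r"*\mozilla\firefox\profiles\*\cookies.sqlite"],
}


def owning_browser(path: str) -> Optional[str]:
    """Return the browser image that legitimately owns this file, or None."""
    normalised = path.replace("/", "\\").lower()
    for image, patterns in COOKIE_STORES.items():
        if any(fnmatch.fnmatchcase(normalised, pat) for pat in patterns):
            return image
    return None


def suspicious_cookie_access(
    events: Iterable[Tuple[str, str]]
) -> List[Tuple[str, str, str]]:
    """Return (process, path, owning_browser) for each read of a cookie store
    by a process whose image name is not that browser."""
    hits = []
    for process, path in events:
        owner = owning_browser(path)
        if owner is None:
            continue
        if ntpath.basename(process).lower() == owner:
            continue  # the browser reading its own store is normal
        hits.append((process, path, owner))
    return hits


# Constructed telemetry: the browsers touching their own stores, an unrelated
# system read, and a made-up executable extracted from a downloaded archive
# sweeping Chrome and Firefox cookies the way the article describes.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (r"C:\Users\jdoe\Downloads\extracted\lure.exe",
     r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (r"C:\Users\jdoe\Downloads\extracted\lure.exe",
     r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Local State"),
    (r"C:\Users\jdoe\Downloads\extracted\lure.exe",
     r"C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\config\SOFTWARE"),
]

if __name__ == "__main__":
    for process, path, owner in suspicious_cookie_access(SAMPLE_EVENTS):
        print(f"ALERT {process} read {owner} store: {path}")
```

In production this needs an allowlist for backup agents and other tooling that legitimately copies profile directories, and the image-name comparison should be backed by signer or hash checks, since a stealer can simply name itself chrome.exe.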