New PHP Version of Ducktail Malware Hijacking Facebook Business Accounts

Cyber Security

A PHP version of an information-stealing malware called Ducktail has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler.

“Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.,” Zscaler ThreatLabz researchers Tarun Dewan and Stuti Chaturvedi said.

Ducktail, which emerged on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware primarily designed to hijack Facebook business and advertising accounts.

The financially motivated cybercriminal operation was first documented by Finnish cybersecurity company WithSecure (formerly F-Secure) in late July 2022.

While previous versions of the malware were found to use Telegram as a command-and-control (C2) channel to exfiltrate information, the PHP variant spotted in August 2022 establishes connections to a newly hosted website to store the data in JSON format.

Attack chains observed by Zscaler entail embedding the malware in ZIP archive files hosted on file-sharing services like mediafire[.]com, masquerading as cracked versions of Microsoft Office, games, and porn-related files.

Execution of the installer, in turn, activates a PHP script that ultimately launches the code responsible for stealing and exfiltrating data from web browsers, cryptocurrency wallets, and Facebook Business accounts.

“It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancement in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting users at large,” the researchers said.