Ducktail

Malware updated 7 months ago (2024-05-04T16:24:07.156Z)

Download STIX

Preview STIX

"Ducktail" is a malicious software (malware) first observed in 2022, specifically designed to target Facebook business accounts. The malware was discovered by Zscaler, a leading cybersecurity firm, and it's suspected to originate from threat actors based in Vietnam. Ducktail not only infiltrates systems but also has the capability to automatically create and publish fraudulent ad campaigns. Furthermore, if Ducktail locates a Facebook Business account session cookie, it attempts to add the attacker to the account as an administrator. The use of Ducktail for cyber-attacks became more pronounced in July when threat actors began infecting devices of individuals and employees with access to Facebook Business accounts. Notably, these attacks were not limited to Ducktail; other malware samples like DarkGate, Lobshot, and Redline were used in these campaigns. The same threat actors are believed to be behind NodeStealer, another malware that targets Facebook business accounts for advertising fraud and spreading malware to other users on the social media platform. The emergence of Ducktail and similar malwares signifies a growing trend of Vietnamese threat actors exploiting social media platforms for cybercrime. In fact, this trend has escalated to the point where DarkGate is now sold as Malware-as-a-Service (MaaS) on various cybercrime forums. Cybersecurity firms such as WithSecure and Sekoia have published detailed reports on these threats, highlighting their automated nature and the increasing sophistication of contemporary malware.

Description last updated: 2024-05-04T16:23:36.107Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Facebook

Malware

Infostealer

Meta

Cybercrime

Chrome

Phishing

Kaspersky

Fraud

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Darkgate Malware is associated with Ducktail. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio	Unspecified	5
The nodestealer Malware is associated with Ducktail. NodeStealer, a novel malware family first identified by Meta's security team in January 2023, is designed to exploit Meta's ad network on Facebook and poses a significant threat to user privacy and security. This malicious software operates as an info-stealer capable of hijacking browser cookies and	Unspecified	5
The Redline Malware is associated with Ducktail. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actor	Unspecified	2
The Lobshot Malware is associated with Ducktail. Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded in	Unspecified	2
The Redline Stealer Malware is associated with Ducktail. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s	Unspecified	2

Source Document References

Information about the Ducktail Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	Vietnamese Hackers Hit Digital Marketers With Info Stealers
CERT-EU	a year ago	New NodeStealer Targeting Facebook Business Accounts and Crypto Wallets
CERT-EU	a year ago	DarkGate Gained Popularity for its Covert Nature and Antivirus Evasion
CERT-EU	a year ago	DarkGate Internals
Secureworks	2 years ago	The Growing Threat from Infostealers
CERT-EU	a year ago	Vietnamese hackers attack UK, US and India with DarkGate malware
CERT-EU	a year ago	Vietnamese threat actors linked to DarkGate malware campaign
CERT-EU	a year ago	Fake Corsair job offers on LinkedIn push DarkGate malware
CERT-EU	a year ago	Vietnamese Hackers Target U.K., U.S., and India with DarkGate Malware
CERT-EU	a year ago	Hackers target US Facebook biz accounts with potent malware cocktail
BankInfoSecurity	a year ago	Vietnamese Hackers Hit Digital Marketers With Infostealers
CERT-EU	a year ago	DarkGate attacks linked to Vietnam-based cyber criminals – Global Security Mag Online
CERT-EU	a year ago	DarkGate Malware Campaigns Linked to Vietnam-Based Cybercriminals
CERT-EU	a year ago	Researchers uncover DarkGate malware's Vietnamese connection - Help Net Security
Checkpoint	a year ago	BYOS - Bundle Your Own Stealer - Check Point Research
CERT-EU	a year ago	Hackers continue to distribute malware through hacked verified pages on Facebook
CERT-EU	a year ago	Criminals target businesses with malicious extension for Meta's Ads Manager and accidentally leak stolen accounts
CERT-EU	a year ago	Python versions of stealer malware discovered targeting Facebook business accounts
Securityaffairs	2 years ago	Facebook warns of new information-stealing malware NodeStealer
BankInfoSecurity	a year ago	Vietnamese Hackers Hit Digital Marketers With Info Stealers