A suspected Vietnam-based group of attackers specializing in targeting employees with potential access to Facebook business and ad management accounts has reemerged with changes to its infrastructure, malware, and modus operandi after first being outed a few months ago.
The group, dubbed DUCKTAIL by researchers at WithSecure, uses spear phishing to target people on LinkedIn who have job descriptions that might indicate they have access to Facebook business account management. More recently, the attackers have also been observed targeting victims via WhatsApp. The compromised Facebook business accounts are used to run ads on the platform for the financial benefit of the attackers.
DUCKTAIL attackers do their reconnaissance
Account abuse occurs through a victim’s browser by a malware program delivered under the guise of brand, product, and project planning documents. The attackers first create a list of companies that have business pages on Facebook. They then search LinkedIn and other sources for employees who work for those companies and have job titles that could get them access to those company pages. This includes management, digital marketing, digital media and human resources functions.
The final step is to send them a link with an archive containing the malware disguised as a PDF, along with images and videos that appear to be part of the same project. Some of the filenames the researchers saw include Project “Development Plan”, “Project Information”, “Products” and “New Project L’Oréal Budget Business Plan”. Some of the files contained country names, suggesting the attackers customize them for each victim and country based on their intelligence. The identified victims were spread all over the world, so the attackers are not targeting a specific region.
DUCKTAIL Group is believed to have been running this campaign since the second half of 2021. After WithSecure uncovered their operation in August of this year, the operation was shut down and the attackers overhauled some of their tools.
Attackers switch to GlobalSign as a certificate authority
Malware samples analyzed earlier this year were digitally signed using a legitimate code signing certificate obtained from Sectigo on behalf of a Vietnamese company. After this certificate was reported and revoked, the attackers switched to GlobalSign as their certificate authority. While they continued to request certificates from multiple CAs on behalf of the original company, they also set up six other companies, all Vietnamese, and obtained code signing certificates for three of them. Code signing certificates require Extended Validation (EV), which involves verifying the applicant's identity through various documents.
“As of this writing, the threat actor has adapted to certificate revocations by using timestamps as a countersigning method via DigiCert,” WithSecure researchers said in a new report released this week.
The DUCKTAIL malware samples seen in late 2021 were written in .NET Core and compiled using the framework’s single-file feature, which bundles all required libraries and files into a single executable, including the main assembly. This ensures that the malware can run on any Windows computer, regardless of whether the .NET runtime environment is installed or not. Since August 2022, when the campaign was discontinued, WithSecure researchers observed several development examples of DUCKTAIL uploaded to VirusTotal from Vietnam.
One of the samples was compiled with .NET 7’s NativeAOT, which provides functionality similar to .NET Core’s single file feature, allowing binaries to be precompiled natively. However, NativeAOT has limited support for third-party libraries, so the attackers resorted to .NET Core.
The bad actors have experimented
Other experiments have also been observed, such as the inclusion of anti-analysis code from a GitHub project that was never actually activated; the ability to fetch a list of email addresses as a .txt file from the command-and-control server instead of hardcoding them into the malware; and launching a decoy file when the malware is run to make the user less suspicious. Document (.docx), spreadsheet (.xlsx) and video (.mp4) decoy files were observed.
The attackers are also testing multi-stage loaders to deliver the malware, such as an Excel add-in file (.xll) that extracts a secondary loader from an encrypted blob, which in turn downloads the infostealer. Researchers also identified a downloader written in .NET that they associate with high confidence with DUCKTAIL; it runs a PowerShell command that downloads the infostealer from Discord.
The infostealer malware uses Telegram channels for command and control. The attackers have been better at locking down these channels since they were outed in August, and some channels now have multiple admins, which could indicate they are running an affiliate program similar to ransomware gangs. “This is further amplified by the increased chat activity and the new file encryption mechanism, which ensures that only specific users can decrypt specific exfiltrated files,” the researchers say.
Once deployed, the DUCKTAIL malware scans for browsers installed on the system and the path to their cookie store. It then steals all stored cookies, including any Facebook session cookies among them. A session cookie is a small identifier that a website sets in the browser after authentication has completed successfully, so that the user stays logged in for a specific period of time.
The malware uses the Facebook session cookie to interact directly with Facebook pages or to send requests to the Facebook Graph API to gather information. This information includes name, email, birthday, and user ID for personal accounts; name, verification status, ad limit, pending users and customers of Facebook business pages that the personal accounts have access to; and name, ID, account status, ad pay cycle, currency, Adtrust DSL, and amount spent for all linked Facebook ad accounts.
The malware also checks whether the hijacked accounts have two-factor authentication enabled and, if so, uses the active session to obtain backup codes for 2FA. “Information stolen from the victim’s computer also allows the attacker to attempt these activities (as well as other malicious activities) from outside the victim’s computer,” the researchers said. “Information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address and geolocation, and general account information (such as name and birthday) could be used to masquerade as and impersonate the victim.”
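Because a stolen session cookie is a bearer credential, and DUCKTAIL also collects the victim's user agent, IP address and geolocation to mimic them, a server-side check that only compares user agents will miss the replay. The following added example (not code from the article or the WithSecure report) runs a fingerprint comparison over constructed session-activity log lines and flags a cookie reused from a new country shortly after legitimate use, even though the user agent was cloned; the log format and thresholds are assumptions.

```python
"""Flag replay of a stolen browser session cookie in session-activity logs."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format): one session used legitimately from DE,
# then the same cookie replayed from VN with a copied user agent; a second,
# unrelated session is included as a control.
SAMPLE_LOG = """\
2022-11-22T08:00:00Z sess=a1b2c3 ip=203.0.113.10 cc=DE ua=Mozilla/5.0-Win10-Chrome107
2022-11-22T08:05:00Z sess=a1b2c3 ip=203.0.113.10 cc=DE ua=Mozilla/5.0-Win10-Chrome107
2022-11-22T08:30:00Z sess=a1b2c3 ip=198.51.100.7 cc=VN ua=Mozilla/5.0-Win10-Chrome107
2022-11-22T09:00:00Z sess=d4e5f6 ip=192.0.2.44 cc=US ua=Mozilla/5.0-Mac-Safari16
"""

# A country change faster than this is treated as cookie replay, not travel.
MAX_TRAVEL = timedelta(hours=6)


@dataclass
class Event:
    ts: datetime
    sess: str
    ip: str
    cc: str
    ua: str


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        ts_str, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, fields["sess"], fields["ip"], fields["cc"], fields["ua"]))
    return events


def find_replayed_sessions(events):
    """Compare every request with the session's first-seen fingerprint.

    Returns (session_id, offending_ip, reason) tuples. The user-agent test alone
    is not enough: the replay in SAMPLE_LOG is caught only by the origin change.
    """
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        base = first_seen.setdefault(ev.sess, ev)
        reasons = []
        if ev.ua != base.ua:
            reasons.append("user-agent changed")
        if ev.cc != base.cc and ev.ts - base.ts < MAX_TRAVEL:
            reasons.append(f"country {base.cc}->{ev.cc} within {ev.ts - base.ts}")
        if reasons:
            alerts.append((ev.sess, ev.ip, "; ".join(reasons)))
    return alerts
```

Running `find_replayed_sessions(parse_log(SAMPLE_LOG))` yields a single alert for session `a1b2c3` from `198.51.100.7`; in production the same logic would key on ASN or geolocation data rather than a pre-parsed country code.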
The malware then attempts to add attacker-controlled email addresses to the hijacked Facebook business accounts with the highest possible roles: Administrator and Financial Editor. According to Facebook owner Meta’s documentation, admins have full control over the account, while financial editors have control over the credit card information stored in the account, as well as transactions, bills, and expenses for the account. They can also add external companies to saved credit cards and monthly bills so those companies can use the same payment method.
Impersonate legitimate Account Manager identities
“In cases where the targeted victims did not have sufficient access for the malware to add the attacker’s email addresses to the intended business accounts, the attacker relied on information gleaned from the victims’ computers and Facebook accounts exfiltrated to impersonate them and achieve their post-compromise goals through hands-on activities,” the researchers said in their new report.
In one case investigated by WithSecure’s incident response team, the victim was using an Apple computer and had never previously logged into Facebook from a Windows computer. No malware was found on the system and the initial access vector could not be determined. It’s unclear if this is related to DUCKTAIL, but researchers determined the attackers were also from Vietnam.
Facebook Business admins are advised to periodically review the users added under Business Manager > Settings > People and revoke access to any unknown users who have been granted admin access or financial editor roles.
“During our investigation, the WithSecure Incident Response team determined that business history logs and target individuals’ Facebook data were relevant to the analysis of the incident,” the researchers said. “However, with logs relating to the individual’s Facebook account, there are often inconsistencies between what is visible on the web portal and what you would receive if you downloaded a copy of your data. As a recommendation to other investigators, the WithSecure Incident Response team strongly recommends making a local copy of business history logs and requesting a copy of user data for their account as soon as possible.”
Copyright © 2022 IDG Communications, Inc.