Vietnamese Threat Actors Target Marketing Professionals in India
Ducktail Stealer Malware Goes After Facebook Business Accounts
Vietnamese threat actors known for their involvement in the Ducktail stealer malware have been linked to a new campaign targeting marketing professionals in India. The campaign, which ran between March and early October 2023, aims to hijack Facebook business accounts, according to a report published by Kaspersky.
One notable feature of this campaign is the use of Delphi as the programming language, unlike previous campaigns that relied on .NET applications. Ducktail, along with Duckport and NodeStealer, is part of a cybercrime ecosystem operated by Vietnamese hackers. These attackers primarily use sponsored ads on Facebook to propagate malicious content and deploy malware capable of stealing victims' login cookies and gaining control of their accounts.
The main targets of these attacks are users with access to a Facebook Business account. Once unauthorized access is gained, the fraudsters use it to place advertisements for financial gain, further spreading the infections.
In the campaign documented by Kaspersky, potential victims looking for job opportunities receive archive files containing a malicious executable disguised as a PDF file. The intention is to trick them into launching the binary.
Upon execution, the malicious file saves a PowerShell script named param.ps1 and a decoy PDF document locally to the "C:\Users\Public" folder in Windows. The script then utilizes the default PDF viewer on the device to open the decoy, pausing for five minutes before terminating the Chrome browser process.
Furthermore, the parent executable downloads and launches a rogue library named libEGL.dll, which scans specific folders for shortcuts (LNK files) to a Chromium-based browser. This indicates that the attackers are targeting users who frequently use such browsers.
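The two behaviours described above (a PowerShell script and decoy dropped into C:\Users\Public, and a library named libEGL.dll loaded from an unexpected location) are the kind of thing a defender can hunt for in endpoint telemetry. The following is an added example written for this page, not code from Kaspersky's report or from the malware: it runs simple checks over constructed Sysmon-style event records. The event field names and all sample events are constructed for illustration. One caveat the checks encode: libEGL.dll is also the name of a legitimate ANGLE graphics library that ships with Chromium-based browsers and other software, so the load is only flagged when the file comes from a user-writable path rather than a trusted install root.

```python
"""Hunting logic modelled on the Ducktail behaviours described above.

Event shapes (``event``, ``image``, ``target``, ``loaded``, ``command_line``)
and the sample data are constructed for this example; map them onto your
own EDR or Sysmon export before use.
"""
from __future__ import annotations

import ntpath  # Windows path semantics regardless of the host OS

# Folder named in the report as the drop location for param.ps1 and the decoy PDF.
PUBLIC_DIR = r"c:\users\public"

# Roots from which a legitimate libEGL.dll (ANGLE, bundled with Chromium-based
# software) is expected to load. Anything else is treated as suspicious.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

# File types that have no business being written to the Public folder by a
# freshly downloaded executable.
EXECUTABLE_EXTS = {".ps1", ".dll", ".exe"}


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def _under(path: str, root: str) -> bool:
    """True if ``path`` lies beneath directory ``root``."""
    return _norm(path).startswith(_norm(root) + "\\")


def check_event(ev: dict) -> list[str]:
    """Return human-readable findings for a single event (empty if benign)."""
    findings: list[str] = []
    kind = ev.get("event")

    if kind == "FileCreate":
        target = ev.get("target", "")
        ext = ntpath.splitext(target)[1].lower()
        if _under(target, PUBLIC_DIR) and ext in EXECUTABLE_EXTS:
            findings.append(f"executable content written to Public folder: {target}")

    elif kind == "ImageLoad":
        loaded = ev.get("loaded", "")
        if ntpath.basename(loaded).lower() == "libegl.dll" and not any(
            _under(loaded, root) for root in TRUSTED_ROOTS
        ):
            findings.append(f"libEGL.dll loaded from untrusted path: {loaded}")

    elif kind == "ProcessCreate":
        image = ntpath.basename(ev.get("image", "")).lower()
        cmd = ev.get("command_line", "").lower()
        # PowerShell executing a script that lives in the Public folder.
        if image in ("powershell.exe", "pwsh.exe") and "\\users\\public\\" in cmd and ".ps1" in cmd:
            findings.append(f"PowerShell running script from Public folder: {ev.get('command_line')}")

    return findings


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run ``check_event`` over a list of events; return (index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry: a downloaded "PDF" executable dropping the
# script and decoy, the script being launched, and both a rogue and a
# legitimate libEGL.dll load.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Users\alice\Downloads\JobDescription.pdf.exe",
     "target": r"C:\Users\Public\param.ps1"},
    {"event": "FileCreate", "image": r"C:\Users\alice\Downloads\JobDescription.pdf.exe",
     "target": r"C:\Users\Public\JobDescription.pdf"},          # decoy: not flagged by itself
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\param.ps1"},
    {"event": "ImageLoad", "image": r"C:\Users\alice\Downloads\JobDescription.pdf.exe",
     "loaded": r"C:\Users\Public\libEGL.dll"},
    {"event": "ImageLoad", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "loaded": r"C:\Program Files\Google\Chrome\Application\120.0\libEGL.dll"},  # legitimate
    {"event": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Public\readme.txt"},                    # benign
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Running the block on the constructed sample flags three of the six events (the script drop, its execution, and the rogue library load) and stays silent on the decoy PDF, the browser's own libEGL.dll and the text file. The decoy PDF alone is deliberately not a signal, because legitimate software writes documents to the Public folder; it is the co-occurrence with the script and library that a hunt should pivot on.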
The motive behind these attacks is clear: financial gain through unauthorized advertisements. By compromising Facebook Business accounts, the hackers can manipulate the platform for their own benefit, perpetuating the infections and potentially causing significant harm to both individuals and businesses.
It is crucial for users to remain vigilant and exercise caution when opening files or clicking on suspicious links. Employing robust cybersecurity measures and keeping software up to date can help prevent falling victim to such attacks.
As cyber threats continue to evolve, it is necessary for individuals and organizations to stay informed about the latest tactics employed by malicious actors. By staying educated and implementing strong security practices, users can better protect themselves and their valuable digital assets from cybercriminals.