Looking for free or cracked installers for legitimate applications, games, subtitle files and the like can be dangerous: the Zscaler ThreatLabz research team recently uncovered attackers using such downloads to distribute malware in the wild.
What do we know?
- The latest campaign distributes a PHP version of the information-stealing malware Ducktail, which exfiltrates sensitive data such as saved browser credentials, Facebook account information, advertising-account details, and more.
- The campaign has been attributed to an unnamed Vietnamese threat actor that targets individuals with admin or finance access to Facebook Business accounts.
- The operators host data in JSON format on a newly set-up website; the malware retrieves it later to carry out its stealing routine on the victim's machine. Once the theft is complete, the same website is used to store the stolen data.
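The fetch-then-exfiltrate pattern described above (a JSON payload pulled from a young domain, followed by a large POST back to that same domain from the same client) is something a defender can look for in proxy logs. The following detection heuristic is an example added to this write-up; it is not Zscaler's code or anything recovered from the malware. The log format, the host and domain names, and the domain-age table are all constructed assumptions for the demo (in practice the ages would come from a WHOIS/RDAP or newly-registered-domain feed).

```python
"""Flag (client, domain) pairs where a client fetched a .json resource from a
recently registered domain and later POSTed a large body to that same domain.
Example detection logic added to this article; not the malware's or Zscaler's code.
"""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (assumed format):
# <ISO timestamp> <client IP> <method> <URL> <bytes transferred>
SAMPLE_LOGS = """\
2022-10-10T09:01:02Z 10.0.0.5 GET https://cdn.example-legit.com/app.json 1200
2022-10-10T09:01:05Z 10.0.0.5 GET https://newsite-abc123.example/cfg.json 2048
2022-10-10T09:03:40Z 10.0.0.5 POST https://newsite-abc123.example/upload 524288
2022-10-10T09:04:00Z 10.0.0.7 GET https://newsite-abc123.example/cfg.json 2048
2022-10-10T09:10:00Z 10.0.0.9 POST https://cdn.example-legit.com/telemetry 300
"""

# Assumed domain registration ages in days; a real deployment would query
# WHOIS/RDAP or a newly-registered-domain feed instead of a static table.
DOMAIN_AGE_DAYS = {
    "cdn.example-legit.com": 3650,
    "newsite-abc123.example": 12,
}


def parse_line(line):
    """Split one log line into a dict with parsed timestamp, host and path."""
    ts, client, method, url, size = line.split()
    parts = url.split("/", 3)            # ["https:", "", host, rest-of-path]
    host = parts[2]
    path = "/" + (parts[3] if len(parts) > 3 else "")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method,
        "host": host,
        "path": path,
        "bytes": int(size),
    }


def find_suspects(logs, domain_age, max_age_days=30, min_post_bytes=100_000):
    """Return sorted (client, host) pairs matching the heuristic:
    GET of a .json path, then a later POST of >= min_post_bytes to the same
    host, where the host's domain is no older than max_age_days.
    Unknown domains are treated as age 0 (i.e. suspicious) on purpose."""
    events = defaultdict(list)
    for line in logs.splitlines():
        if line.strip():
            ev = parse_line(line)
            events[(ev["client"], ev["host"])].append(ev)

    suspects = []
    for (client, host), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        json_fetch = next(
            (e for e in evs if e["method"] == "GET" and e["path"].endswith(".json")),
            None,
        )
        if json_fetch is None:
            continue
        big_post = next(
            (e for e in evs
             if e["method"] == "POST"
             and e["ts"] > json_fetch["ts"]
             and e["bytes"] >= min_post_bytes),
            None,
        )
        if big_post is None:
            continue
        if domain_age.get(host, 0) > max_age_days:
            continue
        suspects.append((client, host))
    return sorted(suspects)


if __name__ == "__main__":
    for client, host in find_suspects(SAMPLE_LOGS, DOMAIN_AGE_DAYS):
        print(f"suspicious: {client} fetched JSON from and posted data to {host}")
```

On the constructed sample only 10.0.0.5 with newsite-abc123.example is flagged: 10.0.0.7 fetched the JSON but never posted anything back, and 10.0.0.9 posted to a long-established domain it never pulled JSON from. The thresholds are tunable knobs, not facts from the report; legitimate software updaters also fetch JSON and post telemetry, so treat a hit as a lead for triage rather than a verdict.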
The financially motivated operation behind the Ducktail malware was first discovered in late July 2022.
- The older version of the malware (written in .NET Core) targeted individuals in managerial, digital marketing, digital media, and human resources roles at companies.
- Previously the group had a narrow targeting scope and chose its victims carefully.
Ducktail operators consistently abuse social media to host, distribute, and execute the various functions used to steal credentials and other key information from victim systems. Moreover, the release of several Ducktail versions in a short span of time shows how actively the operators keep developing the tool. Facebook users must scrutinize activity around their accounts.