Ducktail

Ducktail Stealer

Name: Ducktail

  • Type: Information Stealer
  • Origin: Presumably Vietnam
  • Active Since: Mid-2021, with origins traced back to 2018
  • Primary Target: Facebook Business Accounts
  • Method of Attack:
    • Delivery: Phishing emails carrying malicious archives (T1566.001: Phishing: Spearphishing Attachment); the archive bundles decoy images or videos with an executable whose name and icon imitate a PDF, so the victim launches the stealer believing it is the document.
    • Execution: Rewrites the user's shortcuts to Chromium-based browsers so that the browser starts with a malicious extension loaded (T1176: Browser Extensions); the shortcut modification is carried out with PowerShell (T1059.001: Command and Scripting Interpreter: PowerShell).
  • Capabilities:
    • Steals Facebook session cookies and account details from the victim's browser (T1539: Steal Web Session Cookie) and uses them to take over the victim's Facebook Ads and Business accounts.
    • Circumvents two-factor authentication: because the stolen session cookies are replayed instead of performing a fresh login, the second-factor prompt never fires.
  • Geographical Impact: India, Kazakhstan, Ukraine, Germany, Portugal, Ireland, Greece, Jordan, Pakistan, Vietnam, UAE, USA, Peru, Chile.
  • Motivation: Hijacking Facebook accounts for unauthorized advertising or sale on the black market.
  • MITRE ATT&CK Techniques:
    • T1566.001: Phishing: Spearphishing Attachment
    • T1176: Browser Extensions
    • T1059.001: Command and Scripting Interpreter: PowerShell
    • T1129: Shared Modules
    • T1204.002: User Execution: Malicious File
    • T1539: Steal Web Session Cookie
    • T1583.001: Acquire Infrastructure: Domains
    • T1589: Gather Victim Identity Information
    • T1598.002: Phishing for Information: Spearphishing Attachment
    • T1027: Obfuscated Files or Information
    • T1071.001: Application Layer Protocol: Web Protocols
    • T1132.001: Data Encoding: Standard Encoding
    • T1041: Exfiltration Over C2 Channel

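The shortcut-tampering technique listed under Execution (T1176 / T1059.001) leaves a simple artifact: the browser ends up running with an extension side-loaded from a directory the malware wrote. The following Python script is added here as an example; it is not code from the page's source or from Ducktail samples. It scores process-creation events (Sysmon event ID 1 style fields) and flags Chromium browsers started with Chromium's --load-extension switch; the sample events, file paths, browser list and severity rule are constructed for illustration. The same extension_paths() helper accepts the Arguments string of a .lnk file (PowerShell exposes it via (New-Object -ComObject WScript.Shell).CreateShortcut($path).Arguments), so it can also be run over the shortcuts themselves.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Process images of Chromium-based browsers (assumed list for this example).
CHROMIUM_BROWSERS = {
    "chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe",
}

# Chromium's --load-extension switch takes a comma-separated list of unpacked
# extension directories; the value may be quoted when it contains spaces.
_LOAD_EXT = re.compile(r'--load-extension(?:=|\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Assumption for this example: extension directories under a user profile,
# ProgramData or a temp directory are user-writable and therefore suspicious.
_USER_WRITABLE = re.compile(r'^[a-z]:\\(users|programdata|temp|windows\\temp)\\', re.IGNORECASE)


def extension_paths(arguments: str) -> List[str]:
    """Return every directory passed via --load-extension in a command line or
    in a shortcut's Arguments string (both are plain argument strings)."""
    paths: List[str] = []
    for match in _LOAD_EXT.finditer(arguments):
        value = match.group(1) if match.group(1) is not None else match.group(2)
        paths.extend(p.strip().strip('"') for p in value.split(",") if p.strip())
    return paths


def is_chromium(image: str) -> bool:
    """True if the process image is one of the browsers in CHROMIUM_BROWSERS."""
    return PureWindowsPath(image).name.lower() in CHROMIUM_BROWSERS


def assess(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Score one process-creation event (Sysmon event ID 1 style fields).

    Returns None when the event is not a Chromium browser side-loading an
    extension, otherwise a finding with a heuristic severity.
    """
    if not is_chromium(event["Image"]):
        return None
    paths = extension_paths(event["CommandLine"])
    if not paths:
        return None
    writable = [p for p in paths if _USER_WRITABLE.search(p)]
    # --disable-extensions-except forces only the side-loaded extension to run,
    # which is rare in normal use and common in malicious launches.
    only_this = "--disable-extensions-except" in event["CommandLine"].lower()
    severity = "high" if writable or only_this else "medium"
    return {
        "image": event["Image"],
        "parent": event.get("ParentImage", ""),
        "extensions": paths,
        "severity": severity,
    }


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run assess() over a batch of events and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed sample telemetry for this example (not real Ducktail events).
SAMPLE_EVENTS = [
    {   # browser started from a rewritten shortcut, extension in the user profile
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                       r'--load-extension="C:\Users\alice\AppData\Roaming\cache\ext" '
                       r'https://business.facebook.com/',
    },
    {   # ordinary Chrome launch, nothing to flag
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    },
    {   # not a browser at all, so out of scope for this rule
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\alice\Downloads\Project_Brief.exe",
        "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\s.ps1",
    },
    {   # developer loading an unpacked extension from a project directory
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                       r"--load-extension=C:\Dev\myext",
    },
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"], finding["image"], finding["extensions"])
```

The severity split is deliberately coarse: a browser side-loading an extension from a user-writable directory is the Ducktail pattern and should be triaged as high, while a load from a fixed development path is worth a look but is often a developer testing an unpacked extension. Pairing a finding with the parent process (an explorer.exe parent means the shortcut itself was the launch vector) and with recent PowerShell writes to .lnk files in the same profile tightens it further.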