Cyble Research and Intelligence Labs reports a new Malware-as-a-Service strain, DuckLogs, that bundles stealer, keylogger, clipper, and remote access capabilities for threat actors. It features a sophisticated web panel for building, monitoring, and deploying the malware, plus a multi-stage delivery chain and active C2 infrastructure across multiple domains. #DuckLogs #BunifuUI #MajorRevision #BkfFB #lovableduck #ilovetheducks #quackquack #smallduck
Key Points
- DuckLogs is a Malware-as-a-Service that steals sensitive data (passwords, cookies, login data, crypto wallet details) and exfiltrates it to its C2 server.
- Threat actors advertise DuckLogs on cybercrime forums and offer three different pricing plans.
- The malware includes a sophisticated Web Panel for binary construction, victim monitoring, and log retrieval, plus a dropper builder to deliver the payload.
- Technical analysis reveals a multi-stage delivery chain starting with an obfuscated .NET module (Bunifu.UI.dll) that loads a second stage (MajorRevision.exe) via steganography, followed by final payload DuckLogs.exe injected via process hollowing.
- DuckLogs implements persistence (Startup folder), UAC/admin privilege escalation, and Windows Defender bypass, along with various defense-evasion and anti-analysis techniques.
- Modular functionality includes Stealer, Clipper, Keylogger, Disablers, File Grabber, and Remote Control, enabling data theft, crypto-wallet manipulation, and remote operations.
- C2 and IOCs include ducklogs.com and several related domains, plus multiple hashes and URLs associated with the BkfFB.exe and DuckLogs.exe payloads.
MITRE Techniques
- [T1059] PowerShell – The malware uses PowerShell-based commands; for example, it disables Windows Defender using a PowerShell command: “The malware executes the below PowerShell command to disable Windows Defender features in the Victims’ system.”
- [T1547] Startup Folder – The malware copies itself into the Startup folder to establish persistence: “Upon execution, the malware creates a copy of itself into the Startup folder to establish persistence.”
- [T1055] Process Injection – Final payload is injected into a new process via process hollowing: “Finally, it injects the payload by creating a new process with the parent file name (“BkfFB.exe”) using the process hollowing technique.”
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis and anti-detection checks are used to evade controlled environments: “multiple Anti-Analysis, and Anti-Detection checks to prevent the execution of the malware in a controlled environment.”
- [T1562] Impair Defenses – Windows Defender bypasses are implemented, including disabling Defender features (“Windows Defender Bypass”); the report quotes the command used to uninstall Defender: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” Uninstall-WindowsFeature -Name Windows-Defender
- [T1071] Application Layer Protocol – Data exfiltration to C2 domains over web services: “exfiltrates all sensitive data from the victims’ machine to its Command and Control (C&C) server ducklogs[.]com.”
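Two of the behaviours listed above, the Defender-disabling PowerShell command (T1562) and the copy of the binary into the Startup folder (T1547), translate directly into host-based detections. The following is an added example, not code from Cyble's report or from the malware: it runs two rules over constructed Sysmon-style process-creation and file-create events (the field names mirror Sysmon's; hostnames, user names and paths are invented). The Set-MpPreference pattern is a generalisation beyond the single command quoted on the page.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
# Field names mirror Sysmon's; users and paths are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Users\victim\Downloads\BkfFB.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r"Uninstall-WindowsFeature -Name Windows-Defender"},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Temp"},
    {"EventID": 11,
     "Image": r"C:\Users\victim\Downloads\BkfFB.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\BkfFB.exe"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},
]

# T1562: the command quoted in the report, plus the Set-MpPreference -Disable* family
# as a generalisation (a real cmdlet; the page itself only quotes Uninstall-WindowsFeature).
DEFENDER_TAMPER = re.compile(
    r"Uninstall-WindowsFeature\s+-Name\s+Windows-Defender|Set-MpPreference\s+-Disable\w*",
    re.IGNORECASE,
)

# T1547: an executable-type file landing in a per-user or all-users Startup folder.
STARTUP_WRITE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|lnk|bat|cmd|vbs|js|ps1)$",
    re.IGNORECASE,
)


def detect(event):
    """Return a list of (technique_id, description) findings for one event."""
    findings = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if DEFENDER_TAMPER.search(cmd):
            findings.append(("T1562", f"Defender tampering via PowerShell "
                                      f"(parent {event.get('ParentImage')}): {cmd}"))
    elif event.get("EventID") == 11:
        target = event.get("TargetFilename", "")
        if STARTUP_WRITE.search(target):
            findings.append(("T1547", f"Startup folder write by "
                                      f"{event.get('Image')}: {target}"))
    return findings


def scan(events):
    """Apply both rules to every event and return all findings in input order."""
    return [f for ev in events for f in detect(ev)]


if __name__ == "__main__":
    for tid, desc in scan(SAMPLE_EVENTS):
        print(tid, desc)
```

Both rules are deliberately narrow: the first keys on the administrative cmdlets rather than on powershell.exe itself, and the second only fires on executable-type files in the Startup path, so ordinary user activity (the second and fourth events) produces no findings.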
Indicators of Compromise
- [Hash] MD5/SHA1/SHA256 – BkfFB.exe (Main file) – 5bbbef641b0d73309939c16a8bb1621b, c790ad50365158aecd4599ebab8db004bf9a9091, e9bec9d4e28171c1a71acad17b20c32d503afa4f0ccfe5737171854b59344396
- [Hash] MD5/SHA1/SHA256 – DuckLogs.exe (Final payload) – 58a0f68310f775b4bd4ea251064ed667, 83c727335125f06b712cf4390bb9d265f77088a0, e15bf47074cc31f3445b3efb8ad75fac95ab085b5598cc82075902292ab8276b
- [Domain] – ducklogs[.]com – C2 domain
- [Domain] – lovableduck[.]ru, ilovetheducks[.]ru, quackquack[.]ru, smallduck[.]ru – Related C2 domains
- [IP] – 179[.]43[.]187[.]84 – C2 IP address
- [URL] – hxxp://lovableduck[.]ru/host/drops/eYjqq6Ezx/ee48v958r[.]exe, hxxp://ilovetheducks[.]ru/host/drops/Gh879pKQj/btvM8o8sv[.]exe, hxxp://quackquack[.]ru/host/drops/g6tujhiry/hjt50kzbo[.]exe – sample dropper/download URLs
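The IOCs above are defanged for safe handling, so matching them against telemetry needs a refang step and a subdomain-aware comparison rather than a plain string search. The following added example (not from Cyble's report) carries the page's hashes, domains and IP as data, refangs them, and runs them over constructed DNS and connection log lines whose format and hostnames are invented; the unmatched query for notquackquack.ru shows why a bare suffix check would be wrong.

```python
# IOCs copied from the report above, kept defanged so this file never contains live links.
DEFANGED_C2_DOMAINS = [
    "ducklogs[.]com", "lovableduck[.]ru", "ilovetheducks[.]ru",
    "quackquack[.]ru", "smallduck[.]ru",
]
DEFANGED_C2_IPS = ["179[.]43[.]187[.]84"]
KNOWN_HASHES = {  # MD5, SHA1 and SHA256 of the two samples named in the report
    "5bbbef641b0d73309939c16a8bb1621b": "BkfFB.exe",
    "c790ad50365158aecd4599ebab8db004bf9a9091": "BkfFB.exe",
    "e9bec9d4e28171c1a71acad17b20c32d503afa4f0ccfe5737171854b59344396": "BkfFB.exe",
    "58a0f68310f775b4bd4ea251064ed667": "DuckLogs.exe",
    "83c727335125f06b712cf4390bb9d265f77088a0": "DuckLogs.exe",
    "e15bf47074cc31f3445b3efb8ad75fac95ab085b5598cc82075902292ab8276b": "DuckLogs.exe",
}


def refang(ioc):
    """Undo the common [.] / hxxp defanging so an IOC can be compared with telemetry."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def defang(value):
    """Re-defang a matched value before it goes into a report."""
    return value.replace(".", "[.]").replace("http", "hxxp")


C2_DOMAINS = [refang(d) for d in DEFANGED_C2_DOMAINS]
C2_IPS = {refang(ip) for ip in DEFANGED_C2_IPS}


def domain_matches(qname):
    """True if qname is a listed C2 domain or a subdomain of one (not a mere suffix match)."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS)


# Constructed DNS resolver log: "<timestamp> <host> query <type> <qname>".
SAMPLE_DNS_LOG = """\
2022-12-01T10:00:01Z ws-01 query A www.example.com
2022-12-01T10:00:07Z ws-01 query A ducklogs.com
2022-12-01T10:00:09Z ws-02 query A api.lovableduck.ru
2022-12-01T10:00:12Z ws-02 query A notquackquack.ru
"""

# Constructed connection log: "<timestamp> <host> connect <dst_ip>:<port>".
SAMPLE_CONN_LOG = """\
2022-12-01T10:00:08Z ws-01 connect 179.43.187.84:443
2022-12-01T10:00:20Z ws-03 connect 93.184.216.34:443
"""


def match_dns(log_text):
    """Return (host, defanged qname) for every query that resolves a listed C2 domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "query" and domain_matches(parts[4]):
            hits.append((parts[1], defang(parts[4].lower())))
    return hits


def match_connections(log_text):
    """Return (host, defanged ip) for every outbound connection to a listed C2 address."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "connect":
            ip = parts[3].rsplit(":", 1)[0]
            if ip in C2_IPS:
                hits.append((parts[1], defang(ip)))
    return hits


def match_hashes(observed):
    """Return (hash, sample name) for each observed digest that is in the IOC list."""
    return [(h.lower(), KNOWN_HASHES[h.lower()]) for h in observed if h.lower() in KNOWN_HASHES]


if __name__ == "__main__":
    print(match_dns(SAMPLE_DNS_LOG))
    print(match_connections(SAMPLE_CONN_LOG))
    print(match_hashes(["5BBBEF641B0D73309939C16A8BB1621B"]))
```

Matches are re-defanged on the way out so that a report generated from this output does not itself become a clickable link to the C2 infrastructure; hash comparison is case-insensitive because tooling varies in how it prints digests.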
Read more: https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild/