Cyble – Ducktail Malware Focuses On Targeting HR And Marketing Professionals

DUCKTAIL is a .NET-based infostealer from Vietnam that targets Social Media Business/Ads accounts to harvest cookies and hijack sessions for ad fraud. It concentrates on HR and Marketing professionals, uses social engineering and ZIP-delivery via file-sharing services, and exfiltrates stolen data through Telegram with ongoing background activity. Hashtags: #DUCKTAIL #Vietnam #Cyble #CRIL #Telegram #AVALONORGANICS

Keypoints

  • DUCKTAIL is designed to steal browser cookies and social media session data to take control of Social Media Business accounts for financial gain.
  • Threat Actors from Vietnam have actively developed and distributed DUCKTAIL since late 2021, targeting HR and Marketing professionals in apparel-related industries.
  • Initial infection relies on social engineering and popular file-sharing services (Dropbox, Google Drive, OneDrive) to deliver a ZIP payload.
  • The payload comprises two executables whose names are chosen to appeal to Marketing roles; they are disguised with Word/PDF icons to look legitimate.
  • Once executed, DUCKTAIL identifies installed browsers via registry checks, enumerates them, and collects their cookies and session tokens.
  • The attackers use the stolen sessions to hijack Social Media Business accounts and attempt to obtain 2FA recovery codes when 2FA is required.
  • Data is exfiltrated via Telegram using the Telegram.Bot library, and the malware runs an infinite background exfiltration loop.

MITRE Techniques

  • [T1204] User Execution – The payloads are executed by the user after download; “The two executable files, namely ‘Performance Marketing Manager Salary and Benefits.exe’ and ‘The role of Performance Marketing Manager.exe’, specifically target Marketing professionals.”
  • [T1047] Windows Management Instrumentation – The operation uses a compiled executable to perform actions on the host; “The samples associated with these operations are coded in the .NET core and compiled as a single executable file containing libraries and files, including the main assembly.”
  • [T1059] Command and Scripting Interpreter – The payload runs as a standalone executable written in .NET to carry out its tasks; “The samples associated with these operations are coded in the .NET core and compiled as a single executable file containing libraries and files, including the main assembly.”
  • [T1497] Virtualization/Sandbox Evasion – The operation employs updates and behavior aimed at evading security measures used by Social Media platforms; “constant updates enable it to bypass most Social Media platforms’ security measures, specifically targeting advertising and business accounts.”
  • [T1027] Obfuscated Files or Information – The malware uses hardcoded URL strings and other obscuring elements; “Figure 4 – Hardcoded URL strings present in the malware.”
  • [T1003] OS Credential Dumping – The malware collects credentials such as cookies and tokens from browsers; “extracts all stored cookies, including any Social Media session cookies that might be present.”
  • [T1057] Process Discovery – The malware conducts system checks to understand the running environment; “conducts a comprehensive scan of the victim’s computer.”
  • [T1012] Query Registry – It retrieves installed browser details from the registry key HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet to learn each browser's name, path, and icon path.
  • [T1082] System Information Discovery – It gathers information about installed browsers and system state during reconnaissance.
  • [T1083] File and Directory Discovery – The loader inspects a ZIP payload’s contents (images and executables) as part of its setup.
  • [T1518] Security Software Discovery – The malware checks environmental indicators that could reveal security controls present on the host (the report illustrates this through the malware's focus on evasion and credential access).
  • [T1006] Data from Local System – The malware collects data from the local machine, including personal details of victims (names, birthdays, emails, user IDs).

Indicators of Compromise

  • MD5 / SHA1 / SHA256 – 618072b66529c1a3d8826b2185048790, 936139fc7f302e3895f6aea0052864a6cb130c59, 2650e6160606af57bd0598c393042f60c65e453f91cde5ecc3d0040a4d91214d (Project Information And Salary Details At AVALON ORGANICS.zip)
  • MD5 / SHA1 / SHA256 – 691ca596a4bc5f3e77494239fb614093, 20f53032749037caa91d4b15030c2f763e66c14e, f024e7b619d3d6e5759e9375ad50798eb64d1d4601f22027f51289d32f6dc0ca (The role of Performance Marketing Manager.exe)
  • MD5 / SHA1 / SHA256 – b4125e56a96e71086467f0938dd6a606, e692a626c6236332bd659abbd4b1479b860bf84a, 385600d3fa3b108249273ca5fe77ca4872dee7d26ce8b46fe955047f164888e7 (Performance Marketing Manager Salary and Benefits.exe)
  • URL – Dropbox link used to download the payload – hxxps[:]//www[.]dropbox[.]com/s/ng04kf3c1x1nya1/Project%20Information%20And%20Salary%20Details%20At%20AVALON%20ORGANICS[.]zip?dl=1
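The ZIP-delivered lure described in the Keypoints (executables with HR/marketing-themed names disguised as documents) and the file hashes listed above can be triaged together. The following is an added defensive example, not Cyble's code or anything from the malware: it inspects a ZIP's members by content (MZ header) rather than by extension and matches their SHA256 against the IOCs on this page. The sample archive is constructed in memory with dummy bytes, so no real sample is needed.

```python
import hashlib
import io
import zipfile
from typing import Dict, List

# SHA256 values copied from this page's IOC list (the ZIP and its two EXEs).
DUCKTAIL_SHA256 = {
    "2650e6160606af57bd0598c393042f60c65e453f91cde5ecc3d0040a4d91214d",
    "f024e7b619d3d6e5759e9375ad50798eb64d1d4601f22027f51289d32f6dc0ca",
    "385600d3fa3b108249273ca5fe77ca4872dee7d26ce8b46fe955047f164888e7",
}
# Words seen in the lure filenames the report quotes (assumed heuristic).
LURE_WORDS = ("salary", "benefit", "manager", "marketing", "role", "project")


def triage_zip(zip_bytes: bytes) -> List[Dict]:
    """Return one finding per member that is a PE executable or matches a
    published DUCKTAIL hash. Executables are detected by the 'MZ' magic,
    so a renamed binary is still caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            sha256 = hashlib.sha256(data).hexdigest()
            reasons = []
            if sha256 in DUCKTAIL_SHA256:
                reasons.append("sha256 matches published DUCKTAIL IOC")
            if data[:2] == b"MZ":
                name = info.filename.lower()
                themed = any(w in name for w in LURE_WORDS)
                reasons.append("PE executable" + (" with HR/marketing-themed name" if themed else ""))
            if reasons:
                findings.append({"member": info.filename, "sha256": sha256, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the lure layout (images plus two EXEs);
    the bytes are dummies, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("The role of Performance Marketing Manager.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("Performance Marketing Manager Salary and Benefits.exe", b"MZ" + b"\x90" * 64)
    return buf.getvalue()
```

Against a real archive, a hash hit is conclusive while the PE-with-document-name heuristic is only a triage signal for analyst review.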

Read more: https://blog.cyble.com/2023/05/17/ducktail-malware-focuses-on-targeting-hr-and-marketing-professionals/