Key points
- Delivery via spearphishing archives impersonating clothing companies and job ads targeting marketing professionals.
- Malicious executable (disguised with a PDF icon) drops param.ps1 and a PDF decoy to C:\Users\Public, opens the decoy, pauses, then terminates Chrome.
- Parent executable writes libEGL.dll to C:\Users\Public\Libraries and loads it; the DLL scans LNK shortcuts and appends a --load-extension argument to Chromium-based browser shortcuts.
- Malicious Chrome extension is deployed to a user-profile extension folder (using a directory name identical to NordVPN’s extension), disguised as Google Docs Offline, and contains obfuscated scripts that harvest open tabs, cookies, and account details.
- Extension abuses Facebook API calls and the 2fa[.]live service to bypass two-factor authentication and allows attackers to hijack Facebook ads and business accounts; stolen data is forwarded to Vietnam-registered C2 domains.
- Some runtime strings are AES-CBC encrypted (key “gnghfn47n467n43b”, IV “dakfhskljh92384h”) and a corrupted jquery-3.3.1.min.js is placed in the extension folder; the campaign samples were written in Delphi (not .NET).
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Used to deliver the archive containing the malicious executable and decoy PDF (‘The campaign saw the bad actor send out an archive containing images of new products by bona fide companies along with a malicious executable disguised with a PDF icon.’).
- [T1176] Browser Extensions – Persistence achieved by installing a malicious extension into the Chrome user profile and forcing browsers to load it (‘the malware would install a browser extension capable of stealing Facebook business and ads accounts’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – The dropper writes and runs a PowerShell script param.ps1 to open the decoy and orchestrate process actions (‘the malicious file saves a PowerShell script named param.ps1 and a PDF decoy locally to C:\Users\Public. The script uses the default PDF viewer… pauses for five minutes, and then terminates the Chrome browser process.’).
- [T1129] Shared Modules – Use of a malicious library (libEGL.dll) loaded by the parent executable to perform shortcut modification and extension loading (‘the parent executable saves a malicious library named libEGL.dll to C:\Users\Public\Libraries and then loads it. When launched, the library goes over every LNK file… altering the launch string for all Chromium-based browsers’).
- [T1204.002] User Execution: Malicious File – Victim opens the attachment believing it to be a PDF/job document, triggering the infection (‘When started, the malware would open a real, embedded PDF file that contained the job details.’).
- [T1539] Steal Web Session Cookie – The extension collects cookies and account session data from the browser to hijack Facebook sessions (‘the extension snatches cookies and details of accounts that the victim is signed in to on the device.’).
- [T1583.001] Acquire Infrastructure: Domains – Attackers used domains registered (Vietnam) as C2 for exfiltration and control (‘Stolen credentials and cookies are forwarded to a C&C server registered in Vietnam.’).
- [T1589] Gather Victim Identity Information – Campaign targeted marketing professionals and harvested account-related info for monetization (‘targeted marketing professionals… the attack was tailored to target marketing professionals looking for a career change.’).
- [T1598.002] Phishing for Information: Spearphishing Attachment – Phishing attachments used to trick victims into revealing credentials or executing payloads (‘The campaign saw the bad actor send out an archive… along with a malicious executable disguised with a PDF icon.’).
- [T1027] Obfuscated Files or Information – Core extension script and other components are obfuscated and some strings are AES-encrypted to hinder analysis (‘The core exception script is obfuscated.’; ‘Some of the library strings required for the malicious code to run are encrypted with the AES-CBC key “gnghfn47n467n43b” and the initialization vector “dakfhskljh92384h”.’).
- [T1071.001] Application Layer Protocol: Web Protocols – Extension communicates with C2 servers over web protocols to exfiltrate data and receive instructions (‘constantly sends the details of all open browser tabs to the command-and-control (C&C) server… Stolen credentials and cookies are forwarded to a C&C server’).
- [T1132.001] Data Encoding: Standard Encoding – Data encoding used for communications to C2 (noted in MITRE table as part of C2/exfiltration techniques).
- [T1041] Exfiltration Over C2 Channel – Credentials, cookies and other harvested data are sent to attacker-controlled C2 domains (‘Stolen credentials and cookies are forwarded to a C&C server registered in Vietnam.’).
Indicators of Compromise
- [File Hashes] Malware samples – c82b959d43789d3dbf5115629c3c01fa8dd599fbec36df0f4bc5d0371296545a, 2b3decf08bf9223fb3e3057b5a477d35e62c0b5795a883ceaa9555ca7c28252f, and 21 more hashes.
- [C2 Domains] Command-and-control domains used for exfiltration – dauhetdau[.]com, motdanvoi20232023[.]com, voiconprivatesv2083[.]com, cavoisatthu2023asd[.]com.
- [File Names] Dropped and installed files – param.ps1 (PowerShell dropper), libEGL.dll (malicious library), jquery-3.3.1.min.js (corrupted script in extension folder).
- [Paths / Shortcuts] Installation and persistence locations – C:\Users\Public (param.ps1 and decoy PDF), C:\Users\Public\Libraries\libEGL.dll, and extension folder C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\fjoaledfpmneenckfbpdfhkmimnjocfa (uses NordVPN-like directory name).
- [Decoy / Icons] Social engineering artifacts – malicious executable disguised with a PDF icon and extension impersonating Google Docs Offline (used to convince users to trust/ignore the extension).
In the observed campaign, attackers packaged a malicious executable inside spearphishing archives mimicking clothing-company job materials. When executed, the payload drops a PowerShell script (param.ps1) and a decoy PDF to C:\Users\Public, opens the decoy with the default PDF viewer, waits, and then terminates Chrome to prepare the environment for the next stage.
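The dropper stage described above (a PowerShell script run from C:\Users\Public, a pause, then Chrome being killed) together with the libEGL.dll load from the key points is what host process telemetry would show. The following added example is not from the Securelist write-up or its authors; it correlates those three host indicators over a few constructed process events. The pipe-delimited log format, process ids, timestamps, the decoy file name and the Acrobat path are assumptions, and the 10-minute window is a chosen tolerance around the five-minute pause the report describes.

```python
"""Correlate process telemetry for the Ducktail dropper sequence (added example, not from the report)."""
import re
from datetime import datetime, timedelta

PUBLIC_DIR = r"c:\users\public"                       # world-writable drop location named in the report
PUBLIC_LIB_DLL = r"c:\users\public\libraries\libegl.dll"
CHROME_KILL_WINDOW = timedelta(minutes=10)            # assumed tolerance: script pauses ~5 min before killing Chrome
PS1_RE = re.compile(r"[\"']?([a-z]:\\[^\"'\s]*\.ps1)", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Parse one constructed event line: <ISO time>|<type>|key=value|key=value..."""
    ts, kind, *fields = line.strip().split("|")
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def script_from_public_dir(event: dict):
    """Return the .ps1 path if PowerShell was started with a script under C:\\Users\\Public."""
    if event["type"] != "ProcessCreate" or not event.get("image", "").lower().endswith("powershell.exe"):
        return None
    match = PS1_RE.search(event.get("cmd", ""))
    if match and match.group(1).lower().startswith(PUBLIC_DIR + "\\"):
        return match.group(1)
    return None


def kills_chrome(event: dict) -> bool:
    """True for a chrome.exe termination or a taskkill aimed at Chrome."""
    image = event.get("image", "").lower()
    if event["type"] == "ProcessTerminate":
        return image.endswith("\\chrome.exe")
    if event["type"] == "ProcessCreate" and image.endswith("\\taskkill.exe"):
        return "chrome" in event.get("cmd", "").lower()
    return False


def correlate(lines) -> list:
    """Emit (rule, pid, detail) tuples for the three host indicators, in event order."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    for i, event in enumerate(events):
        if event["type"] == "ImageLoad" and event.get("image", "").lower() == PUBLIC_LIB_DLL:
            alerts.append(("public_dll_load", event["pid"], event["image"]))
        script = script_from_public_dir(event)
        if not script:
            continue
        alerts.append(("public_ps1", event["pid"], script))
        # Look ahead for a Chrome kill within the window after the public-dir script started
        for later in events[i + 1:]:
            if later["ts"] - event["ts"] > CHROME_KILL_WINDOW:
                break
            if kills_chrome(later):
                alerts.append(("ps1_then_chrome_kill", event["pid"], later["ts"].isoformat()))
                break
    return alerts


SAMPLE_LOG = [  # constructed telemetry for this example; pids, times and the decoy name are made up
    r"2023-10-05T09:12:01Z|ProcessCreate|pid=4120|ppid=3344|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\param.ps1",
    r"2023-10-05T09:12:02Z|ProcessCreate|pid=4188|ppid=4120|image=C:\Program Files\Adobe\Acrobat\Acrobat.exe|cmd=Acrobat.exe C:\Users\Public\offer.pdf",
    r"2023-10-05T09:12:03Z|ImageLoad|pid=3344|image=C:\Users\Public\Libraries\libEGL.dll",
    r"2023-10-05T09:17:04Z|ProcessCreate|pid=4300|ppid=4120|image=C:\Windows\System32\taskkill.exe|cmd=taskkill /F /IM chrome.exe",
    r"2023-10-05T09:17:05Z|ProcessTerminate|pid=2210|image=C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"2023-10-05T10:40:00Z|ProcessCreate|pid=5012|ppid=1200|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -File C:\Users\alice\Documents\deploy.ps1",
]

if __name__ == "__main__":
    for rule, pid, detail in correlate(SAMPLE_LOG):
        print(f"{rule}: pid={pid} {detail}")
```

The benign PowerShell run at 10:40 (a script under the user's Documents folder, no Chrome kill afterwards) produces no alert, which is the point of requiring both the world-writable script location and the follow-on termination rather than alerting on either alone.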
The parent executable writes and loads a malicious library (libEGL.dll) into C:\Users\Public\Libraries; this DLL enumerates LNK shortcuts in Start Menu, Quick Launch and desktop locations and appends a Chromium launch argument to auto-load a local extension (--load-extension="C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\fjoaledfpmneenckfbpdfhkmimnjocfa"). The malware also drops extension files (obfuscated core script, corrupted jquery-3.3.1.min.js) into that folder and uses AES-CBC-encrypted strings (key “gnghfn47n467n43b”, IV “dakfhskljh92384h”) to conceal runtime values.
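The shortcut tampering described above is the durable persistence artifact on disk, and a defender finds it by parsing the .lnk files rather than trusting their icons or targets. The following added example is not from the Securelist write-up or its authors: it reads the MS-SHLLINK header and StringData fields, extracts any --load-extension path from a shortcut's argument string (including Chrome's comma-separated multi-path form and quoted paths containing spaces such as "User Data"), and flags the extension directory name reported for this campaign. The `build_lnk` fixture, the sample shortcuts, the user name "alice" and the relative target path are constructed for the example.

```python
"""Scan Windows .lnk shortcuts for forced Chromium extension loads (added example, not from the report)."""
import re
import struct
from pathlib import Path

# MS-SHLLINK constants: fixed header size, LinkCLSID as stored on disk, LinkFlags bits
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
               ("arguments", 0x20), ("icon_location", 0x40)]    # on-disk order of StringData fields

KNOWN_BAD_EXTENSION_DIR = "fjoaledfpmneenckfbpdfhkmimnjocfa"     # directory name from the write-up above
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (relative_path, arguments, ...) of a shell link blob."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:        # LinkTargetIDList: 2-byte size followed by that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: 4-byte size that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_DATA:  # each present string: 2-byte character count, then characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def find_loaded_extensions(data: bytes) -> list:
    """Paths the shortcut forces Chromium to side-load; --load-extension accepts a comma list."""
    args = parse_lnk_strings(data).get("arguments", "")
    paths = []
    for match in LOAD_EXT_RE.finditer(args):
        paths.extend(p for p in (match.group(1) or match.group(2)).split(",") if p)
    return paths


def is_known_bad(path: str) -> bool:
    """Match the campaign's extension directory name regardless of case or drive letter."""
    return KNOWN_BAD_EXTENSION_DIR in path.lower()


def scan_shortcuts(root: str) -> list:
    """Walk a Start Menu, Desktop or Quick Launch tree and report (shortcut, extension path, known_bad)."""
    hits = []
    for lnk in Path(root).rglob("*.lnk"):
        try:
            for ext in find_loaded_extensions(lnk.read_bytes()):
                hits.append((str(lnk), ext, is_known_bad(ext)))
        except (ValueError, OSError):
            continue              # not a real shell link, or unreadable
    return hits


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk (no IDList, no LinkInfo) so the scanner can be exercised offline."""
    flags = 0x08 | 0x20 | IS_UNICODE       # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: a tampered Chrome shortcut shaped like the report's launch string, and a clean one
BAD_PATH = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\fjoaledfpmneenckfbpdfhkmimnjocfa"
TAMPERED_LNK = build_lnk(r"..\chrome.exe", f'--load-extension="{BAD_PATH}"')
CLEAN_LNK = build_lnk(r"..\chrome.exe", "--profile-directory=Default")

if __name__ == "__main__":
    for label, blob in (("tampered", TAMPERED_LNK), ("clean", CLEAN_LNK)):
        for ext in find_loaded_extensions(blob):
            print(f"{label}: loads {ext} (known bad: {is_known_bad(ext)})")
```

Any --load-extension in a browser shortcut is worth triage on its own, since legitimately installed shortcuts do not carry it; the known-bad directory check only raises the priority for this campaign. On a live host, point `scan_shortcuts` at each user's Start Menu, Desktop and Quick Launch directories.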
The installed extension continuously reports open tabs to its C2 and, upon detecting Facebook-related pages, harvests cookies and account details to seize business and ads accounts. To bypass two-factor authentication the extension leverages Facebook API calls and the 2fa[.]live service to obtain one-time codes, then forwards stolen credentials and cookies to Vietnam-registered C2 domains for monetization or resale. Samples analyzed were authored in Delphi rather than .NET, indicating a new variant of Ducktail.
Read more: https://securelist.com/ducktail-fashion-week/111017/