DUCKTAIL malware campaign targeting Facebook business and ads accounts is back

A group of attackers, likely based in Vietnam, that specializes in targeting employees with potential access to Facebook business and ads management accounts, has re-emerged with changes to its infrastructure, malware, and modus operandi after being initially outed a few months ago.

Dubbed DUCKTAIL by researchers from WithSecure, the group uses spear phishing to target individuals on LinkedIn who have job descriptions that could suggest they have access to manage Facebook business accounts. More recently, the attackers were also observed targeting victims via WhatsApp. The compromised Facebook business accounts are used to run ads on the platform for attackers’ financial gain.

DUCKTAIL attackers do their research

The account abuse is carried out through the victim's own browser, using a malware program delivered under the guise of documents related to brands, products, and project planning. The attackers first build a list of companies that have business pages on Facebook. They then search LinkedIn and other sources for employees of those companies whose job titles suggest access to those business pages, including managerial, digital marketing, digital media, and human resource roles.

The final step is to send the target a link to an archive that contains the malware masquerading as a .pdf, alongside images and videos that appear to belong to the same project. Some of the file names seen by the researchers include project "development plan," "project information," "products," and "new project L'Oréal budget business plan." Some of the file names included country names, suggesting the attackers customize the lure for each victim and country based on their reconnaissance. The identified victims were spread around the world, so the attackers do not target one particular region.
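The lure described above hinges on one detail a defender can check at the mail gateway or in a sandbox: an archive whose "document" entry is not actually a document. The following script is an added example, not code from the article or from WithSecure, and it does not use a real DUCKTAIL sample; the archive it inspects is constructed inline. It assumes the disguised file is a Windows executable (the page does not say what file type the malware is), and it also flags two related disguises the page does not mention but that the same check catches: a double extension such as `.pdf.exe` and a right-to-left override character in the file name.

```python
import io
import zipfile

# Content signatures: a file named *.pdf must start with %PDF; these are the
# other types an archive lure of "documents plus images" is likely to contain.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "pe",                                   # Windows EXE/DLL/SCR
    b"\x7fELF": "elf",
    b"L\x00\x00\x00\x01\x14\x02\x00": "lnk",       # Windows shortcut
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
}
EXEC_KINDS = {"pe", "elf", "lnk"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi", ".ps1"}
RTLO = "\u202e"  # Unicode right-to-left override, used to visually reverse a suffix


def sniff(head):
    """Classify a file by its leading bytes; 'unknown' if no signature matches."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def inspect_entry(name, head):
    """Return the reasons this archive entry looks like a disguised executable."""
    findings = []
    base = name.rsplit("/", 1)[-1]
    if RTLO in base:
        findings.append("right-to-left override character in filename")
    stem, ext = base.lower().rsplit(".", 1) if "." in base else (base.lower(), "")
    ext = "." + ext if ext else ""
    inner_ext = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
    kind = sniff(head)
    if ext in EXEC_EXTENSIONS and inner_ext in DOC_EXTENSIONS:
        findings.append(f"double extension {inner_ext}{ext}")
    if ext in DOC_EXTENSIONS and kind in EXEC_KINDS:
        findings.append(f"declared {ext} but content is {kind}")
    elif ext == ".pdf" and kind != "pdf":
        findings.append("declared .pdf but no %PDF header")
    return findings


def scan_archive(zip_bytes):
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    suspicious = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # only the header is needed to classify
            findings = inspect_entry(info.filename, head)
            if findings:
                suspicious[info.filename] = findings
    return suspicious


def build_sample_archive():
    """Constructed lure archive for the example (hypothetical, not a real sample)."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/brand_guidelines.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        zf.writestr("project/product_photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("project/development_plan.pdf", b"%PDF-1.7\n% genuine-looking pdf\n")
        zf.writestr("project/project_information.pdf", pe_stub)      # PE named as .pdf
        zf.writestr("project/budget_business_plan.pdf.exe", pe_stub)  # double extension
        zf.writestr("project/products" + RTLO + "fdp.scr", pe_stub)   # renders as products...rcs.pdf
    return buf.getvalue()


def scan_sample():
    return scan_archive(build_sample_archive())


if __name__ == "__main__":
    for entry, reasons in scan_sample().items():
        print(entry.encode("unicode_escape").decode(), "->", "; ".join(reasons))
```

Only the header bytes of each entry are read, so the check is cheap enough to run on every inbound archive; the genuine `development_plan.pdf` and the image files produce no findings, while the three disguised entries are each reported with the specific reason.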

It’s believed the DUCKTAIL group has been operating this campaign since the second half of 2021. After WithSecure exposed their operation in August this year, the operation stopped and the attackers reworked some of their toolset.

Attackers switch to GlobalSign as certificate authority

Malware samples analyzed earlier this year were…