Date: 2022-11-23

“DUCKTAIL”, a Vietnam-based cyber crime operation discovered by WithSecure (formerly known as F-Secure business) earlier this year, has continued to evolve its operations, according to a new analysis.

Since 2021, DUCKTAIL has used LinkedIn to target individuals and organisations operating on Facebook's Ads & Business platform in order to hijack Facebook Business accounts.

Following the exposure of DUCKTAIL’s activities in a report published during the summer, the group has changed the way it operates in order to evade defences and expand its operations.

"We don't see any signs of DUCKTAIL slowing down soon, but rather see them evolve rapidly in the face of operational setbacks. Up to this point, the operational team behind DUCKTAIL was seemingly small, but that has changed," said Mohammad Kazem Hassan Nejad, Researcher for WithSecure Intelligence.

Recent DUCKTAIL activity observed since early September featured several changes to their mode of operation, including:

New avenues through which to spear-phish targets, such as WhatsApp.

Changes to malware capabilities, including a more robust way of retrieving the attacker-controlled e-mail addresses, and making the malware look more legitimate by opening dummy documents and video files on launch.

Continuous efforts at defence evasion by changing up file format and compilation, as well as countersigning certificates.

Further resource development and operational expansion by setting up additional fake businesses in Vietnam and onboarding affiliates into the operation.

“Ransomware attacks get a lot of attention, but threats such as DUCKTAIL can cause substantial financial and branding damage and shouldn’t be overlooked,” said Paolo Palumbo, Vice-President of WithSecure Intelligence. “With the increased activity, new affiliates and fake businesses, we expect an increase in DUCKTAIL related incidents for the foreseeable future.”

DUCKTAIL in the trenches

WithSecure’s incident response team has helped several victim organisations respond to attacks from DUCKTAIL and other threats targeting Facebook’s Ads & Business platform. Losses from these attacks ranged from one to six hundred thousand dollars of advertising credits.

According to WithSecure Global Head of Incident Response, John Rogers, these kinds of threats are challenging for companies to manage due to the lack of separation between personal and business accounts.

“Using the same resources for both personal and business can be quite problematic. For example, investigating a possible DUCKTAIL incident may require logs about an individual’s Facebook history, which can have many unanticipated operational, ethical and legal implications. It’s an issue that concerns organisations and their employees, so they both need to understand the risks in these situations,” he said.

Defenders can take the following steps to protect themselves from DUCKTAIL and similar threats:

Raise awareness on spear-phishing among users with access to Facebook/Meta business accounts;

Enforce application allowlisting to prevent unknown executables from running;

Use EDR/EPP solutions to prevent and detect the malware in the earlier stages of the attack life cycle;

Ensure managed or personal devices used with company Facebook accounts have basic hygiene and protection in place;

Use private browsing to authenticate each work session when accessing Facebook Business accounts (so the session is forgotten after finishing, which prevents cookies from being stolen and abused);

Follow Meta's recommended security practices; and

Download and analyse the relevant logs as quickly as possible when responding to a suspected incident.
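The private-browsing recommendation above can be enforced centrally rather than left to user habit. The following is an added example, not part of the WithSecure analysis or of Meta's guidance: a Firefox enterprise policy file (policies.json) and the equivalent Chrome/Edge policy that wipe cookies and other site data whenever the browser closes, so a Facebook Business session does not persist on disk between work sessions. The policy names and values are the browsers' documented enterprise policy keys; the combined layout of the two in one file is for illustration only, since each browser reads its own policy location.

```json
{
  "firefox_policies_json": {
    "policies": {
      "SanitizeOnShutdown": {
        "Cache": true,
        "Cookies": true,
        "History": true,
        "Sessions": true,
        "SiteSettings": true,
        "OfflineApps": true,
        "Locked": true
      }
    }
  },
  "chrome_or_edge_policy": {
    "ClearBrowsingDataOnExitList": [
      "cookies_and_other_site_data",
      "cached_images_and_files",
      "browsing_history",
      "password_signin"
    ]
  }
}
```

Deploy the Firefox block as the contents of policies.json in the browser's distribution directory, and the Chrome/Edge list through Group Policy or the managed-policies registry key; "Locked": true stops users from re-enabling persistence. This narrows the window in which a stolen cookie file is useful (nothing survives the session), but it does not protect a session that is still open on an infected device, which is why the allowlisting and EDR steps above remain necessary alongside it.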

The full analysis is available at https://labs.withsecure.com/publications/ducktail-returns.

Additional information on DUCKTAIL is available at https://labs.withsecure.com/publications/ducktail.