The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with an aim to hijack Facebook business accounts.
"An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language," Kaspersky said in a report published last week.
Ducktail, alongside Duckport and NodeStealer, is part of a cybercrime ecosystem operating out of Vietnam, with the attackers primarily using sponsored ads on Facebook to propagate malicious ads and deploy malware capable of plundering victims' login cookies and ultimately taking control of their accounts.
Such attacks primarily single out users who may have access to a Facebook Business account. The fraudsters then use the unauthorized access to place advertisements for financial gain, perpetuating the infections further.
In the campaign documented by the Russian cybersecurity firm, potential targets looking for a career change are sent archive files containing a malicious executable that's disguised with a PDF icon to trick them into launching the binary.
Doing so results in the malicious file saving a PowerShell script named param.ps1 and a decoy PDF document locally to the "C:\Users\Public" folder in Windows.
"The script uses the default PDF viewer on the device to open the decoy, pauses for five minutes, and then terminates the Chrome browser process," Kaspersky said.
The parent executable also downloads and launches a rogue library named libEGL.dll, which scans the "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" and "C:\ProgramData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\" folders for any shortcut (i.e., LNK file) to a Chromium-based web browser.
The next stage entails altering the browser's LNK shortcut file by suffixing a "--load-extension" command line switch to launch a rogue extension that masquerades as the legitimate Google Docs Offline add-on to fly under the radar.
The extension, for its part, is designed to send information about all open tabs to an actor-controlled server registered in Vietnam and hijack the Facebook business accounts.
Google Sues Scammers for Using Bard Lures to Spread Malware
The findings underscore a strategic shift in Ducktail's attack techniques and come as Google filed a lawsuit against three unknown individuals in India and Vietnam for capitalizing on the public's interest in generative AI tools such as Bard to spread malware via Facebook and pilfer social media login credentials.
"Defendants distribute links to their malware through social media posts, ads (i.e., sponsored posts), and pages, each of which purport to offer downloadable versions of Bard or other Google AI products," the company alleged in its complaint.
"When a user logged into a social media account clicks the links displayed in Defendants' ads or on their pages, the links redirect to an external website from which a RAR archive, a type of file, downloads to the user's computer."
The archive files include an installer file that's capable of installing a browser extension adept at pilfering victims' social media accounts.
Earlier this May, Meta said it observed threat actors creating deceptive browser extensions available in official web stores that claim to offer ChatGPT-related tools and that it detected and blocked over 1,000 unique URLs from being shared across its services.
