New Data Theft Malware Is Attacking Facebook Business Accounts: All You Need To Know
Most of the phishing lures in this campaign pose as games, subtitle files, pornography and even cracked Microsoft Office applications, distributed as ZIP archives on legitimate file-hosting services.
A new Ducktail phishing campaign is spreading a Windows information-stealing malware written in PHP that is being used to steal Facebook accounts, browser data and even cryptocurrency wallets, according to a report by BleepingComputer.
Ducktail phishing campaigns were first documented by researchers at WithSecure in July 2022, who linked the attacks to Vietnamese threat actors.
Those attacks relied on social engineering over LinkedIn, delivering .NET Core malware disguised as a PDF document that supposedly contained details of a marketing project.
The malware's primary target was information stored in browsers, with a particular focus on Facebook Business account data, which was exfiltrated to a private Telegram channel that served as the command-and-control (C2) server. The stolen credentials are then used for financial fraud or malicious advertising.
According to the report, a refreshed Ducktail campaign has now been spotted that uses a PHP script as the Windows information stealer, replacing the earlier .NET Core stealer.
Once the victim runs the fake application, installation proceeds in the background while the victim is shown a 'checking application compatibility' pop-up.
The malware is extracted to the %LocalAppData%\Packages\PXT folder, which also contains a local php.exe interpreter used to run it.
The malware persists by adding scheduled tasks on the host that run it every day at regular intervals. In addition, a generated TMP file launches a parallel process that starts the stealer component.
The collected data is no longer exfiltrated to Telegram; instead it is sent to a JSON website that also hosts account tokens and the data needed to carry out on-device fraud.
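The drop folder and the scheduled-task persistence described above give a defender two concrete things to hunt for. The following is an added example, not code from the article or from the researchers who reported the campaign: it parses exported Windows scheduled-task XML (the Task Scheduler schema that `schtasks /query /xml` or `Export-ScheduledTask` produces) and flags any task whose action launches php.exe out of a `\Packages\PXT` folder. It also applies a broader heuristic, an assumption of this example rather than something the article states, that any scripting interpreter a scheduled task runs against a user-writable path deserves a look, since a renamed variant would not match the exact folder name. The task definitions, the `C:\Users\victim` profile path used for expanding environment variables, and the minimal XML layout are all constructed for the example.

```python
"""Hunt exported Windows scheduled-task XML for the Ducktail-style persistence
pattern: a bundled php.exe interpreter run from %LocalAppData%\Packages\PXT.
Added example; all task definitions below are constructed samples."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicator taken from the article: the drop folder that holds php.exe.
DUCKTAIL_DIR = re.compile(r"\\Packages\\PXT(\\|$)", re.IGNORECASE)
# Assumption (not from the article): generic heuristic for script interpreters
# launched by a task with any reference to a user-writable location.
INTERPRETER = re.compile(
    r"(^|\\)(php|python\w*|wscript|cscript|mshta|powershell|pwsh)\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)


def expand_env(path: str, profile: str = r"C:\Users\victim") -> str:
    """Expand the profile-relative variables Task Scheduler would expand.
    The profile path is an assumption for offline use."""
    repl = {
        "%LOCALAPPDATA%": profile + r"\AppData\Local",
        "%APPDATA%": profile + r"\AppData\Roaming",
        "%TEMP%": profile + r"\AppData\Local\Temp",
        "%USERPROFILE%": profile,
    }
    return re.sub(r"%[A-Za-z_]+%", lambda m: repl.get(m.group(0).upper(), m.group(0)), path)


def exec_actions(task_xml: str):
    """Return (command, arguments, working_dir) for every <Exec> action in a task."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", "", TASK_NS) or "").strip().strip('"')
        args = (ex.findtext("t:Arguments", "", TASK_NS) or "").strip()
        wd = (ex.findtext("t:WorkingDirectory", "", TASK_NS) or "").strip()
        actions.append((expand_env(cmd), expand_env(args), expand_env(wd)))
    return actions


def classify(task_name: str, task_xml: str) -> dict:
    """Rate one task: 'ducktail' on the article's indicator, 'suspicious' on the
    generic interpreter heuristic, otherwise 'benign'."""
    verdict, reasons = "benign", []
    for cmd, args, wd in exec_actions(task_xml):
        line = " ".join(p for p in (cmd, args, wd) if p)
        if cmd.lower().endswith("php.exe") and DUCKTAIL_DIR.search(line):
            verdict = "ducktail"
            reasons.append(f"php.exe launched from PXT drop folder: {line}")
        elif INTERPRETER.search(cmd) and USER_WRITABLE.search(line):
            if verdict == "benign":
                verdict = "suspicious"
            reasons.append(f"interpreter {cmd} referencing user-writable path: {line}")
    return {"task": task_name, "verdict": verdict, "reasons": reasons}


def hunt(tasks: dict) -> list:
    """Classify every task and return the non-benign ones, worst first."""
    order = {"ducktail": 0, "suspicious": 1}
    hits = [classify(name, xml) for name, xml in tasks.items()]
    return sorted((h for h in hits if h["verdict"] != "benign"), key=lambda h: order[h["verdict"]])


def _task(command: str, arguments: str = "", workdir: str = "") -> str:
    """Build a minimal daily task in the Task Scheduler schema (constructed sample)."""
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2022-10-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>{command}</Command><Arguments>{arguments}</Arguments>
    <WorkingDirectory>{workdir}</WorkingDirectory>
  </Exec></Actions>
</Task>"""


# Constructed sample tasks: one matching the article's indicator, one ordinary
# vendor updater, and one using the same trick with a different interpreter.
SAMPLE_TASKS = {
    r"\PXTUpdate": _task(r"%LocalAppData%\Packages\PXT\php.exe", "app.php",
                         r"%LocalAppData%\Packages\PXT"),
    r"\Adobe Acrobat Update Task": _task(
        r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"),
    r"\OneDriveSyncHelper": _task(r"C:\Windows\System32\wscript.exe",
                                  r"//B C:\Users\victim\AppData\Roaming\sync.vbs"),
}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_TASKS):
        print(finding["verdict"].upper(), finding["task"], *finding["reasons"], sep="\n  ")
```

On a live host the same functions can be fed the output of `Get-ScheduledTask | Export-ScheduledTask` or `schtasks /query /xml`; the heuristic tier will produce some benign hits from legitimate tools that schedule scripts out of AppData, so treat it as a triage list rather than an alert, while a php.exe under `\Packages\PXT` warrants immediate isolation of the host.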
The report warns users to be wary of instant messages they receive on LinkedIn and not to download files indiscriminately, especially those posing as tempting cracked software, game mods and cheats.