extensions

Malware that steals Facebook accounts

How attackers use infected archives and malicious browser extensions to steal Facebook Business accounts.

Alanna Titterington
November 22, 2023

Our researchers have discovered a new version of malware from the Ducktail family. Cybercriminals are using it to target company employees who either hold fairly senior positions or work in HR, digital marketing, or social-media marketing. Their ultimate goal is to hijack Facebook Business accounts, so it makes sense that the attackers are interested in folks most likely to have access to them. Today, we talk about how attacks occur, what’s unusual about them and, of course, how to protect yourself.

Bait and malicious payload

What the cybercriminals behind Ducktail do is send out malicious archive to their potential victims. To lull the recipient’s vigilance, the archives contain bait in the form of theme-based images and video files on a common topic. For example, the theme of the most recent campaign (March to early October 2023) was fashion: emails were sent out in the name of big fashion industry players with archives containing photos of items of clothing.

However, inside these archives were also executable files. These files had PDF icons and very long file names to divert the victim’s attention from the EXE extension. Additionally, the names of the fake files appeared to be carefully chosen for relevance so as to persuade the recipients to click on them. In the fashion-themed campaign, the names referred to “guidelines and requirements for candidates”, but other bait like, say, price lists or commercial offers, can be used as well.

Contents of a malicious Ducktail archive

The malicious Ducktail archive contains a file that looks like a PDF but is in fact an EXE

After clicking the disguised EXE file, a malicious script runs on the target device. Firstly, it does indeed display the contents of some PDF file embedded in the malware code, with the hope that the victim doesn’t smell a rat. At the same time, the malware scans all the shortcuts on the desktop, the Start menu, and the Quick Launch toolbar. It searches for shortcuts to Chromium-based browsers, such as Google Chrome, Microsoft Edge, Vivaldi, Brave… Having found one, the malware alters its command line by adding an instruction to install a browser extension, which is also embedded in the executable file. Five minutes later, the malicious script terminates the browser process, prompting the user to restart it using one of the modified shortcuts.

Malicious browser extension

After the user clicks the shortcut, a malicious extension is installed in the browser, where it convincingly masquerades as Google Docs Offline, using the exact same icon and description (though only in English, which can give away the fake in some regions).

The malicious extension masquerading as Google Docs Offline (left), and the real Google Docs Offline extension (right) in the Google Chrome browser

Once installed and running, the malicious extension starts constantly monitoring all tabs opened by the user in the browser and sending information about them to the attackers’ C2 server. If it finds an address associated with Facebook among the opened tabs, the malicious extension checks for Ads and Business accounts and then hijacks them.

The extension steals information from Facebook accounts logged into on the victim’s device, as well as active session cookies stored by the browser, which can be used to sign in to the accounts without authentication.

The group behind the malware has reportedly been active since 2018. Several research teams believe it has Vietnamese origin. The group’s distribution of Ducktail can be pinpointed to 2021.

How to guard against Ducktail

To protect against Ducktail and similar threats, employees need to simply observe basic digital hygiene; in particular:

Never download suspicious archives on work computers — especially if the links come from untrusted sources.
Carefully check the extensions of all files downloaded from the internet or email before opening them.
Never click on a file that looks like a harmless document but has an EXE extension — this is a clear sign of malware.
Always install reliable protection on all work devices.This will warn you of potential danger and defeat any attacks in time. Our solutions detect this threat with the verdict HEUR:Trojan.Win64.Ducktail.gen.
You can find indicators of compromise as well as more technical details on this malware in the respective Securelist blog post.

Transatlantic Cable podcast, episode 324

Episode 324 of the Kaspersky podcast looks at Meta and Google in the docks, more on deep-fakes & port operator pulls internet after a cyberattack.

Privacy & Kids

TARGETED SECURITY SOLUTIONS

Malware that steals Facebook accounts

Bait and malicious payload

Malicious browser extension

How to guard against Ducktail

Dangerous browser extensions

Browser extensions: more dangerous than you think

Transatlantic Cable podcast, episode 324

Tips

Advertisers sharing data about you with… intelligence agencies

Watch the (verified) birdie, or new ways to recognize fakes

Switching to Kaspersky: a step-by-step migration guide

Is it the boss – or is it a fraudster? Scams disguised as urgent orders from top brass

Sign up to receive our headlines in your inbox

Home Products

Small Business Products

Medium Business Products

Enterprise Solutions

Securelist

Eugene Personal Blog

Encyclopedia