The Zscaler ThreatLabz research team has come across a new Ducktail phishing campaign that uses never-before-seen Windows information-stealing malware written in PHP to hijack Facebook accounts, browser data, and cryptocurrency wallets. In July 2022, researchers from WithSecure discovered a Ducktail phishing campaign attributed to Vietnamese threat actors.
In those campaigns, .NET Core malware was delivered through social-engineering attacks over LinkedIn, disguised as a PDF document that supposedly contained marketing project details. The malware targeted data from Facebook Business accounts and exfiltrated it to a private Telegram channel that served as the C2 server. Once stolen, the credentials are used to commit financial fraud or to run malicious advertising.
Zscaler has now detected signs of new activity involving a refreshed Ducktail campaign that uses a PHP script as its Windows information-stealing malware.
PHP information-stealing malware
Ducktail activity dates back to late 2021; in July 2022, researchers found that the threat actors targeted higher-level employees with access to their organization’s Facebook Business account in order to steal data and hijack the accounts.
In the new campaign, the info-stealer is written in PHP, replacing the .NET Core malware Ducktail used in its previous campaigns. This campaign’s lures include games, subtitle files, adult videos, and cracked MS Office applications, hosted as ZIP archives on legitimate file-hosting sites.
When the victim installs the fake application, a fake ‘Checking Application Compatibility’ pop-up is displayed in the victim’s browser while the actual installation proceeds in the background.
The malware is ultimately extracted to the %LocalAppData%/Packages/PXT folder, which contains PHP.exe, various PHP scripts, and supporting tools.
Persistence is achieved by adding scheduled tasks on the host so that the malware runs daily at consistent intervals. In parallel, a generated TMP file launches the stealer component. The stealer’s code is an obfuscated (Base64-encoded) PHP script that is decoded directly in memory without ever touching the disk, minimizing the risk of detection.
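The two host artefacts described above (a scheduled task that launches PHP.exe from the PXT drop folder, and a PHP script whose real payload stays Base64-encoded until it is evaluated in memory) are things a defender can hunt for. The following Python script is an added example written for this page; it is not code from Zscaler, WithSecure or TAC Security. It parses scheduled-task definitions in the XML format Windows Task Scheduler stores under C:\Windows\System32\Tasks (and that `schtasks /query /xml` prints), flags tasks whose action references php.exe or the Packages\PXT folder, and checks PHP source text for the eval(base64_decode(...)) pattern. The task XML, the PHP snippet and the script name loader.php are constructed samples, not indicators taken from the campaign.

```python
"""Hunting for Ducktail-style PHP stealer persistence and obfuscation.

Added example for this write-up; all sample data below is constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators from the write-up: the PHP interpreter and the drop folder.
SUSPICIOUS_BINARY = "php.exe"
SUSPICIOUS_FOLDER = "packages\\pxt"   # compared case-insensitively


def _normalise(path: str) -> str:
    """Lower-case and use backslashes so %LocalAppData%/Packages/PXT and
    C:\\Users\\x\\AppData\\Local\\Packages\\PXT compare the same way."""
    return path.replace("/", "\\").lower()


def inspect_task_xml(xml_text: str) -> dict:
    """Return a verdict for one scheduled-task XML definition.

    'commands'      every <Exec> action as "command arguments"
    'daily_trigger' True if a <CalendarTrigger> uses <ScheduleByDay>
    'suspicious'    True if any action references php.exe or the PXT folder
    """
    root = ET.fromstring(xml_text)
    commands = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        commands.append((cmd + " " + args).strip())
    daily = root.find(".//t:Triggers/t:CalendarTrigger/t:ScheduleByDay", TASK_NS) is not None
    suspicious = any(
        SUSPICIOUS_BINARY in _normalise(c) or SUSPICIOUS_FOLDER in _normalise(c)
        for c in commands
    )
    return {"commands": commands, "daily_trigger": daily, "suspicious": suspicious}


# eval() of a base64_decode() result: the payload is only revealed at run time.
OBFUSCATION_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
B64_ARG_RE = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]""", re.IGNORECASE)


def looks_base64_obfuscated(php_source: str) -> bool:
    """True when the script evaluates a Base64-decoded blob at run time."""
    return OBFUSCATION_RE.search(php_source) is not None


def extract_base64_payload(php_source: str):
    """Decode the first literal Base64 argument to base64_decode(), if any,
    so an analyst can preview what the script would execute."""
    match = B64_ARG_RE.search(php_source)
    if match is None:
        return None
    return base64.b64decode(match.group(1)).decode("utf-8", errors="replace")


# Constructed sample task definitions (not real artefacts from the campaign).
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2022-10-01T09:00:00</StartBoundary>
      <ScheduleByWeek><DaysOfWeek><Monday/></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleBackup\backup.exe</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""

# "loader.php" is an assumed script name; the write-up only says "various scripts".
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2022-10-01T08:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%LocalAppData%\Packages\PXT\php.exe</Command><Arguments>-f "%LocalAppData%\Packages\PXT\loader.php"</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed harmless PHP snippet using the same obfuscation pattern;
# the Base64 blob decodes to: echo "hello";
OBFUSCATED_PHP = '<?php eval(base64_decode("ZWNobyAiaGVsbG8iOw==")); ?>'

if __name__ == "__main__":
    for name, task in (("benign", BENIGN_TASK), ("pxt", SUSPICIOUS_TASK)):
        print(name, inspect_task_xml(task))
    print("obfuscated:", looks_base64_obfuscated(OBFUSCATED_PHP))
    print("payload:", extract_base64_payload(OBFUSCATED_PHP))
```

In practice the task XML would be read from the Task Scheduler directory (or from `schtasks /query /xml` output) and the PHP check pointed at the scripts found in the PXT folder; the folder path and php.exe are the page's own indicators, while a task that runs daily is only corroborating context, since plenty of legitimate software schedules daily runs.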
The targeted data includes Facebook account details, sensitive data stored in browsers, browser cookies, cryptocurrency wallet information, and basic system information.
The collected information is no longer exfiltrated to Telegram; instead, it is sent to a JSON-based website that stores account tokens and the data needed for on-device fraud.
How ESOF helps in identifying and remediating malware
To avoid installing the malware, do not click suspicious links in messages or emails, as this can lead to a system infection. Stay alert while browsing the internet, since much malicious material looks legitimate, and only download software from verified and certified websites.
TAC Security’s ESOF is an end-to-end vulnerability management platform. It provides the comprehensive view of vulnerabilities, threats, and risks that enterprise security teams require today. ESOF comprises three high-end products and a VAPT service.
ESOF consists of:
- ESOF VMDR – Identify, evaluate, prioritize, and mitigate all the dominant vulnerabilities and risks in real time across the entire IT landscape via an all-in-one platform.
- ESOF VMP – Provides an aggregate risk meter that incorporates data from the widest view of organizational vulnerabilities.
- ESOF AppSec – A unified vulnerability management solution to detect and protect your web and app assets from risk-based vulnerabilities.
- ESOF VAPT Services – Constantly evolving, as our security professionals stay up to date with the latest vulnerabilities.
Malware attacks are becoming commonplace as cyber criminals operate all over the globe. Using advanced malware analysis techniques, TAC Security is therefore developing products that help remediate all sorts of vulnerabilities in your IT infrastructure.
Download the datasheet to learn more about the products under ESOF.