New PHP version of Ducktail malware hijacks Facebook business accounts

A PHP version of information-stealing malware called Duck tail has been detected in the wild in the form of cracked installers for legitimate apps and games, according to Zscaler’s latest findings.

“Like older versions (.NetCore), the latest version (PHP) aims to exfiltrate sensitive information related to stored browser credentials, Facebook account information, etc.,” according to Zscaler ThreatLabz researchers Tarun Dewan and Stuti Chaturvedi said.

Ducktail, which appeared on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware mainly designed to hijack Facebook business and advertising accounts.

The financially motivated cybercriminal operation was first documented in late July 2022 by Finnish cybersecurity company WithSecure (formerly F-Secure).

While previous versions of the malware used Telegram as a command-and-control (C2) channel to exfiltrate information, the PHP variant discovered in August 2022 connects to a newly hosted website to store the data in JSON format.

Attack chains observed by Zscaler include embedding the malware in ZIP archive files hosted on file-sharing services such as Mediafire[.]com disguised as cracked versions of Microsoft Office, games and pornographic files.

Executing the installer, in turn, activates a PHP script that eventually launches the code responsible for stealing and exfiltrating data from web browsers, cryptocurrency wallets, and Facebook business accounts.

“It appears that the threat actors behind the Ducktail Stealer campaign are continuously making changes or improvements to the delivery mechanisms and approach to steal a variety of sensitive user and system information, targeting users in general,” the researchers said.