Facebook Business accounts hacked via new PHP version of Ducktail Malware

A PHP version of the Ducktail infostealer malware is used to compromise Facebook Business accounts.



New PHP version of Ducktail Malware puts Facebook users at risk

Facebook Business account holders are now exposed to a new threat, which comes in the form of a PHP variant of the Ducktail malware program.

Zscaler, a cloud security company, reported the finding in a blog post on October 13. The new PHP version is distributed by “pretending to be a free/cracked software installer”, with the lure installers posing as popular applications such as Telegram and Microsoft Office.

In this new version of Ducktail, the operators have changed the execution method: the payload is now a PHP script rather than the .NET binary used previously. When the victim runs the fake installer, it displays a message that it is “checking application compatibility” while, in reality, two .tmp files are written to disk.

The second of these files drops the malicious code, which then “performs two processes”: one establishes persistence on the host and the other steals data.
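The infection chain described above (a downloaded "installer" writing files to a temp directory and then running a PHP interpreter against them) is something a defender can hunt for in process-creation telemetry. The following is an added example written for this article, not Zscaler's detection logic and not code from the original post. It applies a constructed heuristic to constructed Sysmon-style process events: flag any PHP interpreter that is itself launched from a user-writable location, that is handed a script living in such a location (whatever its extension, since the page says the dropped files carry a .tmp name), or whose parent process was started from a download or temp folder. The field names, directory markers and sample events are all assumptions made for the example.

```python
"""Hunt heuristic for a fake-installer -> PHP-interpreter execution chain.

Added example only: the markers, field names and events below are constructed
for illustration and are not indicators published for Ducktail.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed: executable names of the PHP CLI interpreters we care about.
PHP_IMAGES = {"php.exe", "php-cgi.exe", "php-win.exe"}

# Assumed: lower-cased path fragments that mark user-writable drop locations.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\packages\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    image: str
    reasons: List[str]


def _norm(path: str) -> str:
    """Lower-case, strip quotes and unify separators so markers match reliably."""
    return path.strip('"').lower().replace("/", "\\")


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def in_user_writable(path: str) -> bool:
    n = _norm(path)
    return any(marker in n for marker in USER_WRITABLE)


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmd)]


def score_event(ev: ProcessEvent) -> Optional[Finding]:
    """Return a Finding when a PHP interpreter shows installer-drop behaviour."""
    if _basename(ev.image) not in PHP_IMAGES:
        return None
    reasons = []
    if in_user_writable(ev.image):
        reasons.append("PHP interpreter runs from a user-writable directory (bundled, not installed)")
    for arg in split_cmdline(ev.command_line)[1:]:
        if arg.startswith("-"):
            continue  # interpreter switch such as -f or -d, not a script path
        if in_user_writable(arg):
            base = _basename(arg)
            ext = base.rsplit(".", 1)[1] if "." in base else ""
            note = "script argument lives in a user-writable directory"
            if ext != "php":
                note += f" and is not a .php file ('.{ext}')" if ext else " and has no extension"
            reasons.append(note)
    if in_user_writable(ev.parent_image):
        reasons.append("parent process was launched from a download/temp location")
    return Finding(ev.image, reasons) if reasons else None


def hunt(events: List[ProcessEvent]) -> List[Finding]:
    return [f for f in (score_event(ev) for ev in events) if f is not None]


# Constructed sample telemetry; none of these paths come from real incidents.
SAMPLE_EVENTS = [
    # Legitimate local dev stack: installed interpreter, script under the web root.
    ProcessEvent(r"C:\xampp\xampp-control.exe", r"C:\xampp\php\php.exe",
                 r"C:\xampp\php\php.exe C:\xampp\htdocs\index.php"),
    # Fake cracked-installer pattern: interpreter and .tmp "script" both in Temp,
    # parent is the freshly downloaded installer.
    ProcessEvent(r"C:\Users\alice\Downloads\Telegram_Pro_Crack_Setup.exe",
                 r"C:\Users\alice\AppData\Local\Temp\php.exe",
                 r'"C:\Users\alice\AppData\Local\Temp\php.exe" "C:\Users\alice\AppData\Local\Temp\is-7F2K1.tmp"'),
    # Unrelated process, never scored.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'),
    # Properly installed interpreter fed a script from Temp: lower confidence, still flagged.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\PHP\php.exe",
                 r'"C:\Program Files\PHP\php.exe" -f C:\Users\bob\AppData\Local\Temp\build.php'),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding.image)
        for reason in finding.reasons:
            print("  -", reason)
```

The number of reasons attached to a finding doubles as a rough confidence score: the fake-installer event collects three (bundled interpreter, non-.php script in Temp, parent in Downloads), while the developer running a temp build script collects one and can be triaged quickly. Tune the directory markers to your own environment before using a heuristic like this at scale.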

Ducktail Malware has been around since 2021

The original version of Ducktail was first observed in late 2021 and was attributed to a Vietnamese operator who used it to hijack Facebook Business and Ads Manager accounts.

In the same blog post, Zscaler discussed the original Ducktail strain, which could “manipulate pages and access financial information”. The attacks were highly targeted and were able to bypass Facebook’s security defenses. Employees in senior roles were singled out because their accounts carried elevated permissions on the company’s Business account.

Ducktail may also attempt to capture two-factor authentication codes in order to defeat that extra layer of account protection. The infostealer targets a range of data, including payment details, email addresses and client information.

User information is still at risk with PHP Infostealer

The PHP variant of the Ducktail infostealer likewise looks for sensitive data that can be exploited for financial gain, and even users who have enabled additional login protections such as two-factor authentication can be at risk.

Payment information is again a focus of the PHP variant, alongside email addresses, payment records, funding sources and account statuses.

Both Ducktail versions are very dangerous

The original Ducktail malware and the PHP variant share many similarities and pose a significant threat to Facebook Business accounts and the sensitive data they hold. Ducktail’s operators may well release further versions of their code to make the attacks more effective; time will tell whether that happens.
