New Ducktail malware targets Facebook accounts to steal data

Share post:

A malware known as Ducktail, which steals Windows information, is being used to steal Facebook accounts, browsing data and crypto wallets.

According to the researchers, most of the counterfeit baits for the campaign relate to games, subtitle files, adult videos and cracked MS Office applications that are hoisted in ZIP format on legitimate services.

Ducktail is written in PHP and was first discovered in July 2022 by researchers from WithSecure. For the new strain, Ducktail has replaced the older .NET Core information-stealing malware used in previous campaigns with one written in PHP.

On Ducktail’s infection chain, once executed, the installation takes place in the background, while the victim sees fake Checkjng Application Compatibility popups in the frontend, waiting for a fake application sent by the scammers to install.

After that, the malware is extracted to the %LocalAppData%\PXT folder, which contains the PHP.exe local interpreter, various scripts used to steal information and supporting tools.

While the targeted data includes extensive Facebook account information, sensitive data stored in browsers, browser cookies, cryptocurrency wallets and account information, and basic system data, the information collected is not exfiltrated to Telegram, but is stored on a JSON website that also stores account tokens and data necessary for fraud on the device.

The sources for this piece include an article in BleepingComputer.


Related articles

London hospitals cancel over 800 operations after ransomware attack

NHS England disclosed today that a recent ransomware attack on Synnovis has led to the cancellation of hundreds...

Microsoft cancels universal Recall release in favor of Windows Insider preview

Microsoft has decided to cancel the wide release of Recall, the controversial tool for Copilot+ PCs, and instead...

Cyber Security Today, Week in Review for week ending Friday, June 14, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, June 14th,...

Cyber Security Today, June 14, 2024 – Employee downloaded a file that led to hospital chain’s ransomware attack

An employee downloaded a file that led to hospital chain's ransomware attack Welcome to Cyber Security Today. It's Friday...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways