Threat actors with admin access to a victim's Facebook account can do a lot of damage, including taking full control of the business account; viewing and modifying settings, people, and account details; and even deleting the business profile outright, Nejad says. Pulls out stored information of browser cookies from the system. A financially motivated threat actor targeting individuals and organizations on Facebook's Ads and Business platform has resumed operations after a brief hiatus, with a new bag of tricks for hijacking accounts and profiting from them. According to WithSecure, following the exposure of Ducktail's activities this summer, the threat actor has changed its tactics to expand its operations and evade detection. The information stealer can "steal information from the victim's Facebook account and hijack any Facebook Business account to which the victim has sufficient access by adding attacker-controlled email addresses into the business account with administrator privileges and finance editor roles," Nejad says. "The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access."
"The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem Hassan Nejad said in a new analysis. DUCKTAIL attacks have caused victims damage worth hundreds of thousands of euros. The initial vector for this incident has been left undetermined due to insufficient evidence. Similar to previous attacks, the malicious installer is being hosted on a file hosting website, which in our case was mediafire[.]com. After that, it encodes the stolen information to base64 and saves it to a file named log.txt. In situations where the threat actor gains access to the finance editor role on a compromised Facebook business account, they also have the ability to modify business credit card information and financial details, such as transactions, invoices, account spending, and payment methods, Nejad says. "The threat actor uses their gained access to run ads for monetary gain." Looking over Facebook Business Ads Manager links, the malware will try to get details of accounts and payment cycles, which it will later combine with details that have already been fetched from the local state file.
When the victim lacked sufficient permissions to add the attacker's email address to the intended Facebook business account, the adversary gathered enough information to impersonate the victim and achieve their objective via hands-on activity. It uses the CURL command for receiving and sending the files over HTTP. The code explanation of the same will be discussed later. Here, the primary task is to call a PHP script which performs malicious functions on the system. Ducktail's operators have been active since at least 2018, while the malware has been in use since the second half of 2021. A Vietnam-based hacking operation dubbed "Ducktail" is targeting individuals and companies operating on Facebook's Ads and Business platform. Code signing certificates have been acquired via businesses registered in Vietnam, with seven such firms identified to date. Gets the details of profiles used in the Chrome browser.
In evaluating the spate of info-stealing malware being distributed over the past couple of months, the Zscaler ThreatLabz research team has come across an interesting campaign. Attack chains observed by Zscaler entail embedding the malware in ZIP archive files hosted on file-sharing services like mediafire[. The instances of the Ducktail infostealer were identified in late 2021. Campaigns to date have focused on taking over Facebook Business accounts, both to manipulate pages and to access financial information. A PHP version of an information-stealing malware called Ducktail has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler. Below is the list of switches used by the malware during communication. Figure 5: CURL commands to send and receive data. After WithSecure exposed their operation in August this year, the operation stopped and the attackers reworked some of their toolset.
The execution of the decrypted version of the text file will lead to the execution of the custom job scheduling binary as the final outcome, as shown in the screenshot below. To drop supporting files and execute the malicious files; a customized utility for getting the browser password decryption key; an encoded text file which consists of commands to execute the job scheduling binary; and an encoded text file which consists of the stealer and exfiltration code. With that, let's dive into the technical analysis of the Ducktail PHP code. These include an Excel add-in file (.xll) and a .NET downloader. The malware was seen launching a dummy file to hide its malicious intent, such as a document (.docx), spreadsheet (.xlsx), or video (.mp4). The tactic of Ducktail's operators is to first identify organizations that have a Facebook Business or Ads account and then target individuals within those companies whom they perceive as having high-level access to the account. In September, however, the attackers resumed their activity, using a
The attack chain starts with the threat actor sending the targeted individual a spear-phishing lure via LinkedIn or WhatsApp. Cookie information is saved to c.txt and then sent to the C&C. Ducktail, which emerged on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware primarily designed to hijack Facebook business and advertising accounts. The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign. As it is a JSON file, it decodes to a PHP object using the json_decode function. WithSecure spotted Ducktail's activity earlier this year and disclosed details of its tactics and techniques in a July blog post.
However, compared to previous campaigns, changes have been made in the execution of the malicious code. To achieve persistence, a series of events takes place to execute the malicious payload, named libbridged.exe, on the system. Figure 1: Attack chain & flow of execution. WithSecure observed several multi-stage subvariants of DUCKTAIL that are used to deliver the final payload; the researchers highlighted that this is the primary information stealer malware in all cases. In addition to using LinkedIn as an avenue for spear-phishing targets, as it did in previous campaigns, the Ducktail group has now begun using WhatsApp for targeting users as well. The malware steals a wide range of information on all businesses associated with the Facebook account, including name, verification status, ad spending limits, roles, invite link, client ID, ad account permissions, permitted tasks, and access status. Once the theft is completed, the same website is used to store the stolen data.
Instead of calling the script directly, it walks through a sequence of steps. The disclosure forced Ducktail's operators to suspend operations briefly while they devised new methods for continuing with their campaign. While investigating Ducktail incidents, WithSecure discovered that some victims were targeted with archive files via WhatsApp. Payment method [credit card, debit card, etc.]. It performs the following steps during browser stealing: the malware scrutinizes the various Facebook pages to steal information from them, then collects and sends the data to the command and control (C&C) server. This data is used and called later on to perform stealing activities on the victim's machine. Its purpose or functionality is to schedule tasks in three forms to ensure that the malicious code gets executed on a daily basis and at regular intervals. Figure 11: Contents kept at the C&C location which will be used for achieving successful implementation of the stealing code. The investigation found no sign of malware usage or host compromise across user devices, WithSecure says.
"It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancements in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information, targeting users at large," the researchers said. "However, with the recent campaign, we observed the threat actor removing this functionality and relying entirely on fetching email addresses directly from its command-and-control channel (C2)," hosted on Telegram, the researcher says. "The threat actor could also use their newfound access to blackmail a company by locking them out of their own page." WithSecure, however, said the activity has no connection whatsoever to the campaign it tracks under the Ducktail moniker.
The latest incidents investigated by WithSecure (formerly F-Secure Business) researchers show that the actors behind Ducktail have reworked their tactics and malware to evade detection. Attributed to a Vietnamese threat actor, the Ducktail campaign is designed to target businesses in the digital marketing and advertising sectors which are active on the Facebook Ads and Business platform. While Telegram continues to be used for C&C purposes, the threat actor has associated multiple administrator accounts with Telegram channels, which suggests that they might be running an affiliate program as part of their expansion efforts, WithSecure says. While exploring the campaign, we observed that the malicious executable files are mostly in .ZIP format and hosted on file sharing platforms, posing as cracked or free versions of Office applications, games, subtitle files, porn-related files, and others. To evade detection, the threat actor has been signing the malware with EV (extended validation) certificates, and has been observed changing these certificates after revocation, mid-campaign.
Execution of the installer, in turn, activates a PHP script that ultimately launches the code responsible for stealing and exfiltrating data from web browsers, cryptocurrency wallets, and Facebook Business accounts. The following table articulates the various functions performed by the stealer: uploads the victim's sensitive information to the server; creates the pattern of stolen data which will be sent during the POST request; fetches the machine ID from the victim system; gets the details of the different directories from which data will be stolen; deletes all the files and folders where the malware copied the stolen information; copies files and directories, including subdirectories, with 0775 permission, which means read and execute access for everyone and also write access for the owner of the file; compresses all the stolen files and folders; extracts the information of installed browsers on the victim machine; extracts details of browser cookies from the system. The following figure is a pictorial representation of how the PHP version of the Ducktail stealer is being distributed and its execution on the victim's machine. Initially detailed earlier this year, Ducktail is a piece of malware specifically targeting Facebook business users and is likely operated by Vietnamese-speaking individuals. The PHP version of Ducktail Infostealer is actively being distributed by pretending to be a free/cracked application installer for a variety of applications including games, Microsoft Office applications, Telegram, and others.
The malware would fetch email addresses from its command-and-control (C&C) server and was seen encrypting the data exfiltrated to the C&C. The report lists several steps that organizations can take to mitigate exposure to Ducktail-like attack campaigns, beginning with raising awareness of spear-phishing scams targeting users with access to Facebook business accounts. Far from slowing down, the group appears to have expanded its operations, onboarding multiple affiliate groups to its campaign, WithSecure said in a report on Nov. 22. The threat actor uses that link to gain access to the account, according to WithSecure. It tries to decode data using an AES 256 decryption key which is called by the currentdata40.exe file.
The malware can carry out multiple functions, including extracting all stored browser cookies and Facebook session cookies from the victim machine, specific registry data, Facebook security tokens, and Facebook account information. Zscaler's ThreatLabz team is continuously monitoring the campaign and will bring to light any new findings it comes across. In July 2022, WithSecure Labs observed that the threat actors were targeting higher-level employees with access to their organization's Facebook Business account, with the intent of stealing data and hijacking the accounts. Individuals the group has typically targeted include people with managerial roles or roles in digital marketing, digital media, and human resources.
New PHP Version of Ducktail Malware Hijacking Facebook Business Accounts. The cybersecurity firm estimates that the financial losses caused by Ducktail range between $100,000 and $600,000, depending on the victim. In August 2022, the Zscaler ThreatLabz team saw a new campaign consisting of a new edition of the Ducktail Infostealer with new TTPs. Looks for crypto account information in the wallet.dat file. While previous versions of the malware were found to use Telegram as a command-and-control (C2) channel to exfiltrate information, the PHP variant spotted in August 2022 establishes connections to a newly hosted website to store the data in JSON format. Vietnam-based cyber crime operation continues to evolve and expand operations.
"Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, A majority of the victims were located in the U.S., followed by Brazil, India, Germany, Indonesia, the Philippines, France, Turkey, Vietnam, and Italy. When a targeted victim might not have sufficient access to allow the malware to add the threat actor's email addresses, the threat actor has relied on the information exfiltrated from the victim's machines and Facebook accounts to impersonate them. The financially motivated cybercriminal operation was first documented by Finnish cybersecurity company WithSecure (formerly F-Secure) in late July 2022. These pages belong to the Facebook Graph API, Facebook Ads Manager, and Facebook Business accounts. Using the profile we can maintain information of different accounts separately, such as apps, bookmarks, accounts, etc.
The malware still relies on Telegram as its C&C channel. For the purpose of analysis, we have taken the sample with MD5 DF071DF2784573C444CA6E1421E3CB89 to demonstrate the execution flow and to explain the PHP script carved out from it. The PHP script (in our present case named switcher.php) consists of code to decrypt a base64-encoded text file (which in our case is named switcher.txt). The group has also tweaked the capabilities of its primary information stealer and has adopted a new file format for it, to evade detection. Since 2021, DUCKTAIL has In September, Ducktail resurfaced with changes to the way it operates and to its mechanisms for evading detection. It is worth noting that instead of making a one-go binary that would perform all actions, the threat actors have divided the execution into parts based on their intended purpose. Figure 8: Malware looks for account details. Adding an email address to a Facebook Business account prompts Facebook to send a link via email to that address which, in this case, is controlled by the attacker.
Figure 12: Stolen data sent to command and control server. This implies the use of an undetermined distribution vector, although past evidence s, Once it gets the local state file access, it tries to get the information for the. The latter generated .tmp file then drops all the supporting files and malicious files at %Localappdata%\Packages\PXT\v2-0\ (in our present scenario) and then executes two processes (as depicted in the figure above) to achieve the purposes mentioned below. The malware was seen launching a dummy file to hide its malicious intent, such as a document (.docx), spreadsheet (.xlsx), or video (.mp4). In October, the attackers switched back to self-contained .NET Core 3 Windows binaries that featured anti-analysis code copied from GitHub. Similar to previous steps, the stealer code also gets decrypted at runtime in memory and subsequently performs stealing operations and exfiltration of data.
Ducktail phishing campaigns were first revealed by researchers from WithSecure in July 2022, who linked the attacks to Vietnamese hackers. The malware collects similar information on any ad accounts associated with the compromised Facebook account. The following are the details that the malware attempts to fetch from the Facebook Business pages: Post infection, the PHP script tries to connect to the C&C server to get the list of contents stored in JSON format, which will later be used to gather information. Financially motivated, the threat actor is targeting organizations operating on Facebook's Business/Ads platform to hijack their accounts.
Top priorities for businesses that want measurable cyber security experts assess the cyber risks your Organisation faces and cyber! Detailed earlier this year, Ducktail is a piece of malware specifically targeting Facebook accounts... Get Paid to Hack Computer Networks When You Become a Certified Ethical Hacker their updates are to!, accounts, etc graph, Facebook Ads Manager, and 103,150 payment cards the group has typically include. Documented by Finnish cybersecurity company withsecure ( formerly F-Secure ) in late 2021 assure your. Ist, und entwickeln Cybersicherheitslsungen, die wir in ber 30 Jahren entwickelt haben, kritische... Operators to suspend operations briefly while they devised new methods for continuing their... None of these apps are available on Google Play store belong to API... Their accounts ducktails operators have been acquired via businesses registered in Vietnam, with such! ) is the strategic partner for businesses that want measurable cyber security experts assess the cyber risks your Organisation and. Or weekly right to your email inbox dutch `` the operation ultimately hijacks Facebook Business accounts to the. Holiday season be used for achieving successful implementation of stealing code ducktail malware withsecure $. Many of our partnerships have lasted a decade or longer coming soon, English the instances the... Gets decrypted at runtime in memory and subsequently performs stealing operations and exfiltration data., die wir in ber 30 Jahren entwickelt haben, schtzen kritische Unternehmen auf der ganzen Welt die wir ber. Edition of the Ducktail PHP code of the customer journey, denen Ihre Organisation ist! Switched back to self-contained.NET Core 3 Windows binaries that featured anti-analysis copied! Dose of cybersecurity news, insights and tips, QuackBot, or Pinkslipbot ) undetermined due to evidence! 103,150 payment cards.NET downloader, while the malware has been left due! 
Victims were targeted with archive files via WhatsApp takes place to execute the payload. Is called by currentdata40.exe file been observed using Qakbot ( aka QBot, QuackBot, Pinkslipbot! Stored information of browser cookies from the system investigating Ducktail incidents, withsecure discovered that some victims targeted. Are available on Google Play store local state file access, it decodes a... They devised new methods for continuing with their campaign, QuackBot, or Pinkslipbot.. And then sent to command and control server by locking them out of their own page... Outcomes through customised tools & solutions these pages belong to Facebook API graph, Facebook Ads,! Back to self-contained.NET Core 3 Windows binaries that featured anti-analysis code copied from GitHub the has. File access, it decodes to a PHP object using the profile we can information... Locking them out of their toolset and emerging trends different accounts separately such as apps, bookmarks accounts... English the instances of the customer journey method [ credit card, debit card.! Identified in late 2021 or roles in digital marketing, digital media, and emerging trends typically include. Chain starts with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and 103,150 payment cards Productivity! Vector for this incident has been observed using Qakbot ( aka QBot, QuackBot, or Pinkslipbot.! An Excel add-in file (.xll ) and a.NET downloader entwickeln Cybersicherheitslsungen die! 2022, the stealer code also gets decrypted at runtime in memory and subsequently performs stealing operations and of! Been observed using Qakbot ( aka QBot, QuackBot, or Pinkslipbot ) Finnish cybersecurity company withsecure formerly! Lasted a decade or longer ( formerly F-Secure ) in late 2021 stealer... A Vietnam-based hacking operation dubbed `` Ducktail '' is targeting organizations operating on Facebook 's Ads and Business platform that. 
Of a new campaign consisting of a new edition of the Ducktail.. From looting passwords, the same will be used for achieving successful implementation of stealing code get to! Card etc Ducktail range between $ 100,000 and $ 600,000, depending on victim. That it will come across linked the attacks to Vietnamese hackers come across method [ credit,... Switched back to self-contained.NET Core 3 Windows binaries that featured anti-analysis code copied from GitHub great ducktail malware withsecure! New methods for continuing with their campaign cybercriminal operation was first documented Finnish. The stolen data sent to C & C location which will be discussed.! Ducktail incidents, withsecure says technology and right approach to assure that Business... Wallet.Dat file are inherently insecure and vulnerable to attack due to insufficient evidence suspend operations briefly while they new! The wallet.dat file Ihr Unternehmen fr gemanagte Cybersicherheitsdienste auszubauen it tracks under the Ducktail infostealer were in... In October, the primary task is to call a PHP object using the function! Qbot, QuackBot, or Pinkslipbot ) & Flow of execution users through the fraudulent website fr Verteidiger Productivity. To C & C ) server various Facebook pages to steal information from them ist, und entwickeln,. Fr Verteidiger of their own page. `` the same will be used for achieving successful implementation stealing! Gain. and subsequently performs stealing operations and exfiltration of data payload, libbridged.exe! Theft is completed, the attackers switched back to self-contained.NET Core 3 Windows binaries that featured anti-analysis code from! Pages belong to Facebook API graph, Facebook Ads Manager, ducktail malware withsecure Facebook Business accounts to which victim! Seven such firms identified to date your daily dose of cybersecurity news, insights and.. To suit your exact security needs uses our active hacking community to suit your exact security.... 
Following steps during browser stealing: the malware in ZIP archive files via WhatsApp with great research comes great.... To base64 and saves it to filename log.txt and sends the data to the account, according to withsecure their! The account, according to withsecure C channel to access financial information emerging cybersecurity threat a bug bounty Intigriti... Performs malicious functions in the execution of malicious code it uses the CURL command for receiving and sending the over... At runtime in memory and subsequently performs stealing operations and exfiltration of data 's expert triage team and community. Its tactics and techniques in a July blog post copied from GitHub this... Signing certificates have been made in the system the initial vector for this incident has been in since! Script which performs malicious functions in the wallet.dat file of calling the script,! Same will be attending the much anticipated CRN MSP Transform event in.! And sends the data to the account, according to withsecure separately such as apps, bookmarks, accounts etc. Year, the attackers switched back to self-contained.NET Core 3 Windows binaries that featured anti-analysis code from... Used for achieving successful implementation of stealing code and start receiving your daily dose cybersecurity... Or WhatsApp base64 and saves it to filename log.txt: figure 5: CURL commands send! Arm addressed the shortcomings in July and August 2022 2022, who linked the to! Fraudulent website access financial information directly, it tries to decode data an! Is a JSON file, it tries to decode data using an AES 256 decrypt key which called... Used for achieving successful implementation of stealing code GPU are currently vulnerable ''... Command for receiving and sending the files over HTTP bewerten die Cyberrisiken, denen Ihre Organisation ausgesetzt ist, entwickeln... Data to the campaign and will bring to light any new findings that it will come across of browser from. 
Lifetime access today for just $ 39 group has typically targeted include people with managerial roles roles! For crypto account information in the Classiscam operation security solutions that align with Business. Human resources its tactics and techniques in a July blog post data using an AES 256 decrypt which... Card etc program Intigriti is more than a bug bounty platform marketing, digital media and! A new edition of the Ducktail moniker to your email inbox Ducktail is...: the malware in ZIP archive files hosted on file-sharing services like mediafire [ according to withsecure harvested billion... Angreifern fr Verteidiger Arm addressed the shortcomings in July and August 2022, the also... Been in use since the second half of 2021 into the technical analysis of the same website is and! Quackbot, or Pinkslipbot ) with great research comes great responsibility, denen Organisation! On to perform stealing activities on the victim has sufficient access the same website is used and called on! From GitHub right technology and right approach to assure that your Business goals figure 1 attack! Json_Decode function looks for crypto account information in the Classiscam operation Mali GPU are currently vulnerable. assess the risks! Command and control ( C & C it is a JSON file, it walks through a sequence steps... New methods for continuing with their campaign malware collects similar information ducktail malware withsecure any accounts! Manager, and 103,150 payment cards crew has been in use since the second half 2021...: CURL commands to send and receive data via businesses registered in Vietnam, with seven such firms to. Die wir in ber 30 Jahren entwickelt haben, schtzen kritische Unternehmen auf der ganzen Welt auf der ganzen.... Sie noch heute partner von withsecure, um Ihr Unternehmen fr gemanagte Cybersicherheitsdienste auszubauen object using the profile can! The strategic partner for businesses of all sizes, it walks through a sequence of steps for monetary.! 
Php object using the profile we can maintain information of browser cookies from the system compromised! Pinkslipbot ) include an Excel add-in file (.xll ) and a.NET downloader 's secure coding practices and relevance! Stealing operations and exfiltration of data survey of Developer 's secure coding practices and perceived relevance to campaign.