A phishing campaign is spreading brand new malware targeting Facebook users

Ducktail, the notorious phishing company that hijacks Facebook accounts that run ad campaigns for businesses, is now spreading a brand new information theft malware.

According to researchers according to Zscaler (opens in a new tab)Ducktail previously used LinkedIn to distribute malware written in .NET Core that could steal Facebook Business account data stored in web browser and filtered it into a private Telegram channel that acted as the malware’s command and control (C2) server, communicating with target systems to coordinate cyberattacks.

However, Ducktail has now been spotted spreading a new variant of the malware that can not only steal data near Facebook, but also other sensitive data stored in browsers, such as data related to cryptocurrency wallets, account information and basic system data.

Browser data theft

C2 has also been changed – the data no longer goes to the Telegram channel, but to the JSON website, which also stores account tokens and other data necessary for fraud on the device.

Zscaler also claimed that the malware was distributed as an archive file uploaded to a legitimate file hosting service. The attackers, according to them, made sure that the malicious program was not noticed antivirus software loading into memory only.

Users can reduce the damage caused by Ducktail and other malware by switching to an anonymous browseror simply by making sure that sensitive information is not stored in your chosen browser.

This is especially important because when malicious programs break end point with a Facebook Business account, they can search for additional sensitive financial information, such as PayPal details. This includes amounts spent on specific purchases, verification statuses, and more.

In most cases, attackers use malware to try to trick people into downloading it by posing as movie subtitle files, adult content, or cracks for illegitimate software.

While it’s true that Ducktail’s new infostealer can evade antivirus software, software that comes with built-in web protection can still help against it by blocking access to suspicious sites that might use it.

Via: BleepingComputer (opens in a new tab)