Vietnamese attacker circumvents Facebook security with ‘DUCKTAIL’ malware

Security vendor WithSecure, which was spun out in March 2022 as F-Secure’s enterprise security arm, claims it’s found malware that targets Facebook Business accounts.

“The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware,” states WithSecure’s report on the campaign.

“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to.”

WithSecure has name the malware “DUCKTAIL” and is confident it’s run by a Vietnamese entity that attacks by first scouting for companies that operate on Facebook’s Business/Ads platform and then looking for people likely to have admin access to those accounts.

“We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted,” the vendor’s report states.

Once the attacker finds a mark, it tries to get them to click on a file with a name that appears relevant to their business but is malware.

The malware appears to have been coded using .NET Core and gets to work scanning victims’ browser for the presence of Facebook session cookies.

If those cookies are found, the malware “directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account.”

Interactions with Facebook appear benign to The Social Network™, which allows the malware to prowl for more security tokens and even attempt to detect and then subvert two factor authentication.

• Meta proposes doing away with leap seconds
• South Korean regulator fears Meta's collecting too much data with revised T&Cs
• Scam victims find same fraudulent ads lurking on Facebook and Google even after flagging them up

The aim of the game for this attacker is account takeover, as doing so allows a legitimate user’s credit card details to pay for ads run by other businesses.

WithSecure’s analysts believe the attacker has been probing Facebook’s security for up to three years and has successfully adapted DUCKTAIL to cope with changes the social network hoped would harden its systems.

The attack’s impact on victims – lost money – is obvious and painful. The impact on Facebook’s credibility is also considerable, in two dimensions.

For starters it again shows the site’s security is worryingly porous: in 2020 Facebook techies ‘fessed up to the existence of a long-running malware campaign named “SilentFade” that also allowed attackers to buy ads using victims’ accounts. WithSecure asserts that whoever is behind DUCKTAIL has been active since 2018 and has focussed on Facebook since the second half of 2021.

The other dimension is that Facebook constantly fights ad fraud, with limited success that increasingly attracts advertisers’ ire. News that another malware campaign has further complicated calculations of which ads are real, and offers an avenue to publishers of dodgy ads, will not go down well among marketers who feel pressure to measure the impact of the ad dollars they are authorised to spend. ®