With Great Research Comes Great Responsibility.

Welcome to our research and development platform: WithSecure Labs. Here we dissect industry news and trends, publish research, and share our tools with the security community.

DUCKTAIL: An infostealer malware targeting Facebook Business accounts

By Mohammad Kazem Hassan Nejad on 26 July, 2022

WithSecure™ has discovered an ongoing operation (dubbed "DUCKTAIL") that targets individuals and organizations that operate on Facebook’s Business and Ads platform.

The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware. The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to.

Based upon analysis and gathered data, we have determined that the operation is conducted by a Vietnamese threat actor. The chain of evidence suggests that the threat actor’s motives are financially driven.

A full report containing detailed analysis of DUCKTAIL’s malware component, recommendations and protection, as well as appendices containing indicators of compromise, detection opportunities, and MITRE ATT&CK techniques can be found in the PDF report.

Read more

Rethinking Credential Theft

By Robert Bearsby and Timo Hirvonen on 14 February, 2020

Read more

Publications

DUCKTAIL: An infostealer malware targeting Facebook Business accounts

Jul 26, 2022

Printing Shellz

Nov 30, 2021

Threat Intelligence Report: Lazarus Group Campaign Targeting the Cryptocurrency Vertical

Aug 25, 2020
tools

Detectree: Detection Visualisation for Blue Teams

By Thomas Barrow on 21 July, 2022

Read more

The Fake Cisco

By Dmitry Janushkevich on 15 July, 2020

Read more

Tools

The following are recent tools published by WithSecure Labs.

Read more

Latest Tools

Detectree: Detection Visualisation for Blue Teams

“We can easily see patterns presented in certain ways, but if they are presented in other ways, they become invisible” – Colin Ware, Information Visualization: Perception for Design (Elsevier, 1999) Detectree is…

Metasploit Modules for RCE in Apache NiFi and Kong API Gateway

Two exploit modules for the Metasploit framework to assist consultants in verifying vulnerabilities when encountering Kong API Gateway and Apache NiFi on network security assessments.

awspx

auspex [ˈau̯s. pɛks] noun: An augur of ancient Rome, especially one who interpreted omens derived from the observation of birds.

See all

var/log/messages

Spoofing Call Stacks To Confuse EDRs

Jun 30, 2022

Scheduled Task Tampering

May 04, 2022

Faking Another Positive COVID Test

Apr 21, 2022

Detecting Attacks against Azure DevOps

Apr 05, 2022

Faking A Positive COVID Test

By Ken Gannon on 21 December, 2021

Read more