DUCKTAIL returns: Underneath the ruffled feathers

By Mohammad Kazem Hassan Nejad on 22 November 2022 

WithSecure continues to shed light on a financially motivated malware operation, dubbed DUCKTAIL

In late July 2022, WithSecure shed light on a financially motivated malware operation, dubbed DUCKTAIL, that targets individuals and businesses operating on the Facebook Ads and Business platforms.

In short, the operation consists of an information stealer delivered to targeted victims who primarily operate in the digital marketing and advertising space. The malware is designed to steal browser cookies and abuse authenticated Facebook sessions to exfiltrate information from the victim's Facebook account. The operation ultimately hijacks any Facebook Business account to which the victim has sufficient access, and the threat actor uses that access to run ads for monetary gain.

After a short hiatus, the DUCKTAIL campaign returned with slight changes in their mode of operation. In this report, we’ll discuss what we have discovered since our original analysis was published.

You may find additional information about DUCKTAIL in our first report available at: https://labs.withsecure.com/publications/ducktail