Meet the Ducks: Vietnamese threat groups targeting Meta Business accounts

Social media presents the biggest amalgamation of people and businesses in today’s connected world, with an estimated 4.9 billion people using these services. Social media also provides organizations with a platform to engage the world around them - capabilities the majority of businesses take advantage of in one way or another.

While the incentives are high for businesses to leverage social media for their own benefit, these platforms provide adversaries, with different intent and capabilities, with other opportunities. The adversarial challenges presented by these platforms are extensive, dynamic, complex, and most importantly, harmful.

In this report we share an overview of current and emerging threats surrounding Meta's ad ecosystem that are pre-dominantly originating out of Vietnam. Additionally, we will share an update on the infamous DUCKTAIL operation exposed in our previous reports DUCKTAIL: An infostealer malware targeting Facebook Business accounts and DUCKTAIL returns: Underneath the ruffled feathers. Lastly, we will introduce an emerging threat dubbed “DUCKPORT” which has striking similarities to DUCKTAIL, but with important and distinct functionalities, TTPs, and history.

If you believe your business has been targeted or fallen victim to the same or similar attack and require assistance, you can reach out to our 24/7 incident hotline Emergency Cyber Security Incident Response | WithSecure™. If you like to collaborate on future research with WithSecure Intelligence, you may reach out at wit-data-driven-threat-insights@withsecure.com .