Attackers employ LinkedIn to steal data from Facebook Business users

A phishing campaign dubbed ‘Ducktail’ combines online tracking practices with info-stealing malware to hijack Facebook Business accounts.

The campaign, uncovered by researchers at cybersecurity firm WithSecure, targets users with admin-level access to their company’s social media accounts.

While the researchers could not determine how successful the phishing campaign was if, at all, threat actors behind the operation continuously updated malware used for Ducktail. The behavior suggests at least some level of success in bypassing existing Facebook security features.

WithSecure believes the campaign has been going on at least since the end of 2021, and the attacks were carried out by a Vietnamese threat actor. The attackers have likely been active in the cyber underworld since 2018.

Researchers claim that the Ducktail campaign has been carried out meticulously, specifically targeting users with high-level access to social media accounts.

“We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted,” reads the report.

In some instances, the info-stealing malware was delivered via LinkedIn, while samples of the malicious software were hosted on Dropbox, iCloud, and MediaFire.

Info-stealer was hidden in archive files alongside related images, documents, and video files. Victims of the attack were lured in by naming the files with keywords related to brands, products, and project planning.

“Some of the observed samples had country names appended to the file name, which indicates that the threat actor tailors the file name based on the target’s locality. This indicates that the threat actor was aware of the victim’s locations ahead of time,” the report said.

Laser focused campaign

Researchers claim that the malware was hidden inside a PDF file in the archive. When executed, the .NET Core-based malware scans for browser cookies on Chrome, Edge, Brave, and Firefox browsers.

Once the scan is complete, the malware extracts all stored cookies, including any Facebook session cookie. Researchers claim that the malware directly interacts with various Facebook endpoints from the victim’s machine, using the Facebook session cookie to extract information from the victim’s Facebook account.

Moreover, all requests made to Facebook are made to look as if they’re coming from the user’s primary browser. WithSecure believes this step was designed to bypass Facebook’s security features.

Ducktail uses LinkedIn to target Facebook Business users
Some of the filed hidden in an infected archive. Image by WithSecure. Edited by Cybernews.

This way, malware operators could obtain cookies, IP addresses, 2FA codes, geolocation data, and account information with name, email, birthday, and user ID, allowing the attackers to replicate this access from their machine.

On the business end of the attack, threat actors would get their hand on name, verification status, ad account limits, pending users, and clients.

“One of the unique features of the malware is its ability to hijack Facebook Business accounts associated with the victim’s Facebook account. It attempts to grant the threat actor’s emails access to the business with the highest privilege roles,” reads the report.

With the right information collected, the threat actor can use the mechanism representing the standard procedure for granting individuals access to Facebook Business, bypassing the platform’s security features.

Researchers deemed that threat actors behind the operation use Telegrams as their command and control (C2) channel, using the functionality of Telegram Bot to their advantage.