Ducktail, a Vietnam-based operation known for phishing its victims on LinkedIn, has added WhatsApp as a new avenue for spear-phishing its targets.
WithSecure, formerly known as F-Secure, believes Ducktail has been active since at least 2021, and there are no signs that the gang will slow down any time soon.
"We see them evolve rapidly in the face of operational setbacks. Up to this point, the operational team behind Ducktail was seemingly small, but that has changed," said WithSecure researcher Mohammad Kazem Hassan Nejad.
Ducktail has been observed using LinkedIn to target organizations and individuals that operate on Facebook's Ads and Business platform, with the goal of hijacking their Facebook Business accounts.
According to WithSecure, since its activities were exposed this summer, the threat actor has changed tactics to expand its operations and evade detection.
Ducktail operators have added new avenues for phishing their targets, such as WhatsApp. The threat actor typically hides its info-stealing malware in an archive file alongside related images, documents, and video files, and lures victims by naming the files with keywords related to brands, products, and project planning.
The gang has also developed a more robust way of retrieving attacker-controlled email addresses, and it makes the malware look more legitimate by opening decoy documents and video files when it launches.
Ducktail puts considerable effort into evading detection: it varies the malware's file format and compilation method and countersigns its binaries with certificates.
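The delivery pattern described above (an executable bundled in an archive with decoy images, documents and videos, under brand- or project-themed names) is something a mail or endpoint gateway can screen for. The following Python script is an added example, not code from the original article or from WithSecure: it builds a constructed sample ZIP in memory and flags archives that combine an executable with decoy media, a double extension such as `.pdf.exe`, or lure keywords in file names. The extension lists, keyword list and sample file names are assumptions chosen for illustration, not indicators taken from the report.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Illustrative lists (assumptions for this example, not from the WithSecure report).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".msi", ".js", ".vbs", ".lnk", ".hta"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
              ".xlsx", ".pptx", ".mp4", ".mov"}
# Lure vocabulary the article mentions: brands, products, project planning.
LURE_RE = re.compile(r"brand|product|project|plan|campaign|marketing|guideline",
                     re.IGNORECASE)
# "report.pdf.exe"-style double extensions: decoy type followed by an executable type.
DOUBLE_EXT_RE = re.compile(
    r"\.(jpe?g|png|gif|pdf|docx?|xlsx|pptx|mp4|mov)"
    r"\.(exe|scr|com|pif|bat|cmd|msi|js|vbs|lnk|hta)$", re.IGNORECASE)


def _suffix(member: str) -> str:
    # ZIP member names use forward slashes, so PurePosixPath is the right parser.
    return PurePosixPath(member).suffix.lower()


def analyse_archive(data: bytes, archive_name: str = "") -> dict:
    """Return indicators for a ZIP held in memory.

    'suspicious' is set when an executable is packaged together with decoy
    media/document files, which is the bundling pattern described in the article.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
    executables = [m for m in members if _suffix(m) in EXECUTABLE_EXTS]
    decoys = [m for m in members if _suffix(m) in DECOY_EXTS]
    double_extension = [m for m in members if DOUBLE_EXT_RE.search(m)]
    lure_names = [n for n in [archive_name, *members] if n and LURE_RE.search(n)]
    return {
        "members": members,
        "executables": executables,
        "decoys": decoys,
        "double_extension": double_extension,
        "lure_names": lure_names,
        "suspicious": bool(executables) and bool(decoys),
    }


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample data: a Ducktail-style bundle or a harmless photo archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            zf.writestr("Brand_Guidelines_2022/logo.png", b"\x89PNG fake image")
            zf.writestr("Brand_Guidelines_2022/Marketing Plan Q4.pdf", b"%PDF-1.4 fake")
            zf.writestr("Brand_Guidelines_2022/promo.mp4", b"fake video")
            # The payload: an executable disguised with a document-looking name.
            zf.writestr("Brand_Guidelines_2022/Product_Catalog.pdf.exe", b"MZ fake exe")
        else:
            zf.writestr("photos/beach.jpg", b"\xff\xd8 fake jpeg")
            zf.writestr("photos/sunset.png", b"\x89PNG fake image")
    return buf.getvalue()


if __name__ == "__main__":
    for name, flag in (("Brand_Project_Plan.zip", True), ("photos.zip", False)):
        verdict = analyse_archive(build_sample_archive(flag), name)
        print(name, "suspicious" if verdict["suspicious"] else "clean",
              "executables:", verdict["executables"],
              "double-ext:", verdict["double_extension"])
```

The check deliberately keys on the combination (payload plus decoys) rather than on any single extension, since a lone executable in a ZIP is common in legitimate software distribution; pair it with the signing-certificate and file-format variation noted above, and do not expect a fixed hash or certificate to stay useful for long.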
WithSecure says the gang is expanding its operations by setting up additional fake businesses in Vietnam and onboarding affiliates.
Losses from attacks targeting Facebook's Ads and Business platform range from one to six hundred thousand dollars in advertising credits.
Companies find these attacks difficult to investigate because there is often no separation between employees' personal and business accounts.
"Using the same resources for both personal and business can be quite problematic. For example, investigating a possible Ducktail incident may require logs about an individual's Facebook history, which can have many unanticipated operational, ethical, and legal implications. It's an issue that concerns organizations and their employees, so they both need to understand the risks in these situations," WithSecure Global Head of Incident Response John Rogers said.