Malicious actors associated with the Vietnamese cybercrime ecosystem are leveraging advertising-as-a-vector on social media platforms such as Meta-owned Facebook to distribute malware.
“Threat actors have long used fraudulent ads as a vector to target victims with scams, malvertising, and more,” WithSecure researcher Mohammad Kazem Hassan Nejad said. “And with businesses now leveraging the reach of social media for advertising, attackers have a new, highly-lucrative type of attack to add to their arsenal – hijacking business accounts.”
Cyber attacks targeting Meta Business and Facebook accounts have gained popularity over the past year, courtesy of activity clusters such as Ducktail and NodeStealer that are known to raid businesses and individuals operating on Facebook.
Among the methods employed by cybercriminals to gain unauthorized access to user accounts, social engineering plays a significant role.
Victims are approached via various platforms ranging from Facebook and LinkedIn to WhatsApp and freelance job portals like Upwork. Another known distribution mechanism is the use of search engine poisoning to promote bogus software such as CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.
A trait common to these groups is the abuse of URL shortener services, Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host the malicious payloads.
The actors behind Ducktail, for instance, leverage lures related to brand and marketing projects to infiltrate individuals and businesses that operate on Meta’s Business platform, with new attack waves employing job and recruitment-related themes to trigger the infection.
In these attacks, potential targets are directed to bogus postings on Upwork and Freelancer via Facebook ads or LinkedIn InMail, which, in turn, contain a link to a booby-trapped job description file hosted on one of the aforementioned cloud storage providers, ultimately leading to the deployment of the Ducktail stealer malware.
“Ducktail malware steals saved session cookies from browsers, with code specifically tailored to take over Facebook business accounts,” Zscaler ThreatLabz researchers Sudeep Singh and Naveen Selvan noted in a parallel analysis, stating the accounts sell for anywhere between $15 to $340.
“The ‘products’ of the operation (i.e. hacked social media accounts) feed an underground economy of stolen social media accounts, where numerous vendors offer accounts priced according to their perceived usefulness for malicious activity.”
Select infection sequences observed between February and March 2023 have involved the use of shortcut and PowerShell files to download and launch the final malware, illustrating the attackers’ continued evolution of their tactics.
The experimentation also extends to the stealer, which has been updated to harvest a user’s personal information from X (formerly Twitter), TikTok Business, and Google Ads, as well as leverage the stolen Facebook session cookies to create fraudulent ads in an automated fashion and gain elevated privileges to perform other actions.
A primary method used to take over a victim’s compromised account is by adding their own email address to that account, subsequently changing the password and email address of the victim’s Facebook account to lock them out of the service.
“Another new feature observed in Ducktail samples since (at least) July 2023 is using RestartManager (RM) to kill processes that lock browser databases,” WithSecure said. “This capability is often found in ransomware as files that are in-use by processes or services cannot be encrypted.”
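A defender-side check for the behaviour described in that quote, added here as an illustrative example rather than code from the WithSecure or Zscaler research: it correlates constructed Sysmon-style events, flagging a process that loads the Restart Manager DLL (RstrtMgr.dll) from a user-writable directory and is followed shortly afterwards by a browser process exiting. The event field names, sample paths and the 30-second window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed Sysmon-style JSON events (not taken from the report):
# eid 7 = image (DLL) load, eid 5 = process terminate. Times are ISO-8601.
EVENTS_JSON = r"""
{"t":"2023-07-10T09:00:00","eid":7,"image":"C:\\Users\\bob\\AppData\\Local\\Temp\\JobDescription.exe","loaded":"C:\\Windows\\System32\\rstrtmgr.dll"}
{"t":"2023-07-10T09:00:04","eid":5,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"t":"2023-07-10T09:10:00","eid":7,"image":"C:\\Program Files\\Vendor\\setup.exe","loaded":"C:\\Windows\\System32\\rstrtmgr.dll"}
{"t":"2023-07-10T09:10:02","eid":5,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"t":"2023-07-10T09:20:00","eid":7,"image":"C:\\Users\\bob\\Downloads\\tool.exe","loaded":"C:\\Windows\\System32\\rstrtmgr.dll"}
{"t":"2023-07-10T09:25:00","eid":5,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Directories a standard user can write to; hypothetical, tune per estate.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["t"] = datetime.fromisoformat(ev["t"])
        events.append(ev)
    return sorted(events, key=lambda e: e["t"])


def suspicious_rm_loaders(events, window_seconds=30):
    """Images of processes that loaded RstrtMgr.dll from a user-writable path
    and were followed, within the window, by a browser process terminating.
    Installers under Program Files are left alone, which keeps the rule quiet
    during routine software updates (a legitimate use of Restart Manager)."""
    window = timedelta(seconds=window_seconds)
    browser_exits = [e["t"] for e in events
                     if e["eid"] == 5 and basename(e["image"]) in BROWSERS]
    hits = []
    for e in events:
        if e["eid"] != 7 or basename(e.get("loaded", "")) != "rstrtmgr.dll":
            continue
        if not e["image"].lower().startswith(USER_WRITABLE):
            continue
        if any(e["t"] <= t <= e["t"] + window for t in browser_exits):
            hits.append(e["image"])
    return hits


if __name__ == "__main__":
    for hit in suspicious_rm_loaders(parse_events(EVENTS_JSON)):
        print("possible stealer unlocking browser databases:", hit)
```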
What’s more, the final payload is obscured using a loader to decrypt and execute it dynamically at runtime in what’s seen as an attempt to incorporate techniques aimed at increasing analysis complexity and detection evasion.
Some of the other methods adopted by the threat actor to hinder analysis include the use of uniquely generated assembly names and the reliance on SmartAssembly, bloating, and compression to obfuscate the malware.
Zscaler said it observed cases where the group initiated contact via compromised LinkedIn accounts that belonged to users working in the digital marketing space, some of whom had more than 500 connections and 1,000 followers.
“The high number of connections/followers helped lend authenticity to the compromised accounts and facilitated the social engineering process for threat actors,” the researchers said.
This also highlights the worm-like propagation of Ducktail, whereby LinkedIn credentials and cookies stolen from a user who fell victim to the malware attack are used to log in to their accounts, contact other targets, and expand the attackers’ reach.
Ducktail is said to be one of the many Vietnamese threat actors leveraging shared tooling and tactics to pull off such fraudulent schemes. This also includes a Ducktail copycat dubbed Duckport, which has been active since late March 2023 and performs information stealing alongside Meta Business account hijacking.
It’s worth pointing out that the campaign Zscaler is tracking as Ducktail is actually Duckport, which, according to WithSecure, is a separate threat owing to the differences in the Telegram channels used for C2, the source code implementation, and the fact that the two strains have never been distributed together.
“While Ducktail has dabbled with the usage of fake branded websites as part of their social engineering efforts, it has been a common technique for Duckport,” WithSecure said.
“Instead of providing direct download links to file hosting services such as Dropbox (which may raise suspicion), Duckport sends victims links to branded sites that are related to the brand/company they’re impersonating, which then redirects them to download the malicious archive from file hosting services (such as Dropbox).”
Duckport, while based on Ducktail, also comes with novel features that expand on the information stealing and account hijacking capabilities, and can also take screenshots or abuse online note-taking services as part of its C2 chain, essentially replacing Telegram as the channel for passing commands to the victim’s machine.
“The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to the ransomware-as-a-service model) centered around social media platforms such as Facebook.”