Ducktail, a known phishing operation that hijacks Facebook Business accounts used for companies' advertising campaigns, is now distributing a brand new infostealer malware.
Ducktail previously used LinkedIn as a lure to collect Facebook Business account data stored in the victim's web browser and exfiltrate it to a private Telegram channel, which served as the malware's command and control (C2) server, the channel through which the operators communicated with compromised systems.
Stealing browser data
The C2 has also changed: the stolen data no longer goes to a Telegram channel but to a JSON-based website that also stores account tokens and other information the attackers use for on-device fraud.
Zscaler reports that the malware is distributed as an archive file hosted on a legitimate file-hosting site. According to the attackers, the malware is not flagged by antivirus software unless it is loaded into memory.
Users can also reduce the impact of Ducktail and similar malware by switching to a privacy-focused browser, or simply by not storing sensitive information in their browser of choice.
This is especially important because the malware also searches for additional sensitive financial information, such as PayPal data, including amounts spent on certain purchases, account verification status, and more.
In most cases, attackers distributing this kind of malware try to trick people into downloading it by disguising it as movie subtitle files, adult content, or software cracks.
While Ducktail's new infostealer may evade antivirus software, security software with built-in web protection can still help by blocking access to known malicious websites.