DUCKTAIL attacks costing victims hundreds of thousands of dollars

Vietnam-based cyber crime operation continues to evolve and expand operations.

Helsinki, Finland – November 22, 2022: “DUCKTAIL”, a Vietnam-based cyber crime operation discovered by WithSecure™ (formerly known as F-Secure business) earlier this year, has continued to evolve their operations, according to a new analysis.

Since 2021, DUCKTAIL has used LinkedIn to target individuals and organizations operating on Facebook's Ads and Business platform in order to hijack Facebook Business accounts.

Following the exposure of DUCKTAIL’s activities in a report published during the summer, the group has changed the way they operate to evade defenses and expand its operations.

"We don't see any signs of DUCKTAIL slowing down soon, but rather see them evolve rapidly in the face of operational setbacks. Up to this point, the operational team behind DUCKTAIL was seemingly small, but that has changed," said Mohammad Kazem Hassan Nejad, Researcher for WithSecure Intelligence.

Recent DUCKTAIL activity observed since early September featured several changes to their mode of operation, including:

• New avenues to spear-phish targets through, such as WhatsApp.
• Changes to malware capabilities with a more robust way of retrieving the attacker-controlled email addresses and making the malware look more legitimate by opening dummy documents and video files upon launch.
• Continuous efforts at defense evasion by changing up file format and compilation, as well as countersigning certificates.
• Further resource development and operational expansion by setting up additional fake businesses in Vietnam and onboarding affiliates into the operation.

“Ransomware attacks get a lot of attention, but threats such as DUCKTAIL can cause substantial financial and branding damage and shouldn’t be overlooked,” said Paolo Palumbo, Vice President of WithSecure Intelligence. “With the increased activity, new affiliates, and fake businesses, we expect an increase in DUCKTAIL related incidents for the foreseeable future.”

DUCKTAIL in the trenches

WithSecure’s incident response team has helped several victim organizations respond to attacks from DUCKTAIL and other threats targeting Facebook’s Ads & Business platform. Losses from these attacks ranged from one to six hundred thousand dollars of advertising credits.

According to WithSecure™ Global Head of Incident Response John Rogers, these kinds of threats are challenging for companies to manage due to the lack of separation between personal and business accounts.

“Using the same resources for both personal and business can be quite problematic. For example, investigating a possible DUCKTAIL incident may require logs about an individual’s Facebook history, which can have many unanticipated operational, ethical, and legal implications. It’s an issue that concerns organizations and their employees, so they both need to understand the risks in these situations,” he said. 

Defenders can take the following steps to protect themselves from DUCKTAIL and similar threats:

• Raise awareness on spear-phishing among users with access to Facebook/Meta business accounts.
• Enforce application allowlisting to prevent unknown executables from running.
• Use EDR/EPP solutions to prevent and detect the malware in the earlier stages of the attack lifecycle.
• Ensure managed or personal devices used with company Facebook accounts have basic hygiene and protection in place.
• Use private browsing to authenticate each work session when accessing Facebook Business accounts (so the session is forgotten after finishing, which prevents cookies from being stolen and abused).
• Follow Meta's recommended security practices.
• Download and analyze the relevant logs as quickly as possible when responding to a suspected incident.

The full analysis is available at https://labs.withsecure.com/publications/ducktail-returns.  

Additional information on DUCKTAIL is available at https://labs.withsecure.com/publications/ducktail.

WithSecure™ media relations
Adam Pilkey
+358406378859