DUCKTAIL: An infostealer malware targeting Facebook Business accounts

Authors

Mohammad Kazem Hassan Nejad

Senior Threat Intelligence Researcher, WithSecure


The threat actor targets individuals and employees who may have access to a Facebook Business account, using an information-stealer malware. The malware is designed to steal browser cookies and abuse the victim's authenticated Facebook sessions to exfiltrate information from the victim's Facebook account and, ultimately, to hijack any Facebook Business account to which the victim has sufficient access.
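The page does not describe how DUCKTAIL reaches the cookie stores, so the following is an added example of the kind of check a defender can run over endpoint file-access telemetry, not code from the report or from the malware: it flags any process other than a browser that opens a Chromium-family or Firefox cookie database. The path patterns, the browser process names and the sample events are all assumptions constructed for this illustration.

```python
"""Flag non-browser processes that open a browser cookie store.

Added illustration for the DUCKTAIL write-up; the patterns and the
sample telemetry below are constructed assumptions, not indicators
taken from the WithSecure report.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FileEvent:
    process: str  # image name of the process that opened the file
    path: str     # full path of the file that was opened


# Assumed on-disk locations of browser cookie stores on Windows:
# Chromium-family browsers keep "Cookies" (newer builds: "Network\Cookies")
# under a profile folder in "User Data"; Firefox keeps "cookies.sqlite"
# under a profile folder in "Profiles".
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.IGNORECASE),
    re.compile(r"\\Profiles\\[^\\]+\\cookies\.sqlite$", re.IGNORECASE),
]

# Processes that are expected to open their own cookie store (assumed list).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


def is_cookie_store(path: str) -> bool:
    """True if the path points at a known browser cookie database."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def suspicious_cookie_access(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Return events where a non-browser process opened a cookie store.

    Infostealers typically copy the locked database elsewhere before
    reading it; the open of the original file is what this check catches.
    """
    return [
        e for e in events
        if is_cookie_store(e.path) and e.process.lower() not in BROWSER_PROCESSES
    ]


# Constructed sample telemetry (not real DUCKTAIL activity).
SAMPLE_EVENTS = [
    FileEvent("chrome.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileEvent("update.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileEvent("firefox.exe",
              r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"),
    FileEvent("helper.exe",
              r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"),
    FileEvent("powershell.exe", r"C:\Users\alice\Documents\notes.txt"),
]


if __name__ == "__main__":
    for hit in suspicious_cookie_access(SAMPLE_EVENTS):
        print(f"ALERT: {hit.process} opened cookie store {hit.path}")
```

On real telemetry the process allow-list needs to be tuned per environment (backup agents and some security tools legitimately read these files), and the check should be paired with the cookie's use: a session replayed from an unfamiliar network location is the other half of the signal, but that half is visible only to the service provider.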

Based on our analysis and the data we gathered, we have determined that the operation is conducted by a Vietnamese threat actor. The chain of evidence suggests that the threat actor's motives are financial.

WithSecure shared its DUCKTAIL research with Facebook's parent company, Meta, prior to release. Meta provided the following statement:
“We welcome security research into the threats targeting our industry. This is a highly adversarial space and we know these malicious groups will keep trying to evade our detection. We are aware of these particular scammers, regularly enforce against them, and continue to update our systems to detect these attempts. Because this malware is typically downloaded off-platform, we encourage people to be cautious about what software they install on their devices.”

A full report containing detailed analysis of DUCKTAIL’s malware component, recommendations and protection, as well as appendices containing indicators of compromise, detection opportunities, and MITRE ATT&CK techniques can be found in the PDF report.

