New Ducktail Infostealer Malware Targets Facebook Business and Advertising Accounts

Facebook Business and advertising accounts are the targets of an ongoing campaign dubbed Ducktail, which is designed to seize control of them as part of a financially motivated cybercriminal operation.

“The threat actor targets individuals and employees who may have gained access to a Facebook Business account, using information-stealing malware,” Finnish cybersecurity firm WithSecure (formerly F-Secure Business) said in a new report.

“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal the victim’s Facebook account information and eventually hijack any Facebook Business account that the victim has sufficient access to.”

The attacks, attributed to a Vietnamese threat actor, reportedly began in the second half of 2021, with the main targets being people in management, digital marketing, digital media, and human resource positions in companies.


The idea is to target employees with high-level access to the Facebook Business accounts linked to their organizations and trick them into downloading what purports to be Facebook ad material hosted on Dropbox, Apple iCloud and MediaFire.

In some cases, the archive file containing the malicious payload is also delivered to victims via LinkedIn. Once it runs, it ultimately allows the attacker to gain control of any Facebook Business account the victim can access.

An information-stealing malware written in .NET Core, the binary uses Telegram for command and control and for exfiltrating stolen data. WithSecure said it has identified eight Telegram channels that have been used for this purpose.
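Because the malware talks to its operators through the Telegram Bot API, outbound web-proxy logs are a practical place to look for it. The following detection logic is an added example written for this article, not WithSecure's code or any Ducktail indicator: it parses a constructed sample of proxy log lines (hypothetical hosts and bot tokens) and summarizes, per host, which machines called `api.telegram.org/bot<token>/<method>` and how many of those calls were upload methods such as `sendDocument`. Ordinary Telegram chat via `web.telegram.org` is deliberately not flagged.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (hypothetical hosts, tokens and URLs).
# Format: timestamp host method url
SAMPLE_PROXY_LOG = """\
2022-07-26T09:14:02Z ws-123 GET https://www.facebook.com/business/
2022-07-26T09:14:05Z ws-123 POST https://api.telegram.org/bot123456789:AAEx-hypothetical-token/sendDocument
2022-07-26T09:15:11Z ws-077 GET https://api.telegram.org/bot987654321:BBFy-hypothetical-token/getUpdates
2022-07-26T09:16:40Z ws-123 POST https://api.telegram.org/bot123456789:AAEx-hypothetical-token/sendMessage
2022-07-26T09:17:00Z ws-200 GET https://web.telegram.org/k/
"""

# Telegram Bot API requests have the shape https://api.telegram.org/bot<token>/<method>.
BOT_API_RE = re.compile(r"https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")

# Bot API methods an infostealer would use to push loot into a channel.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def parse_line(line):
    """Split one proxy log line into its four fields."""
    ts, host, method, url = line.split(maxsplit=3)
    return {"ts": ts, "host": host, "method": method, "url": url}


def find_bot_api_use(log_text):
    """Return a per-host summary of Telegram Bot API calls seen in the log.

    Each entry holds the numeric bot ids contacted, the list of API methods
    called, and how many calls were upload/exfiltration methods.
    """
    hits = defaultdict(lambda: {"tokens": set(), "methods": [], "exfil_calls": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = BOT_API_RE.search(rec["url"])
        if not m:
            continue  # web.telegram.org (a human using chat) is not the Bot API
        h = hits[rec["host"]]
        # Keep only the numeric bot id; never persist the secret half of the token.
        h["tokens"].add(m.group("token").split(":")[0])
        h["methods"].append(m.group("method"))
        if m.group("method") in EXFIL_METHODS:
            h["exfil_calls"] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, summary in find_bot_api_use(SAMPLE_PROXY_LOG).items():
        print(host, sorted(summary["tokens"]), summary["methods"], summary["exfil_calls"])
```

Any workstation with a non-zero `exfil_calls` count is worth a closer look, since end users rarely have a reason to drive the Bot API directly; the bot id lets you group hosts that report to the same operator channel.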


It works by searching installed browsers such as Google Chrome, Microsoft Edge, Brave Browser and Mozilla Firefox to extract all stored cookies and access tokens, and by stealing the victim’s personal Facebook account information, such as name, email address, date of birth and user ID.

Data is also looted from the business and advertising accounts connected to the victim’s personal account. The adversary then hijacks those accounts by adding an attacker-controlled email address, retrieved from the Telegram channel, and granting it the Admin and Finance Editor roles.

While users with the Admin role have full control of the Facebook Business account, users with Finance Editor permissions can edit business credit card information and financial details such as transactions, invoices, account spending and payment methods.


Telemetry data collected by WithSecure shows a global targeting pattern involving a number of countries, including the Philippines, India, Saudi Arabia, Italy, Germany, Sweden and Finland.

However, the company indicated that it was “unable to determine the success or lack of success” of the Ducktail campaign, adding that it could not say how many users might be affected.

Facebook Business admins are advised to review the users and permissions on their accounts and remove any users they do not recognize.
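The review above is easy to do badly by eye when a Business Manager has dozens of people attached, and the hijack technique described earlier adds an outside email with privileged roles. The script below is an added example, not Facebook's tooling or anything from the WithSecure report: it takes a constructed list of Business Manager users (hypothetical names and emails, in the shape an admin would transcribe from Business Settings > People), treats the organization's own email domains plus an explicit allowlist of approved external accounts as "known", and ranks findings so that unknown users holding the Admin or Finance Editor roles come first. Known privileged users are listed too, so the admin can confirm each one still needs that role.

```python
import json

# Constructed sample export of Business Manager users (hypothetical data).
SAMPLE_USERS_JSON = """
[
  {"name": "Ana Lindqvist", "email": "ana@example-corp.com", "role": "Admin"},
  {"name": "Ben Okafor", "email": "ben@example-corp.com", "role": "Employee"},
  {"name": "Agency Contact", "email": "ops@trusted-agency.example", "role": "Employee"},
  {"name": "Ana L", "email": "Ana.Lindqvist.Ads@mail.example", "role": "Admin"},
  {"name": "Finance", "email": "billing-team@mail.example", "role": "Finance Editor"}
]
"""

# Email domains owned by the organization (assumed for this example).
ORG_DOMAINS = {"example-corp.com"}
# Approved external accounts (e.g. an agency), maintained by the admin.
APPROVED_EXTERNAL = {"ops@trusted-agency.example"}
# Roles that can take over the account or change payment details.
PRIVILEGED_ROLES = {"Admin", "Finance Editor"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "info": 2}


def review_users(users_json, org_domains=ORG_DOMAINS, approved=APPROVED_EXTERNAL):
    """Return findings for users an admin should act on or confirm.

    critical: unknown user with a privileged role (takeover or billing risk)
    high:     unknown user with any other role
    info:     known user with a privileged role (re-confirm the need)
    Known, non-privileged users produce no finding.
    """
    findings = []
    for u in json.loads(users_json):
        email = u["email"].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        known = domain in org_domains or email in approved
        privileged = u["role"] in PRIVILEGED_ROLES
        if known and not privileged:
            continue
        if not known and privileged:
            severity = "critical"
        elif not known:
            severity = "high"
        else:
            severity = "info"
        findings.append({"name": u["name"], "email": email,
                         "role": u["role"], "severity": severity})
    # Most urgent first; stable by email within a severity.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["email"]))
    return findings


if __name__ == "__main__":
    for f in review_users(SAMPLE_USERS_JSON):
        print(f"{f['severity']:8} {f['role']:15} {f['email']}  ({f['name']})")
```

Note the lookalike entry "Ana L" with an outside mailbox: a display name that mimics a real admin is exactly what a by-eye review tends to miss, which is why the check keys on email domain and an explicit allowlist rather than on names.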

The findings are another indication of how bad actors are increasingly taking advantage of legitimate messaging apps like Discord and Telegram, abusing their automation features to spread malware or achieve their operational goals.

“Mainly used with information thieves, cybercriminals have found ways to use these platforms to host, distribute and perform various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” Intel 471 said Tuesday.
