After a series of operational setbacks, including having its tactics, techniques and procedures (TTPs) exposed on the internet by WithSecure, the Vietnam-based Ducktail cyber crime cartel has been busily evolving its operations, seeking new methods to compromise its targets and steal their Facebook Business accounts.
The group had been using LinkedIn to conduct research on targets it considered likely to have access to Facebook Business accounts, and then conducted spear phishing attacks against them, deploying a novel infostealer malware that was able to take control of the target’s Facebook presence and use it for purposes such as malware distribution, theft, disinformation and fraud.
Following the exposure of its activities, Ducktail has implemented several changes to its mode of operation, prompting a return visit from WithSecure researcher Mohammad Kazem Hassan Nejad, who has been tracking the gang for 18 months.
“We don’t see any signs of Ducktail slowing down soon, but rather see them evolve rapidly in the face of operational setbacks. Up to this point, the operational team behind Ducktail was seemingly small, but that has changed,” he said.
Besides onboarding new recruits, Ducktail has been developing new avenues to conduct its spear phishing attacks, including WhatsApp, which is also owned by Facebook parent Meta.
It has also made changes to its infostealer’s capabilities, coding a more robust way of retrieving attacker-controlled email addresses and making it look more legitimate by giving it the ability to open dummy documents and video files when it launches.
It has also got better at evading detection by changing up file format and compilation, and countersigning certificates.
Additionally, the gang has conducted further resource development and operational expansion, establishing a number of fake businesses in Vietnam and establishing an affiliate model.
WithSecure said it had recently helped a number of victims of Ducktail, and other threats targeting Facebook’s Ads and Business platform, with losses of up to $600,000 worth of advertising credits, highlighting that while ransomware attacks garner a lot of attention, other threats can be equally as damaging to an organisation’s financial and brand equity.
Attacks exploiting Facebook can be additionally challenging due to the lack of separation between personal and business accounts, which potentially opens additional avenues of risk, said John Rogers, global head of incident response at WithSecure.
“Using the same resources for personal and business can be quite problematic. For example, investigating a possible Ducktail incident may require logs about an individual’s Facebook history, which can have many unanticipated operational, ethical and legal implications,” he said.
“It’s an issue that concerns organisations and their employees, so they both need to understand the risks in these situations,” added Rogers.
There are a number of steps that organisations can take to protect themselves from such organisations.
These include conducting staff training on spear-phishing, particularly for users who can access Facebook Business accounts; enforcing application allow lists to stop unknown executables from running; deploying endpoint detection and response (EDR) solutions to detect malware before it can do damage; putting in place basic hygiene and protection for managed or personal devices used on Facebook Business accounts; and using private browsing to authenticate work sessions when accessing Facebook Business accounts.