New PHP Version of Ducktail Malware Hijacking Facebook Business Accounts
2022-10-14 10:12

A PHP version of an information-stealing malware called Ducktail has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler.

"Like older versions, the latest version also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.," Zscaler ThreatLabz researchers Tarun Dewan and Stuti Chaturvedi said.

Ducktail, which emerged on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware primarily designed to hijack Facebook business and advertising accounts.

While previous versions of the malware were found to use Telegram as a command-and-control channel to exfiltrate information, the PHP variant spotted in August 2022 establishes connections to a newly hosted website to store the data in JSON format.

Attack chains observed by Zscaler entail embedding the malware in ZIP archive files hosted on file-sharing services like mediafire[.

Execution of the installer, in turn, activates a PHP script that ultimately launches the code responsible for stealing and exfiltrating data from web browsers, cryptocurrency wallets, and Facebook Business accounts.


News URL

https://thehackernews.com/2022/10/new-php-version-of-ducktail-malware.html

Related vendor

Vendor     Last 12M #/products   Low   Medium   High   Critical   Total vulns
PHP        9                     1     43       115    124        283
Facebook   29                    0     11       46     54         111