New PHP information-stealing malware targets Facebook accounts
A new Ducktail phishing campaign is spreading never-before-seen Windows information-stealing malware, written in PHP, that is used to steal Facebook accounts, browser data, and cryptocurrency wallets.
The malware targeted information stored in browsers, focusing on Facebook Business account data, and exfiltrated it to a private Telegram channel that acted as a C2 server.
Zscaler now reports spotting signs of new activity involving a refreshed Ducktail campaign that uses a PHP script as Windows information-stealing malware.
The goal was to take control of those accounts and direct payments to the attackers' bank accounts or run their own Facebook campaigns to promote Ducktail to more victims.
In the latest campaign, Zscaler noticed that the targeting scope has been broadened to include regular Facebook users and to siphon whatever valuable information they may have stored in their accounts.
Still, if the account type is determined to be a business account, the malware will attempt to fetch additional information about payment methods, cycles, amounts spent, owner details, verification status, owned pages, PayPal address, and more.