An unheard-of Windows information-stealing malware written in PHP that is used to steal Facebook accounts, and browser data. And cryptocurrency wallets is being disseminated through a new Ducktail phishing campaign.

Researchers from WithSecure first identified ducktail phishing operations in mid 2022 and connected the assaults to Vietnamese hackers.

These operations utilized LinkedIn social engineering tactics to spread malware dressed as a PDF document purporting to give information about a marketing initiative.

The malware specifically targeted data kept in browser cookies related to Facebook Business accounts. And exfiltrated it to a private Telegram channel that served as a C2 server. Then, these credentials are stolen and exploited for advertising fraud or financial fraud.

Now, according to Zscaler, there are indications of fresh activity involving a Ducktail campaign that employs a PHP script to function as malware that steals Windows information.

A PHP information-stealing malware

The information-stealing malware built in PHP by Ducktail has now superseded the older NET Core version utilized in earlier campaigns.

The majority of the deceptive lures used in this operation involve games, subtitle files, explicit videos, and cracked Microsoft Office programmes. These are available on trustworthy file hosting providers in ZIP format.

When it is executed, the installation happens in the background as the victim waits for a scammer-sent phoney application to install while seeing bogus “Checking Application Compatibility” pop-ups in the frontend.

Ultimately, the malware will be extracted to the%LocalAppData%PackagesPXT folder, which contains the PHP.exe local interpreter. And additional information-stealing programmes and supporting tools, as seen below.

Ducktail's PHP information-stealing malware
Ducktail’s PHP information-stealing malware (Source: BleepingComputer)

By placing scheduled activities on the host to run every day and at regular intervals, the PHP virus is able to maintain persistence. A created TMP file launches the stealer component concurrently in a parallel process.

The stealer’s code is a Base64-encoded PHP script that is decoded immediately in memory without accessing the disc, reducing the likelihood that it would be discovered.

The targeted data includes substantial Facebook account information, and sensitive information stored in browser cookies, and wallet. And account information for cryptocurrencies, and fundamental system data.

Instead of being sent to Telegram, the acquired data is now saved in a JSON webpage that also contains account tokens and the data needed to commit on-device fraud.

Expanding the targeting scope

Ducktail’s prior effort targeted people who worked for firms’ financial or marketing departments. Since they were more likely to be granted permission to plan and carry out social media ad campaigns.

The intention was to seize control of those accounts, send money directly to their bank accounts, or start their own Facebook marketing operations to recruit additional victims for Ducktail.

However, Zscaler observed that in the most recent campaign, the targeting was widened to include normal Facebook users. And to steal any useful data they might have kept in their accounts.

Even so, if the malware determines that the account type is a business account, it will try to retrieve data. These include payment methods, cycles, spending amounts, owner details, verification status, owned pages, PayPal address, and more.

The development of Ducktail and its subsequent attempt to avoid being observed by security researchers. It shows that the threat actors want to keep running their successful operations.

Users are urged to exercise caution when sending and receiving instant messages on LinkedIn. And to be highly wary of file download requests, particularly those for cracked software, game mods, and cheats.