WithSecure Intelligence says a criminal group dubbed "Ducktail" is targeting the Facebook Business platform with malware. ("duck life" by katdaned is licensed under CC BY 2.0.)

A criminal group with bespoke malware is targeting the Facebook Business/Ads platform, WithSecure Intelligence announced Tuesday.

The group, dubbed Ducktail, appears to be financially motivated and has been active since 2018. Since 2021, Ducktail has been eyeballing Facebook Business targets.

"WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing. Facebook's existing security features and hijacking businesses. However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features," the company writes in its official report.

Ducktail appears to be focused on account takeover and information theft. The group phishes employees with access with malware stored on filesharing websites, using lures targeted to the business.

WithSecure has not seen a regional pattern in Ducktail's targeting, with potential victims spread across Europe, the Middle East, Africa and North America.

Ducktail's .Net-based malware searches for cookies, including the Facebook token, in Google Chrome, Microsoft Edge, Brave Browser and Firefox, which it then leverages for Facebook access. The malware makes Facebook requests from the victims machine, tailored to look like the victim, in an apparent attempt to circumvent Meta's security. WithSecure notes that information stolen from the machine could be used to mimic a user from anywhere in the world.

The malware crawls various Facebook pages and attempts to retrieve two-factor authentication recovery codes, with new samples including unused source code that would attempt to generate a login access code. The malware steals personal data belonging to the user as well as information on what business and ad accounts are associated with the user, using Telegram for exfiltration. It attempts to add an attacker account to the email account list associated with associated businesses, allowing for account takeover.

WithSecure believes Ducktail operates out of Vietnam.

The official report includes YARA and SIGMA rules, an ATT&CK Framework map and indicators of compromise.