Threat actors have been targeting Facebook Business accounts with a new PHP version of the Ducktail infostealing malware, which is being delivered through cracked app and game installers, The Hacker News reports.
While both the PHP and .NET Core variants of Ducktail exfiltrate the same kinds of sensitive data, including Facebook account details and browser credentials, the updated variant, first identified in August, sends the stolen data to a newly hosted website rather than using Telegram as its command-and-control channel, according to a report from Zscaler.
Ducktail has been observed embedded in ZIP archives on file-sharing services that pose as cracked Microsoft Office software, games, and porn-related files; running the installer launches the PHP script that carries out the data exfiltration.
Researchers also found that regular Facebook users are being targeted in the new Ducktail campaign.
"It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancements in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information, targeting users at large," the researchers added.