Threat actors have been targeting Facebook Business accounts with a new PHP version of the Ducktail information-stealing malware, delivered through cracked app and game installers, The Hacker News reports.
While both the PHP and .NET Core variants of Ducktail exfiltrate the same kinds of sensitive data, including Facebook account details and browser credentials, the updated variant, first identified in August, sends stolen data to a newly hosted website instead of using Telegram as its command-and-control channel, according to a report from Zscaler.
Ducktail has been observed embedded in ZIP archives posing as cracked Microsoft Office software, games, and pornographic content on file-sharing services; running the fake installer launches a PHP script that carries out the data theft and exfiltration.
The researchers also found that ordinary Facebook users, not only business accounts, are being targeted in the new campaign.
"It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancements in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting users at large," the researchers added.
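The delivery chain described above (a ZIP archive carrying a decoy installer plus a PHP interpreter and script) can be screened for at an upload gateway or mail filter without executing anything. The following is an added example written for this article, not code from Zscaler, The Hacker News, or the Ducktail operators: it inspects a ZIP's member listing and flags archives that pair an executable installer with a bundled PHP runtime or .php script. The member names, the assumption that the runtime ships as php.exe, and the extension lists are all assumptions for illustration; tune them to what you observe in your own samples.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed sample listing modelled on the reported lure: a "cracked Office"
# installer that also bundles a PHP runtime and script. File names are assumed.
SAMPLE_MEMBERS = [
    "Microsoft_Office_2021_Crack/Setup.exe",
    "Microsoft_Office_2021_Crack/php/php.exe",
    "Microsoft_Office_2021_Crack/php/php8.dll",
    "Microsoft_Office_2021_Crack/php/run.php",
    "Microsoft_Office_2021_Crack/README.txt",
]

# Constructed benign listing: an installer with no PHP artefacts alongside it.
BENIGN_MEMBERS = ["Game_Installer/setup.exe", "Game_Installer/license.txt"]

# Assumed names of the Windows PHP CLI binaries an attacker would drop.
PHP_RUNTIME = {"php.exe", "php-cgi.exe", "php-win.exe"}
# Extensions treated as "something the victim is meant to double-click".
INSTALLER_EXT = {".exe", ".msi", ".scr", ".bat", ".cmd", ".lnk"}


def classify_members(names):
    """Bucket archive member paths into installer / PHP runtime / PHP script."""
    hits = {"installer": [], "php_runtime": [], "php_script": []}
    for name in names:
        # Normalise Windows separators so nested paths are handled uniformly.
        path = PurePosixPath(name.replace("\\", "/"))
        base = path.name.lower()
        ext = path.suffix.lower()
        # Check the runtime first: php.exe would otherwise match INSTALLER_EXT.
        if base in PHP_RUNTIME:
            hits["php_runtime"].append(name)
        elif ext in (".php", ".phar"):
            hits["php_script"].append(name)
        elif ext in INSTALLER_EXT:
            hits["installer"].append(name)
    return hits


def is_suspicious(names):
    """True when a clickable installer is packaged with a PHP runtime or script.

    A lone installer, or a PHP project with no executable, is left alone; the
    combination is what characterises the reported lure.
    """
    hits = classify_members(names)
    return bool(hits["installer"]) and bool(hits["php_runtime"] or hits["php_script"])


def scan_zip_bytes(data):
    """Scan an in-memory ZIP by its central directory only; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return is_suspicious(zf.namelist())


def build_zip(names):
    """Build a ZIP with the given member names (placeholder content) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, members in (("lure", SAMPLE_MEMBERS), ("benign", BENIGN_MEMBERS)):
        verdict = "SUSPICIOUS" if scan_zip_bytes(build_zip(members)) else "clean"
        print(f"{label}: {verdict} {classify_members(members)}")
```

Because the check only reads the central directory, it is cheap enough to run on every archive at a boundary and does not require unpacking potentially hostile content; pair it with sandbox detonation or an EDR rule for php.exe spawning from a user-writable directory to catch samples that rename the interpreter.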