
New PHP Version of Ducktail info-stealer hijacks Facebook Business accounts


Jasper_The_Rasper
Moderator

October 15, 2022  By Pierluigi Paganini


Experts spotted a PHP version of an information-stealing malware called Ducktail spread as cracked installers for legitimate apps and games.

Zscaler researchers discovered a PHP version of an information-stealing malware tracked as Ducktail. The malicious code is distributed as free/cracked application installers for a variety of applications including games, Microsoft Office applications, Telegram, and others.  


5 replies

Jamesharris85
New Voice

This is all I thought of when I read Ducktail…

  • Community Expert Advisor
  • 544 replies
  • October 17, 2022

LOL


Jamesharris85
New Voice

Quality Saturday morning entertainment right there. They don’t make them like that anymore. 


russell.harris
Popular Voice

Omg. So true! Kids these days just don’t get that kind of quality!


tmcmullen
Popular Voice
  • 177 replies
  • October 26, 2022


A new Ducktail phishing campaign is spreading a never-before-seen Windows information-stealing malware written in PHP used to steal Facebook accounts, browser data, and cryptocurrency wallets.

Ducktail phishing campaigns were first revealed by researchers from WithSecure in July 2022, who linked the attacks to Vietnamese hackers.


Those campaigns relied on social engineering attacks through LinkedIn, pushing .NET Core malware masquerading as a PDF document supposedly containing details about a marketing project.


The malware targeted information stored in browsers, focusing on Facebook Business account data, and exfiltrated it to a private Telegram channel that acted as a C2 server. These stolen credentials are then used for financial fraud or to conduct malicious advertising.


Zscaler now reports spotting signs of new activity involving a refreshed Ducktail campaign that uses a PHP script to act as a Windows information-stealing malware.

A PHP information-stealing malware

Ducktail has now replaced the older .NET Core information-stealing malware used in previous campaigns with one written in PHP.

Most of the fake lures for this campaign are related to games, subtitle files, adult videos, and cracked MS Office applications. These are hosted in ZIP format on legitimate file hosting services.

When executed, the installation takes place in the background while the victim sees fake 'Checking Application Compatibility' pop-ups in the frontend, waiting for a fake application sent by the scammers to install.

The malware will ultimately be extracted to the %LocalAppData%\Packages\PXT folder, which includes the PHP.exe local interpreter, various scripts used to steal information, and supporting tools.

Above information taken from the following article: https://www.bleepingcomputer.com/news/security/new-php-information-stealing-malware-targets-facebook-accounts/
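A hunting check for the drop location named in the post, written here as an added example (it is not code from the BleepingComputer article or from the Zscaler write-up). It assumes the stock Windows profile layout under the profile root and that the folder name is exactly PXT; the script extensions it lists are a guess at what such a drop would contain.

```powershell
# Added hunting script: look in every local user profile for the
# %LocalAppData%\Packages\PXT folder the post names, report a bundled php.exe
# (with its hash, for matching against vendor indicators) and any script files
# inside it, and flag running processes whose executable lives there.
# Run elevated so that other users' profiles are readable.
# Assumption: profiles follow the standard <LocalPath>\AppData\Local layout;
# the PXT folder name comes from the post, the extension list is a guess.

$findings = @()

# Enumerate profiles via WMI rather than the current $env:LOCALAPPDATA so that
# every account on the host is covered, not only the one running the script.
$profiles = Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }
foreach ($p in $profiles) {
    $pxt = Join-Path $p.LocalPath 'AppData\Local\Packages\PXT'
    if (-not (Test-Path -LiteralPath $pxt)) { continue }

    $files = Get-ChildItem -LiteralPath $pxt -Recurse -File -ErrorAction SilentlyContinue
    $php   = $files | Where-Object { $_.Name -ieq 'php.exe' }
    $findings += [pscustomobject]@{
        Profile   = $p.LocalPath
        Folder    = $pxt
        HasPhpExe = [bool]$php
        PhpSha256 = if ($php) { (Get-FileHash -LiteralPath $php[0].FullName -Algorithm SHA256).Hash } else { $null }
        Scripts   = ($files | Where-Object { $_.Extension -in '.php', '.bat', '.vbs', '.ps1' } |
                     Select-Object -ExpandProperty Name) -join ', '
        FileCount = $files.Count
    }
}

# A PHP interpreter executing out of a Packages folder is not normal on a
# workstation; surface such processes with parent and command line for triage.
$procs = Get-CimInstance Win32_Process | Where-Object {
    $_.ExecutablePath -and $_.ExecutablePath -imatch '\\AppData\\Local\\Packages\\PXT\\'
}

if ($findings.Count -eq 0 -and -not $procs) {
    Write-Output 'No PXT artifacts found in any user profile.'
} else {
    $findings | Format-List
    $procs | Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine | Format-List
}
```

An empty result only says the folder is not present at scan time; a hit should be followed by checking the user's browser and Facebook Business sessions, since the post describes those as the stealer's targets.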

