
Cybercrime, new PHP Ducktail pretends to be a free/cracked application installer

New PHP Ducktail version spread by pretending to be a free/cracked application installer. Zscaler cybersecurity experts: The malware, an infostealer, targets Facebook Business accounts with new TTPs

The new PHP version of Ducktail is being distributed disguised as a free/cracked application installer for a variety of applications, including games, Microsoft Office applications, Telegram, and others. Zscaler cybersecurity experts discovered it. The malware, an infostealer, has been around since 2021 and is attributed to a Vietnamese threat group. Campaigns to date have focused on taking over Facebook Business accounts, both to manipulate pages and to access financial information. In August 2022, however, the cybercrime actors behind the malicious code changed their TTPs. The data the malware relies on is now kept in JSON format on a newly hosted website and retrieved later to perform the stealing activities on the victim's machine. Once the theft is completed, the same website is used to store the stolen data. Furthermore, the threat actors are now targeting the public at large, rather than specifically targeting employees with Admin or Finance access to Facebook Business accounts. Finally, the malicious executable files are mostly in .ZIP format and hosted on file sharing platforms, posing as cracked or free versions of Office applications, games, subtitle files, porn-related files, and others.
