eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
Our Threat Response Unit (TRU) has observed DUCKTAIL, a malware operation discovered by WithSecure in 2022, within a customer’s environment. The DUCKTAIL malware contains general information stealing capabilities with a focus on Facebook Business accounts.
Operators are known to locate and target individuals likely to have access to these accounts, primarily businesses or individuals responsible for ad services, such as members of marketing teams.
LinkedIn is commonly used to identify and engage targets of interest. In one recent incident, a marketing specialist was contacted via LinkedIn messaging about possible freelance work for a major hotel chain.
Figure 1 LinkedIn message from a compromised account.
After some back and forth, the target was sent a password protected .rar archive containing several decoy files and a shortcut payload.
Figure 2 After some discussion, the target is provided a password protected archive.
The freelance advertisement lure is in line with DUCKTAIL’s historical lures, which focus on marketing/advertising plans and job offers (see table below)
In early July 2023, TRU identified several DUCKTAIL cases, including the LinkedIn example above. In the most recent case, the user was sent a .rar file PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.rar which contained a handful of PNG images and a .lnk (shortcut) file masquerading as a PDF.
Figure 3 Contents of the archive.
Examining the .lnk metadata using ExifTool shows it will execute PowerShell commands in a hidden window. The metadata shows a Machine ID “desktop-oalig8v” and Drive Serial Number “7838-8B0E”, both of which are linked to other .lnk samples on public malware repositories.
Figure 4 ExifTool output for the shortcut file.
The PowerShell commands are slightly obfuscated using string replacement methods. Its function is to download two files from impressiondigitals[.]agency:
impressiondigitals[.]agency/files2/LViS Store Marketing.lnk
The decoy PDF is a fake job offer for a Facebook Ads Specialist and replaces the malicious .lnk file on disk and is then opened automatically during the next step.
Figure 5 Fake job offer replaces the shortcut on disk, is opened for the user.
The payload 83ecbfdfa31f9934338a0f5b5edfdcfa is an unsigned .NET executable originally named “HawkEyes”. We’ll call this first stage HawkEyes loader.
Figure 6 File properties for HawkEyes loader.
The first stage payload performs several anti-analysis checks, such as debugging tools (Figure 8), number of running processes and common malware sandbox attributes.
Figure 7 Anti-analysis checks performed. Figure 8 One of the checks looks for a common debugging tool.
After anti-analysis checks are passed, it decompresses data stored in resource file HawkEyes.Res1, modifies it by adding random bytes and saves it to the user’s documents folder with a random number between 50 and 100 appended to it. The new payload is then started.
Figure 9 Loading the second stage payload.
HawkEyes also contains code to create or remove itself from the startup folder and registry.
Figure 10 Persistence options.
The new file is another .NET payload (MD5: DCAF0652E1602ECAEDAB32F078C993C9). This payload appears to contain the majority of the functionality familiar with DUCKTAIL malware.
Figure 11 Second stage payload properties.
DUCKTAIL’s .NET payloads have undergone several changes, and much of the second stage payload is obfuscated. Thankfully its functionality can still be gleaned from memory analysis, where strings are
cleartext, base64 encoded and double base64 encoded.
It collects various information about the system using WMI commands and headless chrome to retrieve network and browser information from whatismybrowser[.]com and ip-api[.]com. This information is stored in “System Information.txt”
Figure 12 Snippet of information obtained from the system.
Browser data is also collected from the victim’s registry via HKEY_LOCAL_MACHINE\Software\WOW6432Node\Clients\StartMenuInternet.
One possible reason for collecting this information is to closely emulate the system to avoid detection by the target website when connecting with stolen account information.
Data sought by this malware is not unlike general purpose stealers. Double base64-encoded memory strings show various files and identifiers tied to browsing information, including saved credit cards, cookies, bookmarks, and encrypted logins. We also see strings associated with decrypting stored web credentials.
Figure 13 Browser data sought by the malware. Text in the red box was double encoded in memory.
This data appears to be stored in various text files and exfiltrated to the C2. This data is exfiltrated via a Telegram Bot at hxxps://api[.]telegram[.]org/bot6335344897:AAEtQ0t_5DOwFvdUwdvpybdn5a4vHpEegu8/sendDocument within an encrypted zip file.
Finally, we see diagnostic output related to collection of Facebook business accounts:
Figure 14 Output related to Facebook account takeover.
DUCKTAIL is known to target Facebook Ad and Business accounts. Operators will use stolen login data to add email addresses to Facebook Business accounts. When emails are added, a registration link is
generated by which the threat actor can grant themselves access.
DUCKTAIL uses the victim’s machine to interact with the Facebook API endpoints and configure new email addresses. These email addresses are retrieved from the Telegram C2 at hxxps://api[.]telegram[.]org/bot6335344897:AAEtQ0t_5DOwFvdUwdvpybdn5a4vHpEegu8/getUpdates. Accessing this endpoint does not require authentication and email addresses appear to rotate on set intervals.
Figure 15 Snippet of command and control data present on the Telegram bot.
The common structure of these email accounts ([email protected]) would suggest these are generated by threat actors and not compromised accounts.
There are several possibilities for monetizing compromised Facebook Business accounts. Researchers from Deep Instinct recently suggested these accounts could be used to set up imitation business pages and scam unsuspecting customers. Another possibility is that threat actors are pushing white-label products at inflated prices using ads paid for by the victim organization.
How did we find it?
MDR for Endpoint blocked PowerShell code executed by the shortcut file.
What did we do?
Our team of 24/7 SOC Cyber Analysts isolated the host and alerted the customer while an investigation took place.
What can you learn from this TRU Positive?
DUCKTAIL operators use LinkedIn to find targets of interest, primarily those with possible access to manage Facebook Ads. Users should remain vigilant when communicating on the platform, particularly in private messages.
Social media channels provide an out-of-band method for threat actors to conduct social engineering attacks. These attacks bypass traditional, heavily monitored vectors such as email.
DUCKTAIL is a risk to all users. Its information stealing capabilities open up possible monetization options for threat actors for fraud and other attacks.
Recommendations from our Threat Response Unit (TRU) Team:
Victims should review their Facebook Business users for unauthorized users.
Raise awareness of malware masquerading as legitimate applications, and include in your Phishing and Security Awareness Training (PSAT) program. An effective PSAT program emphasizes building cyber resilience by increasing risk awareness, rather than trying to turn everyone into security experts.
Indicators of Compromise
Indicator
Note
impressiondigitals[.]agency
DUCKTAIL Payloads
83ecbfdfa31f9934338a0f5b5edfdcfa
HawkEyes Loader
42673cf1b1f567fc253faeacd2aa735f
Malicious Shortcut File
82d0715fa0f84a7c45d99139cb2426a9
5feb0735d92802c3230c446a2c27c3b7
58c258ecab10c0f26d7909d02d00fe87
e83c4393e80895f1b94f03c5d58c44cf
73b29193268a6f3dabaeed55bbe06ce6
4371dd1befab05b5b673f69d0b5654f0
65b40cc7cbe61336ef543cf9659a0691
bfda65faf863eaddd063d24c17520b28
eSentire Threat Response Unit (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
