New PHP Version of Ducktail Malware Puts Facebook Users at Risk

Facebook Business account holders are now exposed to a new threat, which comes in the form of a PHP variant of the Ducktail malware program.

Zscaler, a cloud security company, reported this new finding in a Zscaler blog post on October 13th. The new PHP version is spread by “pretending to be a free/cracked application installer”. It also impersonates various applications as lures for infection, including Telegram and Microsoft Office apps.

In this new version of Ducktail, the operator has changed the malware’s execution method, switching to a PHP script in place of the previously used .NET binary. After the fake installer is run, the victim is shown a message that it is “checking application compatibility”, when, in reality, two .tmp files are being generated.

The second of these two files is responsible for dropping the malicious code. After this, the file “executes two processes”, one to achieve persistence and one to steal data.

Ducktail Malware Has Been Around Since 2021

The original version of Ducktail malware was first discovered in late 2021 and was attributed to a Vietnamese operator who was using it to compromise Facebook Business and Ads Manager accounts.

In the aforementioned blog post, Zscaler discussed the original Ducktail strain, which could “manipulate pages and access financial information”. The attacks were recognized as highly targeted and were even able to bypass Facebook’s security defenses. Users with a senior role in a company were singled out in these attacks, because their accounts hold elevated permissions.

Ducktail also attempts to access two-factor authentication codes in order to evade this additional layer of account protection. The Ducktail infostealer targets various kinds of data, including payment details, email addresses, and client information.

User Information Is Still at Risk with the PHP Infostealer

The PHP variant of the Ducktail infostealer is likewise after sensitive data that can be exploited for financial gain. Even individuals with protective login measures in place may be at risk.

Payment information appears to be the main focus of this new PHP Ducktail malware as well, alongside email addresses, payment records, funding sources, and account statuses.

Both Ducktail Versions Are Highly Dangerous

The original Ducktail malware and its PHP variant share many similarities and pose a significant threat to Facebook Business accounts and the sensitive data they hold. Ducktail’s creator may well continue to release new versions of the original code to further refine the execution of their attacks. Time will tell whether this turns out to be the case.