

Rewterz Threat Alert – GuLoader Malspam Campaign – Active IOCs
May 11, 2023
Rewterz Threat Advisory – CVE-2023-0008 – Palo Alto Networks PAN-OS Vulnerability
May 11, 2023
Severity
High
Analysis Summary
Ducktail is an information-stealing malware family that is used to hijack Facebook Business accounts. It is typically delivered through a spear-phishing message carrying a malicious attachment or a link to a malicious download. Once it runs on a system, it establishes persistence and begins gathering information about the host and the network it is connected to.
The malware can steal a wide range of sensitive data, including passwords, emails, documents and other confidential information. It can also execute commands and download additional payloads onto the compromised system.
In October 2022, the threat actor behind Ducktail widened its targeting to any user with access to a Facebook Business account, regardless of role, using a new variant of the malware written in PHP.
That variant is distributed as fake installers for Microsoft Office, games and other software, hosted on legitimate file-sharing services such as MediaFire. Once the victim downloads and runs the fake installer, the malware is installed and the attacker obtains access to the victim's Facebook Business account. This is why software downloaded from third-party sites should be treated with suspicion even when it looks legitimate.
Ducktail is stealthy and difficult to detect and remove. Organisations should rely on layered controls (endpoint protection, firewalls and monitoring for the indicators listed below) rather than a single product, and users should remain cautious when opening attachments or following links from unknown senders.
Impact
- Sensitive Information Theft
- Credential Theft
Indicators of Compromise
MD5
- 65d65ab4e7b7620f8afcd8ceff04e998
- cccf1887236ee1f6f377d80ed9e29aae
- beb3d3d11117987c3a2eccbf5a53981a
- 7b08e3c5c1e979b66dcc964fe8880a36
SHA-256
- d522245db4804d606ea7d02b16553f950b6eebb5984ae2eece667648c3aa6385
- 2e37e882336709bfbec27cc4a2d8184f9bb8a0f9c189a841c8b295e101e32b17
- 6b5a67ac819fad6c1d05e38a71e897cde114a795bccafd185f16309774de4fde
- 4d8e41445f1bad472fbf8a9715b017db19e8564e87b0d9649d7939345120ea76
SHA-1
- 6ce725842500d9a69031bd5dfa5765e806c64f10
- 2309b3982e27b5041e5b2d5061c180edaec2b1aa
- 266d6e2afb3b134250bf54fc884a95f1123a67d0
- b962eb6dc0c34a21ee0e41c14990bf4d59300461
Remediation
- Block all listed threat indicators at your respective controls (email gateway, web proxy, EDR, firewall).
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls, and treat any match as a confirmed compromise of that host and of any Facebook Business session it held.
- Maintain cyber hygiene by keeping anti-virus software updated and running a patch management lifecycle.
- Maintain Offline Backups – Although Ducktail is an information stealer rather than ransomware, an adversary with access to backups will often delete or encrypt them. Keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources or senders.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritise patching known exploited vulnerabilities and zero-days.
- Along with network and system hardening, apply code hardening within the organisation so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
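The first two remediation items ask you to block and hunt for the hashes listed under Indicators of Compromise. The script below is an added illustration of that hunt and is not Rewterz's or any vendor's tooling: it parses the advisory's own hash list (copied verbatim into the script, in the advisory's "ALGO / - hash" layout), validates each value against the length its heading implies, and sweeps a directory tree computing MD5, SHA-1 and SHA-256 in a single pass. The file names and contents written by demo() are constructed for the example and are not real Ducktail samples. One caveat a practitioner should keep in mind: hash matching only finds the exact builds listed, so a recompiled or repacked installer will not match; a clean sweep means "these samples are not on disk", not "no Ducktail".

```python
"""Hash-based sweep for the Ducktail IOCs listed in this advisory (added example)."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# IOC block copied from the advisory above, in its own "ALGO / - hash" layout.
ADVISORY_IOC_TEXT = """
MD5
- 65d65ab4e7b7620f8afcd8ceff04e998
- cccf1887236ee1f6f377d80ed9e29aae
- beb3d3d11117987c3a2eccbf5a53981a
- 7b08e3c5c1e979b66dcc964fe8880a36
SHA-256
- d522245db4804d606ea7d02b16553f950b6eebb5984ae2eece667648c3aa6385
- 2e37e882336709bfbec27cc4a2d8184f9bb8a0f9c189a841c8b295e101e32b17
- 6b5a67ac819fad6c1d05e38a71e897cde114a795bccafd185f16309774de4fde
- 4d8e41445f1bad472fbf8a9715b017db19e8564e87b0d9649d7939345120ea76
SHA-1
- 6ce725842500d9a69031bd5dfa5765e806c64f10
- 2309b3982e27b5041e5b2d5061c180edaec2b1aa
- 266d6e2afb3b134250bf54fc884a95f1123a67d0
- b962eb6dc0c34a21ee0e41c14990bf4d59300461
"""

# Heading as written in the advisory -> hashlib name and expected hex length.
ALGOS = {"MD5": ("md5", 32), "SHA-1": ("sha1", 40), "SHA-256": ("sha256", 64)}


def parse_ioc_block(text):
    """Parse the advisory's hash list into {"md5": set(), "sha1": set(), "sha256": set()}.

    A value whose length or alphabet does not fit the heading it sits under is
    rejected, so a copy/paste error cannot silently become a hash that never matches.
    """
    iocs = {name: set() for name, _ in ALGOS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper() in ALGOS:
            current = ALGOS[line.upper()]
        elif line.startswith("-") and current:
            name, length = current
            value = line.lstrip("- ").lower()
            if len(value) != length or any(c not in "0123456789abcdef" for c in value):
                raise ValueError(f"malformed {name} hash: {value!r}")
            iocs[name].add(value)
    return iocs


DUCKTAIL_IOCS = parse_ioc_block(ADVISORY_IOC_TEXT)


def hash_file(path, chunk_size=1 << 20):
    """Return MD5, SHA-1 and SHA-256 of a file in one pass (large files are streamed)."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, iocs=DUCKTAIL_IOCS):
    """Walk `root` and return [(path, algo, hash)] for every file whose digest is an IOC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file; cannot be confirmed either way
            for algo, value in digests.items():
                if value in iocs[algo]:
                    hits.append((path, algo, value))
                    break  # one hit per file is enough
    return hits


def demo():
    """Constructed demonstration: two harmless files in a temp dir, scanned twice.

    Returns (hits against the advisory IOCs, hits against an IOC set that contains
    the constructed file's own SHA-256). File names here are made up for the example.
    """
    root = tempfile.mkdtemp(prefix="ducktail-scan-")
    sample = Path(root) / "OfficeSetup.exe"  # hypothetical fake-installer name
    sample.write_bytes(b"constructed sample, not real malware\n")
    (Path(root) / "notes.txt").write_text("benign file\n")
    advisory_hits = scan_tree(root)
    sample_iocs = {"md5": set(), "sha1": set(), "sha256": {hash_file(sample)["sha256"]}}
    return advisory_hits, scan_tree(root, sample_iocs)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, value in scan_tree(target):
        print(f"MATCH {algo} {value} {path}")
```

Run it as `python ducktail_sweep.py /path/to/user/Downloads` (or any other directory where a fake installer would have landed); each match is printed with the algorithm and digest so it can be pasted straight into a ticket. Because hash_file() computes all three digests in one read, the sweep costs one pass over the disk regardless of how many hash types the advisory lists.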