
Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Severity

High

Analysis Summary

Ducktail is an information-stealing malware family that targets Windows users. Early campaigns delivered it through spear-phishing emails carrying a malicious attachment or a link to an attacker-controlled site; the indicators below show the same pattern, with .lnk shortcut files named like business documents hosted on a lure domain. Once it runs, the malware establishes persistence and begins collecting information about the host and the network it is connected to.

The malware steals a wide range of sensitive data, including passwords, emails, documents and other confidential information, and can execute commands and download additional payloads onto the compromised system.

In October 2022 the threat actor behind Ducktail widened its targeting to any user with access to a Facebook Business account, using a new version of the malware written in PHP. Because this version spreads as trojanized software rather than by email, caution when downloading software from third-party websites matters as much as caution with attachments, even when the download appears legitimate.

The PHP version is distributed as fake installers for Microsoft Office, games and other software, hosted on legitimate file-hosting services such as MediaFire. When the victim runs the fake installer the malware is installed, and the attacker gains access to the victim's Facebook Business account.

Ducktail is built to evade detection, which makes it difficult to identify and remove once it is running. Organizations should layer their controls (endpoint protection, firewalls and egress filtering, and blocking of the indicators listed below) rather than rely on a single product, and users should treat unsolicited attachments, links and software downloads with suspicion.

Impact

  • Sensitive Information Theft
  • Credential Theft

Indicators of Compromise

MD5

  • 920ef2a079ce71b0918e15448b850d26
  • c2ec0d9a228a2c6d9e593c4650b1f15c
  • 164ddf442a2a874c97b88cc35d2518d5
  • 185c73e96739d5d0a38c253ad76757d0

SHA-256

  • 975136963065a46fdbcbb7a12463059311e41b21c7a20c7a9da2dc0fb68a1fb0
  • 5ded10e66e6bc519ff3d5355c1b99a4e8ccb27b61f80e31bedb3265fe431790d
  • fba663b3dbd45e1ca43b9c79bbdc483f73d1757b7092407fc80745014cb63a15
  • 5d0bb5ba8c7556b6ab1a7b606c58423424c0ac30b22383510020b1d1d07daf5a

SHA-1

  • 2618bc5430687e7757f314f9f12cff3005181f82
  • 3dff2ef324d435a174321af8491867c741946096
  • 339fdfb886df2704f6c030c3a3c0b75cd7f26a1a
  • e51ca0eb09fdf0c2cf87703164119df054aec7a8

URL

  • https://techvibeo.com/files2/Corridor%20NYC%20Project%20Plan.lnk
  • https://techvibeo.com/files2/LBusiness%20Plan%202023.lnk
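The hashes and URLs above only become useful once they are checked against your own file systems and proxy logs. The following Python script is an added example, not Rewterz tooling: it loads the advisory's indicators verbatim, hashes files under a directory with all three algorithms in a single pass, and matches proxy-log URLs whether the proxy recorded them percent-encoded or decoded. The tab-separated log layout, the host-level "lead" match and the sample log lines are assumptions constructed for illustration, not part of the advisory.

```python
"""Hunt for the Ducktail indicators published in this advisory.
Added example, not Rewterz tooling: hash and URL values are copied from the
advisory; the proxy-log format and sample lines are constructed here."""
import hashlib
import io
import os
from urllib.parse import unquote, urlsplit

# Indicators exactly as published in the advisory.
IOC_HASHES = {
    "md5": {"920ef2a079ce71b0918e15448b850d26", "c2ec0d9a228a2c6d9e593c4650b1f15c",
            "164ddf442a2a874c97b88cc35d2518d5", "185c73e96739d5d0a38c253ad76757d0"},
    "sha1": {"2618bc5430687e7757f314f9f12cff3005181f82", "3dff2ef324d435a174321af8491867c741946096",
             "339fdfb886df2704f6c030c3a3c0b75cd7f26a1a", "e51ca0eb09fdf0c2cf87703164119df054aec7a8"},
    "sha256": {
        "975136963065a46fdbcbb7a12463059311e41b21c7a20c7a9da2dc0fb68a1fb0",
        "5ded10e66e6bc519ff3d5355c1b99a4e8ccb27b61f80e31bedb3265fe431790d",
        "fba663b3dbd45e1ca43b9c79bbdc483f73d1757b7092407fc80745014cb63a15",
        "5d0bb5ba8c7556b6ab1a7b606c58423424c0ac30b22383510020b1d1d07daf5a",
    },
}
IOC_URLS = [
    "https://techvibeo.com/files2/Corridor%20NYC%20Project%20Plan.lnk",
    "https://techvibeo.com/files2/LBusiness%20Plan%202023.lnk",
]

def normalize_url(url):
    """(lower-case host, percent-decoded path): proxies log %20 or a space, both must match."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), unquote(parts.path)

IOC_URL_KEYS = {normalize_url(u) for u in IOC_URLS}
IOC_HOSTS = {host for host, _ in IOC_URL_KEYS}

def hash_stream(fh, chunk_size=1 << 20):
    """All three digests the advisory publishes, computed in one chunked pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def hash_bytes(data):
    return hash_stream(io.BytesIO(data))

def match_hashes(digests, ioc_hashes=IOC_HASHES):
    """Algorithms whose digest is an indicator; an empty list means no match."""
    return [alg for alg, value in digests.items() if value in ioc_hashes.get(alg, set())]

def scan_directory(root, ioc_hashes=IOC_HASHES):
    """Hash every regular file under `root`; return [(path, matched algorithms)]."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    matched = match_hashes(hash_stream(fh), ioc_hashes)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            if matched:
                hits.append((path, matched))
    return hits

# Constructed proxy log lines (assumed tab-separated: time, client, method, url, status).
SAMPLE_PROXY_LOG = [
    "2023-04-12T09:14:02Z\t10.20.1.15\tGET\thttps://techvibeo.com/files2/Corridor NYC Project Plan.lnk\t200",
    "2023-04-12T09:15:44Z\t10.20.1.22\tGET\thttps://TECHVIBEO.com/files2/LBusiness%20Plan%202023.lnk\t200",
    "2023-04-12T09:16:10Z\t10.20.1.22\tGET\thttps://techvibeo.com/files2/other.zip\t404",
    "2023-04-12T09:17:31Z\t10.20.1.30\tGET\thttps://www.example.com/index.html\t200",
]

def scan_proxy_log(lines, url_keys=IOC_URL_KEYS, hosts=IOC_HOSTS):
    """Return [(client, url, confidence)]. "url" = exact host+path indicator match;
    "host" = assumed lower-confidence lead: another request to an indicator host."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host, path = normalize_url(url)
        if (host, path) in url_keys:
            hits.append((client, url, "url"))
        elif host in hosts:
            hits.append((client, url, "host"))
    return hits

if __name__ == "__main__":
    for client, url, conf in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{conf}] {client} -> {url}")
```

Run `scan_directory` against user-profile and download folders, where a fake installer or .lnk lure would land, and feed your real proxy export into `scan_proxy_log` after adjusting the field split to its format. Treat a "host" hit as a triage lead only: the advisory publishes two URLs, not a verdict on the whole domain.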

Remediation

  • Block all threat indicators at your respective controls, and search your environment for the indicators of compromise (IOCs) listed above using your security tooling.
  • Enabling two-factor authentication (2FA), in particular on Facebook Business and other social-media accounts, adds an extra layer of security and can help prevent unauthorized access even if login credentials have been stolen.
  • Regularly back up your important data so that critical information is not lost in the event of a malware infection or other data-loss event.
  • Be wary of emails, attachments and links from unknown sources, and avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
  • Keep all software, including the operating system and applications, up to date with the latest security patches. This helps close vulnerabilities that Ducktail and other malware could exploit.