Vietnamese Hackers Using New Delphi-Powered Malware to Target Indian Marketers

November 14, 2023 at 03:27AM

Vietnamese threat actors behind the Ducktail stealer malware targeted marketing professionals in India between March and October 2023, aiming to hijack Facebook business accounts. Unlike previous campaigns, this one used Delphi as the programming language. The attackers used sponsored ads on Facebook to propagate malicious ads and deploy malware, gaining unauthorized access to Facebook Business accounts for financial gain. They employed a deceptive method of sending archive files disguised as PDFs to potential targets looking for a career change. The malware ultimately hijacks the accounts and sends information to a server in Vietnam. Google has filed a lawsuit against individuals in India and Vietnam for spreading malware via Facebook by capitalizing on public interest in generative AI tools.

Key Takeaways:

– Vietnamese threat actors behind the Ducktail stealer malware conducted a campaign targeting marketing professionals in India to hijack Facebook business accounts.
– Unlike previous campaigns, this one used Delphi as the programming language instead of .NET applications.
– Ducktail, Duckport, and NodeStealer are part of a cybercrime ecosystem operating out of Vietnam, using sponsored ads on Facebook to propagate malicious ads and deploy malware.
– The attacks focus on users with access to a Facebook Business account, allowing the fraudsters to place advertisements for financial gain.
– Potential targets were sent archive files disguised as PDFs, containing a malicious executable.
– The malicious file saves a PowerShell script and a decoy PDF document locally in Windows.
– The script opens the decoy PDF, pauses, and terminates the Chrome browser process.
– The parent executable downloads and launches a rogue library, which scans specific folders for shortcuts to a Chromium-based web browser.
– The browser’s LNK shortcut file is altered to launch a rogue extension masquerading as the Google Docs Offline add-on.
– The extension sends information about open tabs to an actor-controlled server and hijacks Facebook business accounts.
– Google has filed a lawsuit against unknown individuals in India and Vietnam for using Bard lures to spread malware via Facebook and steal social media login credentials.
– The defendants distribute links to their malware through social media posts and ads, purporting to offer downloadable versions of Bard or other Google AI products.
– Users who click on these links are redirected to external websites where RAR archive files download to their computers.
– The archive files contain an installer that installs a browser extension capable of stealing social media accounts.
– Meta previously detected and blocked over 1,000 unique URLs related to deceptive browser extensions claiming to offer ChatGPT-related tools.
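A defender-side check for the shortcut tampering described in the takeaways above, added here as an example and not part of the original article: it parses the COMMAND_LINE_ARGUMENTS field of a Windows .lnk file (MS-SHLLINK layout) and flags Chromium switches that side-load an unpacked extension. The specific switches checked (`--load-extension`, `--disable-extensions-except`), the `build_lnk` sample builder and the folder walk are assumptions about how such a tampered shortcut would look, not details from the article.

```python
import re
import struct
from pathlib import Path

HEADER_SIZE = 0x4C
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Assumed indicators: Chromium switches that load an unpacked extension from an arbitrary folder
SIDELOAD = re.compile(r'--(?:load-extension|disable-extensions-except)=?(?:"[^"]*"|\S*)', re.I)

def _read_string(buf, pos, unicode):
    # StringData block: 2-byte CountCharacters, then that many chars (UTF-16LE if IsUnicode)
    count = struct.unpack_from("<H", buf, pos)[0]
    width = 2 if unicode else 1
    end = pos + 2 + width * count
    return buf[pos + 2:end].decode("utf-16-le" if unicode else "latin-1"), end

def lnk_arguments(buf: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS of a .lnk file, or "" if it has none."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", buf, pos)[0]
    args = ""
    for flag in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON):
        if flags & flag:                          # StringData blocks appear in this fixed order
            text, pos = _read_string(buf, pos, bool(flags & IS_UNICODE))
            if flag == HAS_ARGS:
                args = text
    return args

def sideload_switches(args: str) -> list:
    """Switches in the shortcut's arguments that make Chromium side-load an extension."""
    return SIDELOAD.findall(args)

def scan_shortcuts(folder) -> dict:
    """Map each .lnk under folder that side-loads an extension to its offending switches."""
    found = {str(p): sideload_switches(lnk_arguments(p.read_bytes())) for p in Path(folder).rglob("*.lnk")}
    return {path: sw for path, sw in found.items() if sw}

def build_lnk(args: str) -> bytes:
    """Constructed minimal .lnk with only COMMAND_LINE_ARGUMENTS set, used as sample input."""
    header = struct.pack("<I", HEADER_SIZE) + bytes(16) + struct.pack("<I", HAS_ARGS | IS_UNICODE)
    header += bytes(HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Point `scan_shortcuts` at the Desktop, Start Menu and taskbar pinned-shortcut folders of each user; a browser shortcut written by the installer carries no `--load-extension` switch, so any hit deserves a look at the referenced folder.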
