

In July 2022, security researchers discovered an operation called Ducktail, in which threat actors used information-stealing malware to target individuals and employees who might have access to Facebook business accounts. The perpetrators launched a spear-phishing campaign via LinkedIn direct messages aimed at marketing and HR professionals. This scheme would allow the threat actor behind Ducktail to take over Facebook business accounts and abuse the ad function for malicious advertising deployments. Given its growth and popularity, LinkedIn has increasingly become a preferred option for social engineering schemes and cybercriminal operations.

In March 2023, the Trend Micro Managed XDR team investigated several Ducktail-related web browser credential dumping incidents involving different customers. As a result, we discovered the involvement of a file that gathers user data, such as browser information, IP address, and geolocation, while also connecting to Facebook and Telegram domains. In this blog entry, we present our findings and technical analysis based on these incidents.

The file name of the sample file, which includes a reference to a job opening for a marketing director (Figure 1), is clearly aimed at marketing professionals. It is also likely that it mentions a higher leadership position to lure them into accessing the archive. Note that we only had access to the download link, so we can't definitively say how these links were delivered to the target; however, it's possible that LinkedIn messages were used given Ducktail's historical use of the platform.

Through the file name, we were able to gather the contents (Figure 2) as well as the source (Figure 3) of the archive. Upon checking the domain, we found that the malicious file was hosted on iCloud, Apple's cloud file-hosting service. Note that the URL is already inactive at the time of writing.

Once the threat connected to Telegram, we decided to search for other affected machines. Using the Telegram IP address, we searched for other possible infections in the environment using the Search app function of Trend Vision One™. The search yielded the following processes on a couple of machines:

C:\Users\\AppData\Local\Temp\onefile\MicrosofOffice.exe
C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MS Excel.exe

We verified that all files were similar to the first detected file. Notably, the names of the binaries in this case made it seem like they were Office applications.

Security recommendations and Trend solutions

Given the heavy use of social engineering lures by today's threat actors, individual users and organizations should take great care to avoid selecting links or downloading files from unknown sources, whether they are sent via social media websites such as LinkedIn and Facebook, or through emails.
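The two process paths found during the investigation share traits a defender can hunt for without a vendor console: an executable persisted in the user's Startup folder, an executable launched from a Temp\onefile directory, and a file name that imitates an Office product while living outside Program Files\Microsoft Office. The following triage script is an added example, not Trend Micro's code or part of Trend Vision One; the hostnames, usernames and telemetry rows are constructed, and the name-similarity threshold is an assumption chosen for this illustration.

```python
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed process-start telemetry: (hostname, image path). Not real incident data.
SAMPLE_EVENTS = [
    ("WS-01", r"C:\Users\alice\AppData\Local\Temp\onefile\MicrosofOffice.exe"),
    ("WS-01", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MS Excel.exe"),
    ("WS-02", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ("WS-02", r"C:\Windows\System32\svchost.exe"),
]

# Office product names a lure binary may imitate (compared with spaces/case removed).
OFFICE_NAMES = ("microsoft office", "excel", "word", "powerpoint", "outlook")
LEGIT_OFFICE_DIR = re.compile(r"^[a-z]:\\program files( \(x86\))?\\microsoft office\\", re.I)
STARTUP_DIR = re.compile(r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
ONEFILE_DIR = re.compile(r"\\appdata\\local\\temp\\onefile\\", re.I)
SIMILARITY = 0.85  # assumed threshold: tolerates a dropped/extra letter such as "Microsof"


def looks_like_office(stem):
    """True if the file stem contains or closely resembles an Office product name."""
    s = re.sub(r"[^a-z]", "", stem.lower())
    for name in OFFICE_NAMES:
        n = name.replace(" ", "")
        if n in s or SequenceMatcher(None, s, n).ratio() >= SIMILARITY:
            return True
    return False


def triage(path):
    """Return the list of rules a process image path trips; empty list means no finding."""
    p = PureWindowsPath(path)
    reasons = []
    if p.suffix.lower() == ".exe" and STARTUP_DIR.search(path):
        reasons.append("exe persisted in user Startup folder")
    if ONEFILE_DIR.search(path):
        reasons.append("exe running from Temp\\onefile")
    if looks_like_office(p.stem) and not LEGIT_OFFICE_DIR.match(path):
        reasons.append("Office-lookalike name outside Program Files\\Microsoft Office")
    return reasons


def hunt(events):
    """Group findings by host: {hostname: [(path, reasons), ...]} for matching events only."""
    hits = {}
    for host, path in events:
        reasons = triage(path)
        if reasons:
            hits.setdefault(host, []).append((path, reasons))
    return hits


if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        for path, reasons in findings:
            print(host, path, "->", "; ".join(reasons))
```

A genuine Office install under Program Files is deliberately left out of the findings, so the output is a short list of hosts to pull for closer review rather than every machine that runs Excel.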
