On October 13th, 2022, ZScaler, a cloud security firm, published a blog post detailing this latest discovery. The new PHP version is being distributed by "pretending to be a free/cracked program installer." It also targets numerous platforms, such as Telegram and Microsoft Office applications.
This revised version of the malware uses a PHP script instead of the previously used .Net binary to execute the malware. When the app is installed, the victim is told it is "checking application compatibility." In reality, two .tmp files are generated. The file then executes two processes to steal data.
The original version of the Ducktail malware was discovered in late 2021. A Vietnamese operator used it to hack into Facebook Business and Ads Manager accounts.
The original strain of Ducktail, as reported by ZScaler, has the ability to steal sensitive financial information and manipulate website content. These cyberattacks were exceptionally well-planned and managed to evade Facebook's security measures. The attacks targeted high-ranking employees with advanced permissions in a company.
Additionally, the Ducktail malware can attempt to access two-factor authentication codes to bypass extra account security. Ducktail also targets various data, such as client information, email addresses, and payment card information.
Similarly, the PHP variant of Ducktail malware is intent on stealing sensitive data that can be exploited for financial gain. In addition to payment information, this variant of PHP Ducktail malware also targets email addresses, payment records, funding sources, account statuses, and funding records.
Ducktail's PHP variant and original Ducktail share many similarities, making them a significant threat to Facebook accounts. To enhance the effectiveness of Ducktail's attacks, Ducktail's developers are likely to continue developing future versions of their original code. Therefore, users should be vigilant in protecting their account information and be aware of the dangers of this malware.