DuckTail: Dissecting a complex infection chain started from social engineering

Introduction

It is concerning to learn about the increasing use of social engineering tactics to exploit users on social media platforms. Cybercriminals commonly disguise malware as games, music, software, and other media content to deceive users into downloading and installing malicious software on their devices.

One such sophisticated stealer is DuckTail, which was first identified by WithSecure Intelligence in July 2022. It appears that the group behind DuckTail has been active since late 2021 and has been using .NETCore to carry out their attacks. However, according to the Zscaler ThreatLabz Analysis, the group switched to using PHP in August 2022. This demonstrates that cybercriminals are continually adapting their tactics to evade security measures.

The Yoroi ZLab has discovered evidence of new campaigns utilizing different tactics, including more complex delivery mechanisms and victimology, which began in April 2022. It is crucial for individuals and organizations to remain informed about these tactics and take necessary precautions, such as exercising caution when downloading or clicking on links, maintaining up-to-date software and security measures, and educating themselves about the latest security threats.

About the TA

Ducktail appears to be a persistent and consistent threat on the social media landscape, with a particular focus on Facebook. The attacker's objective is to compromise business social media accounts, possibly to carry out additional malicious intrusions.

The threat actor's activity has intensified since the last few months of the previous year when they began creating various campaigns to entice social media users and persuade them to click on malicious links. One such campaign involves a fake website offering photos of models.

The link leads to a media-hosting website claiming to enable the download of this malicious data.

The threat actor behind this persistent malware campaign has taken significant measures to create a resilient and effective malicious infrastructure. The creation of a total of seven fake file hosting domains suggests that the threat actor is attempting to deceive users into believing that they are accessing legitimate files, when in fact they are downloading malware hosted on the true hosting domains.

By hosting their files on multiple domains, the threat actor can ensure that their malware remains available even if one or more of the domains are taken down. Additionally, by using popular hosting services such as Mediafire and Google Cloud, the threat actor may be attempting to blend in with legitimate users and avoid detection.

Furthermore, the threat actor has also created three Facebook pages as part of their infrastructure, indicating that they are using social media platforms to spread their malware. Social media platforms provide an easy way for the threat actor to distribute their malware to many users quickly and easily. The use of Facebook pages may also allow the threat actor to bypass some security measures that are designed to block known malicious websites.

The use of multiple fake and legitimate domains, as well as social media platforms, suggests that the threat actor is highly motivated and determined to spread their malware. The threat actor has invested significant time and resources into creating a resilient and effective malicious infrastructure.

Some of the intercepted fake file hosting domains include:

• download5s.]com
• x-photos.]net
• beautygirls-photos.]com
• beautygirls-picture.]com
• photo-cam.]com
• x-album.]com
• x-albums.]com
• x-pictures.]net
• hxxps://sites.google.]com/view/lonely-in-car

True Hosting Domains:

• s1-download-photos.]com
• jmooreassoc.]com
• meetstaci.]com
• kimhasa.]com
• notodaiya.]com
• karbilyazilim.]com
• shble.]com
• velascasadelaluz.]com
• hxxps://download2388.mediafire.]com/eif5tfodd4ng/hrcyyor418tp8hw/Album_Beautiful_Girl_In_The_Hotels.rar
• romeflirt.]com
• ikejd.]com
• hxxps://storage.googleapis.]com/migc/AlbumNo6128183.zip

Pages:

• camliveproduction
• The-Best-moment-105684484236827
• xphotonetn

Based on these starting points, it is possible to reconstruct the entire infection chain. In the following sections, technical details about all the phases of the infection chain will be provided.

Technical Analysis

We observed two different campaigns of DuckTail, of which one is written in Python and another one is in PHP.

DuckTail Python Version – 1st Variant

The infection starts with a malicious zip archive containing many identical executable files, pretending to be images of a gallery belonging to a model. This archive is retrieved on one of the fake storage websites we identified and reported in the previous section:

An extract of that archive is the following:

These files have all different hashes but the same behavior: use a powershell script to download an InnoSetup Installer (c17524501439d58ffb701907d83e3e20558a445363fa0733bb328e0d69c91441) containing the core of DuckTail.

That archive extracts all the files for the next step of the infection in one of the following paths:

• %AppData%\Local\Packages\Rnews\v13-15
• %AppData%\Local\Mozilla\Conf\v13-15
• %AppData%\Local\Google\Conf\v13-15
• %AppData%\Local\Packages\Conf\v13-15
• %AppData%\Local\Microsoft\Conf\v13-15
• %AppData%\Local\Media\Conf\v13-15

The package of DuckTail contains a series of files:

• rnews.exe (e1517e6bd6169c543083e36c45894a98b8ae592bf9dc265978f198af70a853b1) Ducktail
• curl.exe curl tool
• Rar.exe CLI WinRar tool
• rhc tools
• Python DLLs and files

The program in question was created using Nuitka, a tool that transforms Python modules into a C-based program. This allows the program to operate similarly to CPython, utilizing both "libpython" and its own static C files. Nuitka is a compiler for Python that generates standalone binaries from Python scripts, making them more efficient and faster.

Upon analyzing the program's strings, it appears that the program is specifically designed to target Facebook business accounts. By obtaining an overview of the program's capabilities, we can better understand its intended purpose and how it may potentially harm targeted accounts.

The program described in the previous section steals Facebook-related information through the API, using a specific client ID. More specifically, it obtains the victim token by making a request using the client ID "124024574287414", which happens to be the ID of "Instagram". By using this particular client ID, the program aims to avoid detection, as the victim may not be suspicious when checking their settings and seeing that the request comes from Instagram.

It is worth noting that the use of APIs to extract data is a common tactic used by cybercriminals to gather sensitive information. APIs, or Application Programming Interfaces, are sets of protocols and tools used for building software applications. APIs can provide a convenient way to extract data from various platforms, but they can also be used maliciously to steal data, as in this case.

Moreover, Nuitka, the Python compiler used to generate the program, is a powerful tool that allows developers to create stand-alone executables from Python code. It does this by converting Python modules into C-based programs, which can run faster and use fewer resources than traditional Python code. Nuitka is an open-source project that is actively maintained and used by developers around the world.

Overall, the use of Nuitka and APIs highlights the sophisticated tactics used by cybercriminals to steal sensitive information from their victims. As technology continues to advance, it is crucial for individuals and organizations to stay vigilant and take necessary precautions to protect their data and privacy.

Joining the analysis of DuckTail and the permissions it asks to the API, we figured out it might steal the following information from Facebook:

• Credentials
• Token
• UID
• Complete information about victim account
• 2FA Status
• Recovery Code

And, Chrome, Firefox (Cookies, Passwords, Preferences, Bookmarks, History). Once finished it sends the stolen information to the following C2s:

• hxxps://riospress.]com/rss/news
• hxxps://ro2sport.]com/rss/news

Uses WMI to collect machine information:

• /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName
• Win32_VideoController GET VideoModeDescription
• Win32_VideoController GET Name
• Win32_PhysicalMemory GET Capacity
• Win32_Processor GET Name

The collected information is written to a file called “info.json”.

DuckTail stores the config inside "config.json".

With the folliowing parameters:

DuckTail PHP Version – 4th Variant

The PHP variant of the malware utilizes a technique called DLL sideloading, which involves the use of a legitimate tool named "WDSyncService.exe" from Western Digital. This technique is often used by attackers to bypass security measures since it is harder for antivirus software to detect malicious activities that involve legitimate tools. The WDSyncService.exe tool is used to execute an InnoSetup installer, which is obfuscated through multiple layers to avoid detection.

The DLL loaded by the malware is responsible for loading a specific resource identified by the GUID "{9117cb49-a00b-4379-8d00-32eeaa57627f}". After decryption, this resource contains further instructions that are used by the malware to continue the infection process. The use of encryption makes it difficult for security researchers to analyze the code and understand the exact steps involved in the infection process.

The use of legitimate tools and techniques by attackers highlights the need for organizations to implement strong security measures and keep their software and tools up-to-date. Furthermore, it is important to educate employees about the risks of opening suspicious files and emails, and to establish security protocols that can help prevent attacks. Keeping systems patched and up-to-date, as well as using reliable antivirus software, can also help detect and prevent attacks. In summary, staying vigilant and proactive about security can help prevent malware infections and minimize their impact on an organization.

To elaborate on the previous text, the resource containing the next steps of the infection is AES encrypted, which is a widely used encryption standard. Once decrypted, the resource contains several Base64 encoded strings. Instead of decrypting each string when needed, all the encrypted strings are contained and decrypted in a single resource that is treated as a data structure for the following steps.

This approach of containing and decrypting all the strings at once can be more efficient and harder to detect compared to decrypting individual strings. The use of AES encryption and Base64 encoding can also make it more difficult for security researchers to analyze and understand the malware.

Additionally, the use of DLL sideloading with a legitimate Western Digital Tool named “WDSyncService.exe” is a technique used by the threat actors to evade detection by antivirus software. By using a legitimate program, the malware can blend in with normal processes, making it harder to detect and investigate.

It is worth noting that malware creators use various techniques to evade detection and compromise systems, and it is essential for users to remain vigilant and keep their systems updated with the latest security patches and antivirus software. Regular backups of important data can also help to mitigate the damage caused by malware attacks.

The sample proceeds by decrypting another resource ({9872ec39-1510-4b83-bbab-29deae7a2bde}) which is a portable executable (PE) file. This PE file contains another resource called "subtitle1", which is Base64 encoded. The PE file has four characters before the "MZ" signature that reads "DPAI". Additionally, two characters in the PE file are obfuscated and have been replaced by the symbols "* " and "|".

The method employed to obfuscate the code fragments has been found to be effective in evading the detection of various automated analysis tools. However, it is still possible to manually deobfuscate the code by setting a breakpoint on the ".NET" function "FromBase64String" and comparing the decoded characters with those used for obfuscation. This approach enables the decryption of the code, thereby revealing its true purpose.

It is worth noting that the use of obfuscation techniques is quite common in malware development. The primary objective of employing such methods is to make it harder for analysts and researchers to reverse engineer the code and understand its functionality. The encrypted code can be easily decrypted if the algorithm and the key used for encryption are known. Therefore, obfuscation is used to add an additional layer of protection and make the code more resilient to reverse engineering techniques. However, with careful analysis and the use of advanced tools, it is often possible to deobfuscate the code and uncover its true nature.

After completing all the deobfuscation procedures, another binary sample protected by SmartAssembly emerges, which is a .NET binary. This sample contains encrypted data inside resources, which are again AES encrypted. The binary first checks if there are any arguments passed to it by checking the length of the arguments. If there are no arguments, the binary does not proceed with its execution."

To expand on the text, SmartAssembly is a .NET obfuscation tool used to protect software from reverse engineering. It is designed to make the analysis of the code as difficult as possible, by obfuscating names, methods and even entire classes. The use of encryption, like AES, adds another layer of protection, making it even more challenging to reverse engineer.

The fact that the binary checks for arguments before proceeding with execution suggests that it may be designed to be run in a specific way or with specific parameters. This can make it more difficult to execute and analyze the binary, as the user must understand how to correctly pass arguments to it in order for it to work properly. This can be another effective technique for evading detection by automated analysis tools.

The code protection structure of this sample is quite similar to the previous packer sample. It involves decrypting a list of Base64 strings, which leads to a Base64 encoded Portable Executable (PE). However, this time, an anti-repeat check is performed in the process.

The anti-repeat check is used to ensure that the malware is not installed on the same system multiple times. This is done by checking the system for the presence of a specific file or registry key, which is usually created during the first installation. If the file or registry key exists, the installation is terminated.

Once the anti-repeat check is completed, the malware proceeds with its execution. It typically performs various malicious activities, such as stealing sensitive data, recording keystrokes, and installing additional malware components.

It is worth noting that the use of Base64 encoding and other obfuscation techniques by malware authors aims to evade detection by security software. However, security researchers often use tools and techniques to deobfuscate and analyze such code, enabling them to identify and mitigate the threats posed by such malware.

The code structure of this packer sample is quite similar to the previous one. A list of Base64 strings is decrypted, and then a Base64 encoded PE is extracted. However, this time an anti-repeat check is performed to prevent duplication of the same code. From the list of Base64 strings, the program selects "m.txt." It then checks if this file exists, and if it does, the program returns/exits. Otherwise, it proceeds to decrypt another resource containing a PE that, in turn, contains another resource which is also another Base64 obfuscated PE.

By completing the same self-decoding steps as previously analyzed, we were able to retrieve the final payload, an InnoSetup installer containing other malicious code with the MD5 hash of 8c60a4691f610e325597af83ee2c99945e7eb1cb189fff03cf2264e461fead53.

The final stage of the malware execution involves saving a file named "AYSVDAWHDAADAOC.exe" as "C:\Users\Admin\AppData\Local\Temp" and then executing it. During this process, the malware ensures persistence by creating a scheduled task.

The InnoSetup installer contains two PHP samples - "index.php" and "include.php" - along with "php.exe" and "rss.txt". These PHP samples are obfuscated using the IonCube Loader, a commercial protector that is commonly used to ensure copyright protection for specific web applications built using the PHP framework.

The "rss.txt" file is a Base64-encoded PE that is obfuscated using the same technique of missing characters. In this case, the missing characters are "*", "|", and "+". By examining other Base64-encoded PEs, we can easily determine that these missing characters are respectively replaced by "A", "B", and "g". Once decoded, this file returns another component that is written in Rust and has the MD5 hash value of "16ad22f8ab4f99a03bc2b68bf3314397f30f67a01bb5a283020e85979b811d93".

Memory analysis of the malware also reveals the C2s (Command and Control servers) of the malicious infrastructure. These C2s are:

• rapadtrai.]com
• graeslavur.]com
• caseiden.]com
• te5.techgeetam.]com
• sensetria.]com

It is important to note that these C2s may change over time as the malware evolves and adapts to new environments.

Decoding an unprotected version

Regrettably, we were unsuccessful in our attempt to decrypt IonCube, but we discovered additional samples that were not encrypted and resolved to conduct further analysis based on these samples. Among these samples is "index.php" (5bac0b4ee00c1cb9a5b2969a18077ab74257790bd2610224253d3faf58714f43), which contains the DuckTail code. The behavior of the code is consistent across all its variants, with its primary goal being the collection of Facebook account information belonging to its victims.

include.php (8fd4910dd8b05c9ea617f9b86f31aac5663db12495e9295ccaf19e3d58b8b3b4) establishes persistence using the task scheduler and decodes “rss.txt” executable. In this way, the malicious implant guarantees itself a mechanism to download. 

The following is the function responsible for decoding and deobfuscating the payload contained in rss.txt and for getting the current time by executing this payload, this time is used for calculating the task interval.

The method used to calculate the task interal is the following:

Rss.txt – Rust Chrome key decoder

The Rust payload is also responsible for decrypting the Chrome encrypted_key. It is encrypted using the DPAPI, which is a function that can be called using the API function CryptUnprotectData. The following figure shows the routine where the Chrome encrypted_key resides and the payload output, with the encrypted_key passed as an argument for the /c parameter.

Conclusion

Tracking malicious infrastructures is a critical aspect of cybersecurity as it enables professionals to identify the source of an attack and take necessary actions to prevent future attacks. Malware analysis is an essential process that helps to uncover the hidden tactics and techniques used by attackers. Understanding the methods of cybercriminals can assist cybersecurity professionals in developing more effective security measures to detect and mitigate potential threats. This can include blocking IP addresses, shutting down servers, and identifying the attacker's location.

Tracking malicious infrastructures can also help in sharing threat intelligence within the cybersecurity community. The cyber threat landscape is constantly evolving, and by sharing information, organizations and security experts can stay informed and up-to-date with the latest threats. This can help other organizations and security experts to take necessary precautions and protect themselves against similar attacks.

Furthermore, tracking malicious infrastructures can help in developing new security measures and improving existing ones to prevent future attacks. By analyzing and understanding the tools and techniques used by attackers, cybersecurity professionals can develop more effective security measures that can detect and mitigate potential threats. This can include implementing intrusion detection and prevention systems, deploying security patches, and educating employees about cybersecurity best practices.

Overall, tracking malicious infrastructures is a vital component of any comprehensive cybersecurity strategy. By doing so, organizations can strengthen their security posture, protect their assets, and prevent potential cyber-attacks. Cybersecurity professionals should prioritize malware analysis and invest in the necessary resources to ensure that they can effectively identify and track malicious infrastructures. Through collaboration and knowledge-sharing within the cybersecurity community, organizations can stay ahead of the constantly evolving cyber threat landscape and protect themselves against potential threats.

Indicators of Compromise

DuckTail Campaign:

• Fake File Hosting Domains:
  • download5s.]com
  • x-photos.]net
  • beautygirls-photos.]com
  • beautygirls-picture.]com
  • photo-cam.]com
  • x-album.]com
  • x-albums.]com
  • x-pictures.]net
  • hxxps://sites.google.]com/view/lonely-in-car
• True Hosting Domains:
  • s1-download-photos.]com
  • jmooreassoc.]com
  • meetstaci.]com
  • kimhasa.]com
  • notodaiya.]com
  • karbilyazilim.]com
  • shble.]com
  • velascasadelaluz.]com
  • hxxps://download2388.mediafire.]com/eif5tfodd4ng/hrcyyor418tp8hw/Album_Beautiful_Girl_In_The_Hotels.rar
  • romeflirt.]com
  • ikejd.]com
  • hxxps://storage.googleapis.]com/migc/AlbumNo6128183.zip
• Pages:
  • camliveproduction
  • The-Best-moment-105684484236827
  • xphotonetn

DuckTail Python:

• fcec8d28e17f7af13d0961eb8b8d25eaf0e76e50fdc8cd4e2e79de7d6b67d25d (Archive)
  • Downloaders:
    • 2320b045e831ee38c9abd1b872deb25c7d26d3437ba21491c06b8fc1a18143ac
    • 365ed9b3ab7d369a319a2ebe1da9953ab6ad4f9878f82aba3d30a47e9e0c60fb
    • 3e242475d95322df510e2437f5a1f319d8ee442dbc649fa1a443fd478b3e7876
    • 418d02b2f8013746f9f06e328ad4040063db887d85de141da39a7e7513f0459a
    • 446f5be2028492615b5b51d9de05e67e464a9ca26b0b47972dd43179cc8cb6e0
    • 50d55c4c79eaddf5368bdb9b60a68f35ed42f17ccb43812c95903306cdc126a9
    • 5a75df284314b0edcf9534c5f8a2d95013f73803fdbc56afb970af53cd9e0479
    • 65d4046b5a85327da285c05d72869c41aac8952e0fb8a44babe897528a674e58
    • 6d29ac0626b6908d938fe0d6a8d84b830c524d4b3f24255775d05a66f57c22ec
    • 718e88759a7e2ae40309b5c38de18a667305acafee07dfcdaee180c46bdc514c
    • 74955b4db49ea399fac96d09211152ead722016218dfaca4561a50990af1caa6
    • 74b25e1e2d33b666df5eb0fb26eb808f93faf78942f5f253d0e415753d048b89
    • 78380b620294ab60b558d0de3e38d479fa965eca1d1e38a9f97fbef62bfd8bd9
    • 898650ac940c4a6711fe81bef0c118f141305188a36431560fa7a6a3f299fdf0
    • 8ee067b7c23111cda02d5c5a4f6f10216d553dad90afaaa3b056869d74e8dd0b
    • 91318b6b2a8efeb759cb49f7cab6cc5b1bca7df41a9ccc378900d30c0ad25e4a
    • 91cd20e848f67432ce4e69449e8679f6a405f9087adae41510eb607e620d6177
    • a98f225699d8ff6875e08fb2f12236f6fc1f463d61aa1ace1cadb8deded60d0d
    • b59ee8c9242fd16971cf15ce4d8308944b1990b0c0cfaf96da1f83a6f6d6bf25
    • bb73253555f518c3646356da5b8a3747a541a8a48b72827e4dcf892cde94e094
    • c00e1239a781276f9be2f8920cc0a13367548b7638b7d483462c7c7b6daf6878
    • c636823a07b8498ea0496ff17c501ee69cf14ae18cb881ccc5721fc9b218cac4
    • ddceae97a3e0cbf28731203aa2d2067deab155b2601432e122bbfca712713285
    • f390c68389331be62695464e049df845b750bd03d82e4b6809bdc15a9439df44
    • f45711466e9182d606da6711318a6e6c14688a09636945b41a26d31d8056cb5f
    • f95d284a862662195c351db2cdb36d371a105585d783e7289d73cb07a442c4ba
    • f9691281cd8d6c2d5ebee974afb54024b67ae71c8a720e3fc37d5a7ec4b8f669
• c17524501439d58ffb701907d83e3e20558a445363fa0733bb328e0d69c91441 (InnoSetup Installer)
  • e1517e6bd6169c543083e36c45894a98b8ae592bf9dc265978f198af70a853b1 (DuckTail)

DuckTail PHP:

• 0f765b4fbeda401e5b4ff34cd470c0fe8d77eafad73b68852e59e3e6abb182cf (Archive)
  • 0fad31fc16beeb24ca924a94614f3905f5c463a972ae395eec58614d014e73ad (Malicious DLL)
  • cb807472bb6d4d1113fcbc209d6a08fa80ff9e53c83b1aa37f9d6f549affd68c (Legitimate WDSyncService Tool)
• 8c60a4691f610e325597af83ee2c99945e7eb1cb189fff03cf2264e461fead53 (InnoSetup Sample)
  • 16ad22f8ab4f99a03bc2b68bf3314397f30f67a01bb5a283020e85979b811d93 (Rust Sample)
  • 4abdb3f59e3433b2d410106c75d4711574e0b61b0ef92653b9971154d9841a4f (index.php)
  • 52bd6d7d8c9fe087ba64adafbfa623e49b69425829b8c9c8a8eadb2e06669892 (include.php)
• 5bac0b4ee00c1cb9a5b2969a18077ab74257790bd2610224253d3faf58714f43 (index.php not obfuscated)
• 8fd4910dd8b05c9ea617f9b86f31aac5663db12495e9295ccaf19e3d58b8b3b4 (include.php not obfuscated)
• C2:
  • rapadtrai.]com
  • graeslavur.]com
  • caseiden.]com
  • te5.techgeetam.]com
  • sensetria.]com

This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB