Research Saturday 10.7.23
Ep 302 | 10.7.23

Targets from DuckTail.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities. Solving some of the hard problems and protecting ourselves in a rapidly evolving cyber space. Thanks for joining us. [ Music ]

Deepen Desai: Multiple Vietnam-based threat actors will share identical tactics, techniques, and procedures based on what we have seen.

Dave Bittner: That's Deepen Desai. He's global CISO and Head of Security Research and Operations at Zscaler. The research we're discussing today is titled "A Look into DuckTail." [ Music ]

Deepen Desai: They also share the same motivation. I mean, their goal is to gain access to social media, business accounts, specifically the ones belonging to digital marketers.

Dave Bittner: Well let's walk through this together. I mean, how would someone find themselves victimized by DuckTail?

Deepen Desai: Yeah, so the malware involved in this case, DuckTail malware, it basically steals saved session cookies from browsers. And with code specifically tailored to take over, like I said, social media accounts. But they're targeting Facebook business accounts. The malware actually spreads using LinkedIn. So if you look at it, I mean all these vectors that I'm going to describe, these are all legitimate services. So they abuse cloud services to host [inaudible 00:01:50]. Think of Dropbox, think of iCloud. They abuse GitLab to fetch CNC information. They abuse LinkedIn for social engineering victims and spread the malware. And then they're ultimately targeting social media business accounts where you should think of Facebook, Google, TikTok.

Dave Bittner: Wow, they're spreading it around. Right? Alright, so someone is out there minding their own business and they find themselves targeted by DuckTail. What's the first thing that DuckTail's going to do?

Deepen Desai: Yeah, so even in the way they're targeting. Unfortunately, again, this is a group which is targeting a lot of the folks that did go through the tech layoffs as well that occurred in 2022, 2023. These are folks that are also in the digital marketing space. So what we saw was, in fact, they're also weaponizing the recent popularity of generative AI platforms. Apps like ChatGPT and Google Bard AI. If you look at what the research team published, there are these fake pages that are being set up, which are luring victims onto them. Once the victim falls for it, coming back to your question, the malware will basically get installed, establish persistence, and the goal over there is primarily to get access to these business accounts that the victims have access to. And once they get that, they're then again spreading, from that point forwards, following financial scams and gaining financial benefits out of it.

Dave Bittner: And they're starting out here with some social engineering, is that the first step?

Deepen Desai: The starting point is indeed social engineering. And it was just fascinating to see how many different things that these guys are trying to take advantage of. So, we literally saw, hey, maximize your ROI with ChatGPT for Facebook advertising. Right? That's one of the pages that they stood up. Again, with the target being Facebook business accounts. The victim sees this, falls for it, that's one of the ways in which they will get them. We saw a similar thing being done for Google Bard, ClickMinded, and a few other apps.

Dave Bittner: And ultimately, they're putting a package on the victim's computer here and tricking them to execute it?

Deepen Desai: That is correct, yeah. So, the malware gets installed on the victim's machine. That malware, landing through these social engineering tactics that I just described, once the malware is installed, it will establish persistence. It will further steal victims' information, which will include Facebook, you know, and then it will also leverage the channel that I described to communicate back with the threat actor. Which involves GitLab, which involves several cloud services where the nasty stuff is hosted. [ Music ]

Dave Bittner: What is your sense here in terms of any kind of infrastructure that the DuckTail folks may have up and running?

Deepen Desai: I mean, if you think about it, 70 to 80%, or even slightly more, their infrastructure is using these legitimate service providers. And then this is where our team does collaborate with many of these vendors. When we see activity like this, we do provide TTPs, intelligence IOCs, that we flagged as part of our tracking and coverage activities. So we have two goals. One is obviously to make sure our customers that rely on Zscaler are protected against these TTPs, but then at the same time, we do work with these vendors to make sure some of these accounts are taken down and they will also perform victim notification.

Dave Bittner: You mentioned that they seem to be after business Facebook accounts, for example. What do they want that for? What's the ultimate goal here?

Deepen Desai: The ultimate goal is to perform financial scams. You know, transfer money that exists in that business account as well. They're in it for money, right? So raiding business and ad accounts. They will target, like I said, Facebook, TikTok, these stolen social media business accounts are also then further sold. You know, in the underground forums. They make money out of giving access to the other adversaries as well that are part of that group.

Dave Bittner: It seems to me like they're employing a wide range of tactics here. And as you say, taking advantage of social media platforms, one of the things you and your team highlighted here was they'll use a compromised LinkedIn account for communication, for example.

Deepen Desai: Exactly. So, yeah, using those legitimate channels is what is helping them. Unless the organizations are -- so, think of an employee that falls for it. The organization needs to be doing TLS inspection to even get hold of these payloads when they're in transit between a Dropbox or an iCloud going to the employee laptop. This is also where when it goes back to the C&C server, the communication is happening over TLS as well. So all of these, unless you're doing TLS inspection, you will be blind to the payload getting in, the data leaking, the exfiltration of your credentials information that the malware is able to extract from the victim's machine. You need to have a strategy in place to prevent this.

Dave Bittner: And then additionally, they're selling some of these credentials on underground markets?

Deepen Desai: Exactly. So that's one way they're making money, right? They're selling this to the next level adversaries which will then make use of these stolen credentials to perform further multi-stage attacks.

Dave Bittner: So what's your estimation here of the sophistication of this actor? Does it seem as though they have substantial skills?

Deepen Desai: I would say they are definitely moderately skilled. Look at the fact that, I mean, the image that we published as part of our research, the fact that they're trying to evade, you know, detections from the majority of the vendors by leveraging tools, techniques, and procedures that are fairly effective. Also the fact that we've all been talking about since early this year, obviously, generative AI, we're going to see more and more malware authors starting to take advantage of it. While they're not directly using ChatGPT and Bard AI here, they're definitely jumping on the hype cycle, right? Where they're leveraging these apps to lure victims into installing malicious software.

Dave Bittner: So what are your recommendations here for folks to best protect themselves?

Deepen Desai: I'll probably be kind of repeating myself, but very, very important for organizations to perform TLS inspection if you were to get hit by a campaign involving DuckTail malware. The GPTs that we just described. Unless you're doing TLS inspection, you're basically blind to the payload getting in [inaudible 00:09:43] as well as the C2 activity that will happen once you have established persistence. Number two, you need to have proper users to have segmentations of the malware. Even if it were to download a stage 2 payload that has lateral propagation embedded in it, you are able to contain that blast radius. On the end user side, I mean, you have to be the best advice always is please be cautious. Just the fact that the payload is hosted on Dropbox or iCloud or Google Drive doesn't mean, you know, it's legitimate. So be cautious, pay attention to the source, and how you're getting some of the information. Pick up the phone. If you know it's from someone and you're expecting it but you're still feeling fishy about it. Pick up the phone and talk to them before you take action. [ Music ]

Dave Bittner: Our thanks to Deepen Desai for joining us. The research is titled "A Look Into DuckTail." We'll have a link in the show notes. [ Music ] The CyberWire "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.