The financially motivated Ducktail information stealer has been updated to include new capabilities, according to WithSecure. The threat actors that leverage the information stealer have been expanding their operations to target Facebook business users. The information stealer is likely operated by Vietnamese-speaking individuals, and the group has been active since at least 2018. The Ducktail information stealer itself is newer and was first identified in the second half of 2021.
The campaign has recently been expanded to deliver the infostealer via LinkedIn; however, the operators have shifted techniques to evade detection. The attackers halted the malware distribution in August, WithSecure says, after the group used invalid certificates as a result of public disclosure. The attackers resumed activity in September, launching a new malware variant. Since September, the group has been adapting its techniques frequently to maximize successful attacks.
Read More: Vietnam-Based Ducktail Cybercrime Operation Evolving, Expanding