New Windows PHP Malware Targets Facebook Accounts and Cryptocurrency Wallets
A new iteration of the Ducktail phishing campaign is spreading PHP malware that can access and steal users’ Facebook accounts, browsing data, and crypto wallets.
PHP Phishing Malware Targets Facebook Users
An updated PHP-based phishing script is targeting Facebook users’ accounts, according to a Bleeping Computer report. The malware is a variation of the Ducktail malware. In addition to Facebook accounts, the program may also access browser data and cryptocurrency wallets.
Cybersecurity researchers from WithSecure first identified the Ducktail malware in July, when it primarily targeted individuals and companies that manage Facebook Business accounts. The malware had been under development for over a year and was then disseminated via email.
The attackers employ social engineering techniques and scout for targets on the professional networking site LinkedIn. The malware is distributed as an archive that bundles images, videos, and documents. Once the file has been downloaded and opened, browser cookies are read and transmitted to the attacker's server.
By contrast, the latest version of Ducktail replaces the .NET Core malware with a PHP-based variant. The disguised malware is hosted as a ZIP archive on legitimate file-hosting platforms. In the background it is extracted to the %LocalAppData%\Packages\PXT folder while the victim is shown fake compatibility-check pop-ups.
That folder contains a local PHP interpreter (php.exe) together with several scripts and tools designed to steal information.
According to the report, the malware then registers scheduled tasks that run at regular intervals on the compromised device. At the same time, a generated TMP file launches the stealer component, which is stored Base64-encoded and decoded directly in memory to reduce the likelihood of detection.
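The host-level indicators described above (a PHP interpreter dropped under the per-user Packages folder, a PXT subfolder, and scheduled tasks that run php.exe) can be checked on a Windows workstation with the triage script below. This is an added example, not code from the article or from the WithSecure or Bleeping Computer research; the function name, the folder depth limit, and the decision to treat any php.exe under %LocalAppData%\Packages as suspicious are assumptions made for illustration, and a hit should be treated as a lead for investigation rather than proof of infection.

```powershell
# Added triage check for the Ducktail indicators described in the article.
# Assumptions (not from the article): the function name, the -Depth limit,
# and that a php.exe anywhere under %LocalAppData%\Packages is worth flagging.
function Find-DucktailIndicators {
    [CmdletBinding()]
    param(
        # Per-user Packages root; Ducktail's PHP variant extracts into <root>\PXT
        [string]$PackagesRoot = (Join-Path $env:LOCALAPPDATA 'Packages')
    )

    $findings = @()

    # 1. The specific folder named in the report.
    $pxt = Join-Path $PackagesRoot 'PXT'
    if (Test-Path -LiteralPath $pxt) {
        $findings += [pscustomobject]@{ Type = 'Folder'; Path = $pxt; Detail = 'PXT folder present under Packages' }
    }

    # 2. A PHP interpreter under Packages is unusual on a workstation. For each hit,
    #    also list sibling files so the scripts and any TMP launcher next to it show up.
    Get-ChildItem -Path $PackagesRoot -Recurse -Depth 3 -File -Filter 'php.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Path = $_.FullName; Detail = "php.exe SHA256=$hash" }
            Get-ChildItem -LiteralPath $_.DirectoryName -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -ne 'php.exe' } |
                ForEach-Object {
                    $findings += [pscustomobject]@{ Type = 'File'; Path = $_.FullName; Detail = "sibling of php.exe, created $($_.CreationTime)" }
                }
        }

    # 3. Scheduled tasks whose action runs php.exe or anything from the Packages folder.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe  = [string]$action.Execute
            $args = [string]$action.Arguments
            $runsPhp     = ($exe -match 'php\.exe') -or ($args -match 'php\.exe')
            $fromPackages = $exe.StartsWith($PackagesRoot, [System.StringComparison]::OrdinalIgnoreCase) -or
                            ($args -and $args.IndexOf($PackagesRoot, [System.StringComparison]::OrdinalIgnoreCase) -ge 0)
            if ($runsPhp -or $fromPackages) {
                $findings += [pscustomobject]@{
                    Type   = 'ScheduledTask'
                    Path   = "$($task.TaskPath)$($task.TaskName)"
                    Detail = "Execute='$exe' Arguments='$args' State=$($task.State)"
                }
            }
        }
    }

    return $findings
}

# Usage: run in the context of the user being checked, then review each lead.
Find-DucktailIndicators | Format-Table -AutoSize
```

Run the function as the affected user, since both the Packages path and the task trigger context are per-user. Because the stealer is only decoded in memory, a disk scan alone may miss the payload; the php.exe binary, its sibling scripts, and the scheduled task are the durable artefacts this check keys on.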
Ducktail collects extensive Facebook account information together with browser data, cookies, cryptocurrency wallet data, account data, and system information.
Previous Ducktail campaigns exfiltrated stolen data to Telegram. The most recent campaign instead sends it to a JSON-based website that stores the account tokens and other data needed for on-device fraud.
Developers Targeting Personal Accounts
In addition to business accounts, Ducktail also targets accounts belonging to individual users. When a business account is compromised, the malware attempts to gain access to its payment method information. Ducktail's continued development suggests that its authors will keep working on the program and producing new variants. As usual, it is prudent to be wary of messages from unknown senders and to carefully inspect files before downloading them, to prevent the malware from being installed.
A few weeks earlier, Facebook’s parent company, Meta, alerted over 1 million of its users that their login information might have been compromised by malicious apps. It was further revealed that Meta’s researchers had discovered more than 400 malicious Android and Apple iOS apps this year that were meant to steal users’ Facebook login credentials.
Meanwhile, Meta has been scrutinized for its privacy practices for years. The Federal Trade Commission accepted a $5 billion settlement with Facebook in 2019 after reports revealed that the political firm Cambridge Analytica inappropriately accessed the personal data of millions of Facebook users.