CyberWire Daily - Targets from DuckTail. [Research Saturday]
Episode Date: October 7, 2023
Deepen Desai from Zscaler joins to take a look into their research about "DuckTail." In May of 2023, Zscaler ThreatLabz began an intelligence collection operation to decode DuckTail's maneuvers. Through an intensive three-month period of monitoring, Zscaler was able to obtain unprecedented visibility into DuckTail's end-to-end operations, spanning the entire kill chain from reconnaissance to post-compromise. The research states "DuckTail threat actors primarily target users working in the digital marketing and advertising space. Unfortunately, the tech layoffs occurring in 2022 and 2023 introduced more eager candidates into the digital market - meaning more prime targets for DuckTail." The research can be found here: A Look Into DuckTail
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
This involves multiple Vietnam-based threat actors
who share very identical tactics, techniques, and procedures
based on what we have seen.
That's Deepen Desai.
He's Global CISO and Head of Security Research and Operations at Zscaler.
The research we're discussing today is titled,
A Look Into DuckTail.
They also share the same motivation. I mean, their goal is to gain access to social media business accounts, specifically the ones belonging to digital marketers.
Well, let's walk through this together.
I mean, how would someone find themselves victimized by DuckTail?
Yeah, so the malware involved in this case, DuckTail malware,
it basically steals saved session cookies from browsers
and with code specifically tailored to take over, like I said, social media accounts,
but they're targeting Facebook business accounts. The malware actually spreads using LinkedIn. So
if you look at it, I mean, all of these vectors that I'm going to describe, these are all legitimate
services. So they abuse cloud services to host payload. Think of Dropbox, think of iCloud.
They abuse GitLab to fetch CNC information.
They abuse LinkedIn for social engineering victims
and spread the malware.
And then they're ultimately targeting
social media business accounts
where you should think of Facebook, Google, TikTok.
Wow, they're spreading it around.
All right, so someone is out there minding their own business and they find themselves
targeted by DuckTail. What's the first thing that DuckTail is going to do?
Yeah, so even in the way they're targeting, Dave, unfortunately, again, this is a group which is targeting a lot of the folks that did go through the tech layoffs as well that occurred in 2022, 2023.
These are folks that are also in the digital marketing space. What we saw was, in fact, they're also weaponizing the recent popularity of generative AI platforms,
apps like ChatGPT and Google Bard AI.
If you look at what the research team published,
there are these fake pages that are being set up,
which are luring victims onto them.
Once a victim falls for it, coming back to your question, the malware will
basically get installed, establish persistence. And the goal over there is primarily to get access
to these business accounts that the victims have access to. And once they get that, they're then again spreading from that point onwards,
performing financial scams, and then gain financial benefits out of it.
And they're starting out here with some social engineering. Is that the first step?
The starting point is indeed social engineering. And it was just fascinating to see how many different things that these guys are trying to take advantage of.
So we literally saw, hey, maximize your ROI with ChatGPT
for Facebook advertising.
That's one of the pages that they stood up,
again, with the target being Facebook business accounts.
The victim sees this, falls for it,
and that's one of the ways in which they will get them.
We saw a similar thing being done for Google Bard,
ClickMinded, and a few other apps.
And ultimately, they're putting a package on the victim's computer here
and tricking them to execute it?
That is correct, yeah.
So the malware gets installed on the victim machine.
That malware, I mean,
landing through these social engineering tactics
that I just described,
once the malware is installed,
it will establish persistence.
It will further steal victims' information,
which will include Facebook.
And then it will also leverage the channel that I described
to communicate back with the threat actor,
which involves GitLab,
which involves the cloud services
where the next stage stuff is hosted.
What is your sense here in terms of any kind of infrastructure that the DuckTail folks may have up and running?
I mean, if you think about it, 70% to 80%, or even slightly more,
of their infrastructure is using these legitimate service providers.
And this is where our team does collaborate with many of these vendors. When we see activity like this, we do provide TTPs, intelligence IOCs
that we flagged as part of our tracking and coverage activity.
So we have two goals.
One is obviously to make sure our customers that rely on Zscaler are protected against
these TTPs.
But then at the same time, we do work with these vendors to make sure some of these accounts
are taken down and they will also perform victim notification.
You mentioned that they seem to be after business Facebook accounts, for example.
What do they want that for? What's the ultimate goal here?
The ultimate goal is to perform financial scams,
transfer money that exists in that business account as well.
They're in it for money.
So raiding business and ad accounts,
they will target, like I said, Facebook, TikTok.
These stolen social media business accounts
are also then further sold on the underground forums.
They make money out of giving access
to the other adversaries as well that are part of that group.
It seems to me like they're employing a wide range of tactics here.
I mean, and as you say, taking advantage of social media platforms.
One of the things you and your team highlighted here was they'll use a compromised LinkedIn
account for communication, for example.
Exactly. So yeah, using those legitimate channels
is what is helping them,
unless the organizations are...
So think of an employee that falls for it.
The organization needs to be doing TLS inspection
to even get hold of these payloads
when they're in transit between a Dropbox
or an iCloud going to the employee laptop.
This is also where when it goes back to the CNC server, the communication is happening
over TLS as well.
So all of these, unless you're doing TLS inspection, you will be blind to the payload
getting in, the data leaking out, the exfiltration of your credentials and information that the
malware is able to extract from the victim's machine. You need to have a strategy in place
to prevent this. And then additionally, they're selling some of these credentials on underground
markets? Exactly. So that's one way they're making money. They're selling this to the next level adversaries,
which will then make use of these stolen credentials
to perform further multi-stage attacks.
So what's your estimation here of the sophistication of this actor?
Does it seem as though they have substantial skills?
I would say they're definitely moderately skilled.
Look at the fact that, I mean, the image that we published as part of our research,
the fact that they're trying to evade detections from the majority of the vendors
by leveraging tools, techniques, and procedures that are fairly effective.
Also the fact that, as we've all been talking about since early this year at RSA, with all the generative AI,
we're going to see more and more malware authors
starting to take advantage of it.
While they're not directly using ChatGPT and Bard AI here,
but they're definitely jumping on the hype cycle,
where they're leveraging these apps
as well to lure victims into installing malicious software. So what are your recommendations here
for folks to best protect themselves? Yeah, and I'll probably be kind of repeating myself, but
very, very important for organizations to perform TLS inspection. If you were to get hit by a campaign involving DuckTail malware,
the TTPs that we just described, unless you're doing TLS inspection,
you're basically blind to the payload getting in your environment,
as well as the C2 activity that will happen once you have established persistence.
Number two, you need to have proper user-to-app segmentation.
Even if the malware were to download a stage two payload
that has lateral propagation embedded in it,
you're able to contain that blast radius.
On the end user side,
the best advice always is please be cautious.
Just the fact that the payload is hosted on Dropbox
or iCloud or Google Drive doesn't mean
it's legitimate.
So be cautious,
pay attention
to the source
and how you're getting some of the information.
Pick up the phone if you know it's from someone
and you're expecting it
but you're still
feeling fishy about it,
pick up the phone and talk to them before you take action.
Our thanks to Deepen Desai for joining us.
The research is titled A Look Into DuckTail.
We'll have a link in the show notes.
The CyberWire Research Saturday podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Elliot Peltzman.
Our executive editor is Peter Kilpie.
And I'm Dave Bittner. Thanks for listening.