{
	"id": "ea27b0aa-3fa7-4b43-9c8a-9a0b43a3e513",
	"created_at": "2026-04-06T00:11:32.344633Z",
	"updated_at": "2026-04-10T03:21:21.054151Z",
	"deleted_at": null,
	"sha1_hash": "1c1f72322d0bebb00f697a237eb665e8b7568d92",
	"title": "Managed XDR Investigation of Ducktail in Trend Micro Vision One",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54315,
	"plain_text": "Managed XDR Investigation of Ducktail in Trend Micro Vision One\r\nPublished: 2023-05-09 · Archived: 2026-04-02 11:38:25 UTC\r\nWe looked into the created processes and observed three processes in total. Two of these, one for Microsoft Edge (Figure 5) and one for Google Chrome (Figure 6), are used to gather the IP addresses and geolocation of the victims.\r\nThe following arguments are used for these processes:\r\n--headless --disable-gpu --disable-logging --dump-dom hxxps://getip[.]pro\r\nThe last process (Figure 7) is used to open a PDF file containing the description of the fake job position.\r\nWhile victims are busy reading the spawned PDF file, the malware is already gathering browser credentials and connecting to the Facebook domain to gather Facebook-related information. Once the data is gathered, the malware stores it in a text file as %User Temp%\\temp_update_data_8.txt. It is then exfiltrated using Telegram. Our observation is that the malware updates and sends the data every 10 minutes.\r\nHunting for other affected machines\r\nOnce the threat connected to Telegram, we decided to search for other affected machines. Using the Telegram IP address, we searched for other possible infections in the environment using the Search app function of Trend Vision One™. The search yielded the following processes on a couple of machines:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MS Excel.exe\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\onefile\u003crandom\u003e\\MicrosofOffice.exe\r\nWe verified that all files were similar to the first detected file.
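As an added worked example (not code from the article or from Trend Micro), the hunting and pivot steps described above expressed as a small Python script run over constructed process events: it flags the headless-browser geolocation lookup, Office-lookalike executables launched from the per-user Startup folder, executables running out of an onefile<random> directory under Temp, pivots on every process that connected to the Telegram address, and checks whether those connections recur on the 10-minute cadence the analysts observed. The host names, user names, timestamps and the 203.0.113.10 pivot address are constructed stand-ins (the article does not publish the Telegram IP), and the Startup rule generalizes the single observed name MS Excel.exe to any Office product name, which is an assumption of this example rather than a rule from the article.

```python
import re
from datetime import datetime, timedelta

# Added example, not the article's code. 203.0.113.10 (RFC 5737 documentation
# range) stands in for the Telegram address the analysts pivoted on.
PIVOT_REMOTE = '203.0.113.10'

# Paths from the article, with <user> and onefile<random> filled with constructed values.
STARTUP_EXE = 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MS Excel.exe'
ONEFILE_EXE = 'C:\\Users\\alice\\AppData\\Local\\Temp\\onefile_8123\\MicrosofOffice.exe'
EDGE = 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'
EXPLORER = 'C:\\Windows\\explorer.exe'

def ts(hhmm):
    # Constructed timestamps on a single day; only the gaps between them matter.
    return datetime(2023, 4, 20, int(hhmm[:2]), int(hhmm[3:]))

def ev(host, image, cmdline, parent, remote, when):
    return {'host': host, 'image': image, 'cmdline': cmdline,
            'parent': parent, 'remote': remote, 'ts': ts(when)}

# Constructed sample events (not real telemetry): WS-01 shows the whole chain
# plus a 10-minute beacon, WS-02 shows only the Startup stage and benign noise.
EVENTS = [
    ev('WS-01', STARTUP_EXE, 'MS Excel.exe', EXPLORER, None, '09:59'),
    ev('WS-01', EDGE, 'msedge.exe --headless --disable-gpu --disable-logging --dump-dom https://getip.pro',
       ONEFILE_EXE, None, '10:00'),
    ev('WS-01', ONEFILE_EXE, 'MicrosofOffice.exe', STARTUP_EXE, PIVOT_REMOTE, '10:01'),
    ev('WS-01', ONEFILE_EXE, 'MicrosofOffice.exe', STARTUP_EXE, PIVOT_REMOTE, '10:11'),
    ev('WS-01', ONEFILE_EXE, 'MicrosofOffice.exe', STARTUP_EXE, PIVOT_REMOTE, '10:21'),
    ev('WS-01', ONEFILE_EXE, 'MicrosofOffice.exe', STARTUP_EXE, PIVOT_REMOTE, '10:31'),
    ev('WS-02', 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
       'chrome.exe --profile-directory=Default', EXPLORER, None, '10:02'),
    ev('WS-02', 'C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE', 'EXCEL.EXE', EXPLORER, None, '10:03'),
    ev('WS-02', STARTUP_EXE.replace('alice', 'bob'), 'MS Excel.exe', EXPLORER, PIVOT_REMOTE, '10:05'),
]

BROWSERS = ('msedge.exe', 'chrome.exe')
# In these patterns [.] is a literal dot and [^\\] is any character but a backslash.
OFFICE_WORDS = re.compile(r'excel|word|office|outlook|powerpoint', re.I)
STARTUP_DIR = re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\]+[.]exe$', re.I)
ONEFILE_DIR = re.compile(r'\\AppData\\Local\\Temp\\onefile[^\\]*\\[^\\]+[.]exe$', re.I)

def rule_headless_geoip(e):
    # Edge or Chrome run headless to dump the DOM of the IP-lookup site
    # (the article writes the host defanged as getip[.]pro).
    cmd = e['cmdline'].lower()
    return (e['image'].lower().endswith(BROWSERS) and '--headless' in cmd
            and '--dump-dom' in cmd and 'getip.pro' in cmd)

def rule_office_lookalike_startup(e):
    # Any .exe in the per-user Startup folder named after an Office product.
    # Assumption: generalizes the one name the article observed (MS Excel.exe).
    image = e['image']
    return bool(STARTUP_DIR.search(image)) and bool(OFFICE_WORDS.search(image.rsplit('\\', 1)[-1]))

def rule_onefile_temp_exe(e):
    # Executable running out of an onefile<random> directory under Temp.
    return bool(ONEFILE_DIR.search(e['image']))

RULES = {
    'headless_browser_geoip': rule_headless_geoip,
    'office_lookalike_startup': rule_office_lookalike_startup,
    'onefile_temp_exe': rule_onefile_temp_exe,
}

def hunt(events):
    # Sorted, de-duplicated (host, rule, image) hits over all events.
    hits = set()
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.add((e['host'], name, e['image']))
    return sorted(hits)

def pivot_on_remote(events, remote):
    # The analysts' pivot: every (host, image) that talked to the Telegram address.
    return sorted({(e['host'], e['image']) for e in events if e['remote'] == remote})

def is_periodic(times, period=timedelta(minutes=10), tolerance=timedelta(minutes=1), min_events=3):
    # True when every gap between consecutive timestamps is within tolerance of period.
    t = sorted(times)
    if len(t) < min_events:
        return False
    return all(abs(b - a - period) <= tolerance for a, b in zip(t, t[1:]))

def find_beacons(events, remote, **kw):
    # (host, image) pairs whose connections to remote recur on the expected period.
    by_proc = {}
    for e in events:
        if e['remote'] == remote:
            by_proc.setdefault((e['host'], e['image']), []).append(e['ts'])
    return sorted(k for k, v in by_proc.items() if is_periodic(v, **kw))

if __name__ == '__main__':
    for hit in hunt(EVENTS):
        print('hit', hit)
    print('pivot', pivot_on_remote(EVENTS, PIVOT_REMOTE))
    print('beacons', find_beacons(EVENTS, PIVOT_REMOTE))
```

The pivot on the remote address is what turns one detection into an environment-wide search, as the analysts did with the Search app: it catches WS-02, which never produced a periodic beacon or a headless-browser event. The beacon check is deliberately strict (every gap within one minute of ten minutes); on a real host, jitter or missed samples would call for a looser tolerance or a median-gap test.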
Notably, the names of the binaries in this case made them look like Office applications.\r\nSecurity recommendations and Trend solutions\r\nGiven the heavy use of social engineering lures by today’s threat actors, individual users and organizations should take great care to avoid selecting links or downloading files from unknown sources, whether they are sent via social media websites such as LinkedIn and Facebook or through emails. The following best practices can help users avoid being victimized by spear-phishing attacks:\r\n1. Users should be cautious of unexpected or unsolicited emails. Before responding to or opening any attachments or links, users should first verify the sender’s identity.\r\n2. Users should avoid selecting suspicious links, especially if they are from unknown or suspicious sources. Hovering over the link to see the URL can help recipients check if a link leads to a legitimate website.\r\n3. Organizations should ensure that their employees are educated on spear phishing and how to recognize and avoid it. Conducting regular training sessions can help keep everyone informed and up to date.\r\nManaged XDR services use expert analytics to analyze vast amounts of data collected from various Trend technologies. XDR employs advanced AI and expert security analytics to correlate data from both customer environments and global threat intelligence, resulting in fewer but more accurate alerts and leading to quicker detection.
Additionally, Vision One provides a single console that has prioritized alerts and is supported with guided investigation, making it easier for organizations to understand the full scope of an attack and its impact.\r\nWith Trend One™ services, businesses can enhance their resilience with round-the-clock premium support, managed XDR, and incident response services. This service includes automated updates and upgrades for solutions, on-demand training, access to best practice guides, and the ability to consult with cybersecurity experts.\r\nTrend Micro Apex One™ combines threat detection, response, and investigation in one solution. It automatically detects and responds to many types of threats, such as ransomware and fileless attacks. Apex One has advanced tools to detect and respond to attacks and can integrate with security information and event management (SIEM) systems.\r\nTrend Cloud One™ – Endpoint Security and Workload Security protect endpoints, servers, and cloud workloads through unified visibility, management, and role-based access control. These services provide specialized security optimized for your diverse endpoint and cloud environments, which eliminates the cost and complexity of multiple point solutions. Meanwhile, the Trend Cloud One™ – Network Security solution goes beyond traditional intrusion prevention system (IPS) capabilities and includes virtual patching and post-compromise detection and disruption as part of a powerful hybrid cloud security platform.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html"
	],
	"report_names": [
		"managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c1f72322d0bebb00f697a237eb665e8b7568d92.pdf",
		"text": "https://archive.orkl.eu/1c1f72322d0bebb00f697a237eb665e8b7568d92.txt",
		"img": "https://archive.orkl.eu/1c1f72322d0bebb00f697a237eb665e8b7568d92.jpg"
	}
}