# DuckTail: Dissecting a complex infection chain started from social engineering **[yoroi.company/research/ducktail-dissecting-a-complex-infection-chain-started-from-social-engineering/](https://yoroi.company/research/ducktail-dissecting-a-complex-infection-chain-started-from-social-engineering/)** March 29, 2023 03/29/2023 ### Introduction It is concerning to learn about the increasing use of social engineering tactics to exploit users on social media platforms. Cybercriminals commonly disguise malware as games, music, software, and other media content to deceive users into downloading and installing malicious software on their devices. [One such sophisticated stealer is DuckTail, which was first identified by WithSecure Intelligence in July 2022. It](https://www.f-secure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf) appears that the group behind DuckTail has been active since late 2021 and has been using .NETCore to carry out their attacks. However, according to the [Zscaler ThreatLabz Analysis, the group switched to using PHP in August](https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts) 2022. This demonstrates that cybercriminals are continually adapting their tactics to evade security measures. The Yoroi ZLab has discovered evidence of new campaigns utilizing different tactics, including more complex delivery mechanisms and victimology, which began in April 2022. It is crucial for individuals and organizations to remain informed about these tactics and take necessary precautions, such as exercising caution when downloading or clicking on links, maintaining up-to-date software and security measures, and educating themselves about the latest security threats. ## About the TA Ducktail appears to be a persistent and consistent threat on the social media landscape, with a particular focus on Facebook. The attacker's objective is to compromise business social media accounts, possibly to carry out additional malicious intrusions. ----- _Figure 1: Yoroi Flashcard about DuckTail_ _Threat Actor_ The threat actor's activity has intensified since the last few months of the previous year when they began creating various campaigns to entice social media users and persuade them to click on malicious links. One such campaign involves a fake website offering photos of models. _Figure 2: Example of a_ _malicious campaign of December 2022_ The link leads to a media-hosting website claiming to enable the download of this malicious data. _Figure 3: Example of a fake file_ _hosting page_ The threat actor behind this persistent malware campaign has taken significant measures to create a resilient and effective malicious infrastructure. The creation of a total of seven fake file hosting domains suggests that the threat actor is attempting to deceive users into believing that they are accessing legitimate files, when in fact they are downloading malware hosted on the true hosting domains. By hosting their files on multiple domains, the threat actor can ensure that their malware remains available even if one or more of the domains are taken down. Additionally, by using popular hosting services such as Mediafire and Google Cloud, the threat actor may be attempting to blend in with legitimate users and avoid detection. ----- Furthermore, the threat actor has also created three Facebook pages as part of their infrastructure, indicating that they are using social media platforms to spread their malware. Social media platforms provide an easy way for the threat actor to distribute their malware to many users quickly and easily. The use of Facebook pages may also allow the threat actor to bypass some security measures that are designed to block known malicious websites. The use of multiple fake and legitimate domains, as well as social media platforms, suggests that the threat actor is highly motivated and determined to spread their malware. The threat actor has invested significant time and resources into creating a resilient and effective malicious infrastructure. Some of the intercepted fake file hosting domains include: download5s.]com x-photos.]net beautygirls-photos.]com beautygirls-picture.]com photo-cam.]com x-album.]com x-albums.]com x-pictures.]net hxxps://sites.google.]com/view/lonely-in-car True Hosting Domains: s1-download-photos.]com jmooreassoc.]com meetstaci.]com kimhasa.]com notodaiya.]com karbilyazilim.]com shble.]com velascasadelaluz.]com hxxps://download2388.mediafire.]com/eif5tfodd4ng/hrcyyor418tp8hw/Album_Beautiful_Girl_In_The_Hotels.rar romeflirt.]com ikejd.]com hxxps://storage.googleapis.]com/migc/AlbumNo6128183.zip Pages: camliveproduction The-Best-moment-105684484236827 xphotonetn Based on these starting points, it is possible to reconstruct the entire infection chain. In the following sections, technical details about all the phases of the infection chain will be provided. ----- _Figure 4: DuckTail Infection_ _Chain_ ## Technical Analysis We observed two different campaigns of DuckTail, of which one is written in Python and another one is in PHP. ### DuckTail Python Version – 1st Variant The infection starts with a malicious zip archive containing many identical executable files, pretending to be images of a gallery belonging to a model. This archive is retrieved on one of the fake storage websites we identified and reported in the previous section: Hash fcec8d28e17f7af13d0961eb8b8d25eaf0e76e50fdc8cd4e2e79de7d6b67d25d Threat DuckTail Downloader Brief Description Archive containing multiple downloaders An extract of that archive is the following: ----- _Figure 5: Content of the initial malicious_ _archive_ These files have all different hashes but the same behavior: use a powershell script to download an InnoSetup Installer (c17524501439d58ffb701907d83e3e20558a445363fa0733bb328e0d69c91441) containing the core of DuckTail. _Figure 6: DuckTail_ _Downloader_ That archive extracts all the files for the next step of the infection in one of the following paths: %AppData%\Local\Packages\Rnews\v13-15 %AppData%\Local\Mozilla\Conf\v13-15 %AppData%\Local\Google\Conf\v13-15 %AppData%\Local\Packages\Conf\v13-15 %AppData%\Local\Microsoft\Conf\v13-15 %AppData%\Local\Media\Conf\v13-15 The package of DuckTail contains a series of files: rnews.exe (e1517e6bd6169c543083e36c45894a98b8ae592bf9dc265978f198af70a853b1) Ducktail curl.exe curl tool Rar.exe CLI WinRar tool [rhc tools](https://github.com/tostercx/hidec) Python DLLs and files ----- _Figure 7: InnoSetup Files_ [The program in question was created using Nuitka, a tool that transforms Python modules into a C-based program.](https://github.com/Nuitka/Nuitka) This allows the program to operate similarly to CPython, utilizing both "libpython" and its own static C files. Nuitka is a compiler for Python that generates standalone binaries from Python scripts, making them more efficient and faster. Upon analyzing the program's strings, it appears that the program is specifically designed to target Facebook business accounts. By obtaining an overview of the program's capabilities, we can better understand its intended purpose and how it may potentially harm targeted accounts. _Figure 8: String of_ _rnews.exe_ The program described in the previous section steals Facebook-related information through the API, using a specific client ID. More specifically, it obtains the victim token by making a request using the client ID "124024574287414", which happens to be the ID of "Instagram". By using this particular client ID, the program aims to avoid detection, as the victim may not be suspicious when checking their settings and seeing that the request comes from Instagram. It is worth noting that the use of APIs to extract data is a common tactic used by cybercriminals to gather sensitive information. APIs, or Application Programming Interfaces, are sets of protocols and tools used for building software applications. APIs can provide a convenient way to extract data from various platforms, but they can also be used maliciously to steal data, as in this case. Moreover, Nuitka, the Python compiler used to generate the program, is a powerful tool that allows developers to create stand-alone executables from Python code. It does this by converting Python modules into C-based programs, which can run faster and use fewer resources than traditional Python code. Nuitka is an open-source project that is ----- actively maintained and used by developers around the world. Overall, the use of Nuitka and APIs highlights the sophisticated tactics used by cybercriminals to steal sensitive information from their victims. As technology continues to advance, it is crucial for individuals and organizations to stay vigilant and take necessary precautions to protect their data and privacy. Joining the analysis of DuckTail and the permissions it asks to the API, we figured out it might steal the following information from Facebook: Credentials Token UID Complete information about victim account 2FA Status Recovery Code And, Chrome, Firefox (Cookies, Passwords, Preferences, Bookmarks, History). Once finished it sends the stolen information to the following C2s: hxxps://riospress.]com/rss/news hxxps://ro2sport.]com/rss/news Uses WMI to collect machine information: /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName Win32_VideoController GET VideoModeDescription Win32_VideoController GET Name Win32_PhysicalMemory GET Capacity Win32_Processor GET Name _Figure 9: Usage of wmic to_ _collect SysInfo_ The collected information is written to a file called “info.json”. ----- _SysInfo_ DuckTail stores the config inside "config.json". With the folliowing parameters: **Parameter** **Description** machineld mid version APP_VERSION (config.json) v APP_VERSION_DETAIL (config.json) token partner PARTNER (config.json) time Date (Unix Epoch Timestamp Seconds) time_ns Date (Unix Epoch Timestamp Nanoseconds) botname Victim Username path cwd n Hostname r OS Version rv OS Version + Build Number _Figure 10: JSON of collected_ _Figure 11: DuckTail Config_ ----- m Machine architecture u e s ### DuckTail PHP Version – 4th Variant Hash 0fad31fc16beeb24ca924a94614f3905f5c463a972ae395eec58614d014e73ad Threat DuckTail Dropper Brief Description Malicious DLL, loaded by using DLL Sideloading The PHP variant of the malware utilizes a technique called DLL sideloading, which involves the use of a legitimate tool named "WDSyncService.exe" from Western Digital. This technique is often used by attackers to bypass security measures since it is harder for antivirus software to detect malicious activities that involve legitimate tools. The WDSyncService.exe tool is used to execute an InnoSetup installer, which is obfuscated through multiple layers to avoid detection. The DLL loaded by the malware is responsible for loading a specific resource identified by the GUID "{9117cb49a00b-4379-8d00-32eeaa57627f}". After decryption, this resource contains further instructions that are used by the malware to continue the infection process. The use of encryption makes it difficult for security researchers to analyze the code and understand the exact steps involved in the infection process. The use of legitimate tools and techniques by attackers highlights the need for organizations to implement strong security measures and keep their software and tools up-to-date. Furthermore, it is important to educate employees about the risks of opening suspicious files and emails, and to establish security protocols that can help prevent attacks. Keeping systems patched and up-to-date, as well as using reliable antivirus software, can also help detect and prevent attacks. In summary, staying vigilant and proactive about security can help prevent malware infections and minimize their impact on an organization. _Figure 12: Malicious DLL_ _loading the encrypted resource_ To elaborate on the previous text, the resource containing the next steps of the infection is AES encrypted, which is a widely used encryption standard. Once decrypted, the resource contains several Base64 encoded strings. Instead of decrypting each string when needed, all the encrypted strings are contained and decrypted in a single resource that is treated as a data structure for the following steps. ----- This approach of containing and decrypting all the strings at once can be more efficient and harder to detect compared to decrypting individual strings. The use of AES encryption and Base64 encoding can also make it more difficult for security researchers to analyze and understand the malware. Additionally, the use of DLL sideloading with a legitimate Western Digital Tool named “WDSyncService.exe” is a technique used by the threat actors to evade detection by antivirus software. By using a legitimate program, the malware can blend in with normal processes, making it harder to detect and investigate. It is worth noting that malware creators use various techniques to evade detection and compromise systems, and it is essential for users to remain vigilant and keep their systems updated with the latest security patches and antivirus software. Regular backups of important data can also help to mitigate the damage caused by malware attacks. _Figure 13: Content of the_ _encrypted resource_ _Figure_ _14: Base64 Decoded Strings_ The sample proceeds by decrypting another resource ({9872ec39-1510-4b83-bbab-29deae7a2bde}) which is a portable executable (PE) file. This PE file contains another resource called "subtitle1", which is Base64 encoded. The PE file has four characters before the "MZ" signature that reads "DPAI". Additionally, two characters in the PE file are obfuscated and have been replaced by the symbols "* " and "|". ----- _Figure 15: Base64_ _Encoded Payload and obfuscated_ The method employed to obfuscate the code fragments has been found to be effective in evading the detection of various automated analysis tools. However, it is still possible to manually deobfuscate the code by setting a breakpoint on the ".NET" function "FromBase64String" and comparing the decoded characters with those used for obfuscation. This approach enables the decryption of the code, thereby revealing its true purpose. It is worth noting that the use of obfuscation techniques is quite common in malware development. The primary objective of employing such methods is to make it harder for analysts and researchers to reverse engineer the code and understand its functionality. The encrypted code can be easily decrypted if the algorithm and the key used for encryption are known. Therefore, obfuscation is used to add an additional layer of protection and make the code more resilient to reverse engineering techniques. However, with careful analysis and the use of advanced tools, it is often possible to deobfuscate the code and uncover its true nature. _Figure 16: Function_ _responsible for the deobfuscation_ After completing all the deobfuscation procedures, another binary sample protected by SmartAssembly emerges, which is a .NET binary. This sample contains encrypted data inside resources, which are again AES encrypted. The binary first checks if there are any arguments passed to it by checking the length of the arguments. If there are no arguments, the binary does not proceed with its execution." To expand on the text, SmartAssembly is a .NET obfuscation tool used to protect software from reverse engineering. It is designed to make the analysis of the code as difficult as possible, by obfuscating names, methods and even entire classes. The use of encryption, like AES, adds another layer of protection, making it even more challenging to reverse engineer. The fact that the binary checks for arguments before proceeding with execution suggests that it may be designed to be run in a specific way or with specific parameters. This can make it more difficult to execute and analyze the binary, as the user must understand how to correctly pass arguments to it in order for it to work properly. This can be another effective technique for evading detection by automated analysis tools. _Figure 17: Check arguments_ ----- The code protection structure of this sample is quite similar to the previous packer sample. It involves decrypting a list of Base64 strings, which leads to a Base64 encoded Portable Executable (PE). However, this time, an anti-repeat check is performed in the process. The anti-repeat check is used to ensure that the malware is not installed on the same system multiple times. This is done by checking the system for the presence of a specific file or registry key, which is usually created during the first installation. If the file or registry key exists, the installation is terminated. Once the anti-repeat check is completed, the malware proceeds with its execution. It typically performs various malicious activities, such as stealing sensitive data, recording keystrokes, and installing additional malware components. It is worth noting that the use of Base64 encoding and other obfuscation techniques by malware authors aims to evade detection by security software. However, security researchers often use tools and techniques to deobfuscate and analyze such code, enabling them to identify and mitigate the threats posed by such malware. _Figure 18: Checks if the_ _sample has been already executed_ The code structure of this packer sample is quite similar to the previous one. A list of Base64 strings is decrypted, and then a Base64 encoded PE is extracted. However, this time an anti-repeat check is performed to prevent duplication of the same code. From the list of Base64 strings, the program selects "m.txt." It then checks if this file exists, and if it does, the program returns/exits. Otherwise, it proceeds to decrypt another resource containing a PE that, in turn, contains another resource which is also another Base64 obfuscated PE. _Figure 19: m.txt the name of the_ _file used for the anti-repeat check_ _Figure 20: Checks the_ _existence of m.txt in the given path_ By completing the same self-decoding steps as previously analyzed, we were able to retrieve the final payload, an InnoSetup installer containing other malicious code with the MD5 hash of 8c60a4691f610e325597af83ee2c99945e7eb1cb189fff03cf2264e461fead53. ----- _Figure 21: Final Payload_ The final stage of the malware execution involves saving a file named "AYSVDAWHDAADAOC.exe" as "C:\Users\Admin\AppData\Local\Temp" and then executing it. During this process, the malware ensures persistence by creating a scheduled task. _Figure 22: Persistence_ _Figure 23: Scheduled Task_ The InnoSetup installer contains two PHP samples - "index.php" and "include.php" - along with "php.exe" and "rss.txt". These PHP samples are obfuscated using the IonCube Loader, a commercial protector that is commonly used to ensure copyright protection for specific web applications built using the PHP framework. _Figure 24: DuckTail PHP_ _Samples_ The "rss.txt" file is a Base64-encoded PE that is obfuscated using the same technique of missing characters. In this case, the missing characters are "*", "|", and "+". By examining other Base64-encoded PEs, we can easily determine that these missing characters are respectively replaced by "A", "B", and "g". Once decoded, this file returns another component that is written in Rust and has the MD5 hash value of "16ad22f8ab4f99a03bc2b68bf3314397f30f67a01bb5a283020e85979b811d93". Memory analysis of the malware also reveals the C2s (Command and Control servers) of the malicious infrastructure. These C2s are: ----- rapadtrai.]com graeslavur.]com caseiden.]com te5.techgeetam.]com sensetria.]com It is important to note that these C2s may change over time as the malware evolves and adapts to new environments. _Figure 25: In Memory Strings_ **Decoding an unprotected version** Regrettably, we were unsuccessful in our attempt to decrypt IonCube, but we discovered additional samples that were not encrypted and resolved to conduct further analysis based on these samples. Among these samples is "index.php" (5bac0b4ee00c1cb9a5b2969a18077ab74257790bd2610224253d3faf58714f43), which contains the DuckTail code. The behavior of the code is consistent across all its variants, with its primary goal being the collection of Facebook account information belonging to its victims. ----- _Figure 26: index.php DuckTail Sample_ include.php (8fd4910dd8b05c9ea617f9b86f31aac5663db12495e9295ccaf19e3d58b8b3b4) establishes persistence using the task scheduler and decodes “rss.txt” executable. In this way, the malicious implant guarantees itself a mechanism to download. ----- _Figure 27: Task triggering at logon_ _Figure 28: Task triggering on interval_ The following is the function responsible for decoding and deobfuscating the payload contained in rss.txt and for getting the current time by executing this payload, this time is used for calculating the task interval. ----- _deobfuscating and executing the Rust Payload to get the current time_ The method used to calculate the task interal is the following: _task interval_ **Rss.txt – Rust Chrome key decoder** _Figure 29: Decoding,_ _Figure 30: Calculating the_ The Rust payload is also responsible for decrypting the Chrome encrypted_key. It is encrypted using the [DPAPI,](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection) which is a function that can be called using the API function CryptUnprotectData. The following figure shows the routine where the Chrome encrypted_key resides and the payload output, with the encrypted_key passed as an argument for the /c parameter. _Figura 31: Decryption of_ _Chrome encrypted_key using the Rust Payload_ ## Conclusion Tracking malicious infrastructures is a critical aspect of cybersecurity as it enables professionals to identify the source of an attack and take necessary actions to prevent future attacks. Malware analysis is an essential process that helps to uncover the hidden tactics and techniques used by attackers. Understanding the methods of cybercriminals can assist cybersecurity professionals in developing more effective security measures to detect and mitigate potential threats. This can include blocking IP addresses, shutting down servers, and identifying the attacker's location. ----- Tracking malicious infrastructures can also help in sharing threat intelligence within the cybersecurity community. The cyber threat landscape is constantly evolving, and by sharing information, organizations and security experts can stay informed and up-to-date with the latest threats. This can help other organizations and security experts to take necessary precautions and protect themselves against similar attacks. Furthermore, tracking malicious infrastructures can help in developing new security measures and improving existing ones to prevent future attacks. By analyzing and understanding the tools and techniques used by attackers, cybersecurity professionals can develop more effective security measures that can detect and mitigate potential threats. This can include implementing intrusion detection and prevention systems, deploying security patches, and educating employees about cybersecurity best practices. Overall, tracking malicious infrastructures is a vital component of any comprehensive cybersecurity strategy. By doing so, organizations can strengthen their security posture, protect their assets, and prevent potential cyber-attacks. Cybersecurity professionals should prioritize malware analysis and invest in the necessary resources to ensure that they can effectively identify and track malicious infrastructures. Through collaboration and knowledge-sharing within the cybersecurity community, organizations can stay ahead of the constantly evolving cyber threat landscape and protect themselves against potential threats. ## Indicators of Compromise **DuckTail Campaign:** **Fake File Hosting Domains:** download5s.]com x-photos.]net beautygirls-photos.]com beautygirls-picture.]com photo-cam.]com x-album.]com x-albums.]com x-pictures.]net hxxps://sites.google.]com/view/lonely-in-car **True Hosting Domains:** s1-download-photos.]com jmooreassoc.]com meetstaci.]com kimhasa.]com notodaiya.]com karbilyazilim.]com shble.]com velascasadelaluz.]com hxxps://download2388.mediafire.]com/eif5tfodd4ng/hrcyyor418tp8hw/Album_Beautiful_Girl_In_The_Hotels.rar romeflirt.]com ikejd.]com hxxps://storage.googleapis.]com/migc/AlbumNo6128183.zip **Pages:** camliveproduction The-Best-moment-105684484236827 xphotonetn **DuckTail Python:** ----- fcec8d28e17f7af13d0961eb8b8d25eaf0e76e50fdc8cd4e2e79de7d6b67d25d (Archive) **Downloaders:** 2320b045e831ee38c9abd1b872deb25c7d26d3437ba21491c06b8fc1a18143ac 365ed9b3ab7d369a319a2ebe1da9953ab6ad4f9878f82aba3d30a47e9e0c60fb 3e242475d95322df510e2437f5a1f319d8ee442dbc649fa1a443fd478b3e7876 418d02b2f8013746f9f06e328ad4040063db887d85de141da39a7e7513f0459a 446f5be2028492615b5b51d9de05e67e464a9ca26b0b47972dd43179cc8cb6e0 50d55c4c79eaddf5368bdb9b60a68f35ed42f17ccb43812c95903306cdc126a9 5a75df284314b0edcf9534c5f8a2d95013f73803fdbc56afb970af53cd9e0479 65d4046b5a85327da285c05d72869c41aac8952e0fb8a44babe897528a674e58 6d29ac0626b6908d938fe0d6a8d84b830c524d4b3f24255775d05a66f57c22ec 718e88759a7e2ae40309b5c38de18a667305acafee07dfcdaee180c46bdc514c 74955b4db49ea399fac96d09211152ead722016218dfaca4561a50990af1caa6 74b25e1e2d33b666df5eb0fb26eb808f93faf78942f5f253d0e415753d048b89 78380b620294ab60b558d0de3e38d479fa965eca1d1e38a9f97fbef62bfd8bd9 898650ac940c4a6711fe81bef0c118f141305188a36431560fa7a6a3f299fdf0 8ee067b7c23111cda02d5c5a4f6f10216d553dad90afaaa3b056869d74e8dd0b 91318b6b2a8efeb759cb49f7cab6cc5b1bca7df41a9ccc378900d30c0ad25e4a 91cd20e848f67432ce4e69449e8679f6a405f9087adae41510eb607e620d6177 a98f225699d8ff6875e08fb2f12236f6fc1f463d61aa1ace1cadb8deded60d0d b59ee8c9242fd16971cf15ce4d8308944b1990b0c0cfaf96da1f83a6f6d6bf25 bb73253555f518c3646356da5b8a3747a541a8a48b72827e4dcf892cde94e094 c00e1239a781276f9be2f8920cc0a13367548b7638b7d483462c7c7b6daf6878 c636823a07b8498ea0496ff17c501ee69cf14ae18cb881ccc5721fc9b218cac4 ddceae97a3e0cbf28731203aa2d2067deab155b2601432e122bbfca712713285 f390c68389331be62695464e049df845b750bd03d82e4b6809bdc15a9439df44 f45711466e9182d606da6711318a6e6c14688a09636945b41a26d31d8056cb5f f95d284a862662195c351db2cdb36d371a105585d783e7289d73cb07a442c4ba f9691281cd8d6c2d5ebee974afb54024b67ae71c8a720e3fc37d5a7ec4b8f669 c17524501439d58ffb701907d83e3e20558a445363fa0733bb328e0d69c91441 (InnoSetup Installer) e1517e6bd6169c543083e36c45894a98b8ae592bf9dc265978f198af70a853b1 (DuckTail) **DuckTail PHP:** 0f765b4fbeda401e5b4ff34cd470c0fe8d77eafad73b68852e59e3e6abb182cf (Archive) 0fad31fc16beeb24ca924a94614f3905f5c463a972ae395eec58614d014e73ad (Malicious DLL) cb807472bb6d4d1113fcbc209d6a08fa80ff9e53c83b1aa37f9d6f549affd68c (Legitimate WDSyncService Tool) 8c60a4691f610e325597af83ee2c99945e7eb1cb189fff03cf2264e461fead53 (InnoSetup Sample) 16ad22f8ab4f99a03bc2b68bf3314397f30f67a01bb5a283020e85979b811d93 (Rust Sample) 4abdb3f59e3433b2d410106c75d4711574e0b61b0ef92653b9971154d9841a4f (index.php) 52bd6d7d8c9fe087ba64adafbfa623e49b69425829b8c9c8a8eadb2e06669892 (include.php) 5bac0b4ee00c1cb9a5b2969a18077ab74257790bd2610224253d3faf58714f43 (index.php not obfuscated) 8fd4910dd8b05c9ea617f9b86f31aac5663db12495e9295ccaf19e3d58b8b3b4 (include.php not obfuscated) **C2:** rapadtrai.]com graeslavur.]com caseiden.]com te5.techgeetam.]com sensetria.]com _This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB_ -----