An ongoing spear phishing campaign has been targeting Facebook business accounts since the second half of 2021. The campaign uses an infostealer specifically designed to steal browser cookies for authenticated Facebook sessions, which are then used to take information from the account and ultimately hijack any business account that the victim can access.
WithSecure (formerly F-Secure) first detected the infostealer as an unknown malware earlier this year. It has named the operation and malware Ducktail and has been tracking it since discovery. It is the first malware known to WithSecure that specifically focuses on Facebook business accounts.
The researchers are confident that the malware is Vietnamese in origin, that it has no specific geographic or vertical sector target, that it has been continuously updated and modified since H2 2021, and that the actor has been active since late 2018. The motivation for the Ducktail campaign is financial gain, and WithSecure has likened the campaign to the SilentFade malware identified by Facebook at the end of 2018.