Attempted Delivery of Ducktail and Hawkeyes Payloads Through Drive-by Attacks

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

Our Threat Response Unit (TRU) has observed DUCKTAIL, a malware operation discovered by WithSecure in 2022, within a customer’s environment. The DUCKTAIL malware contains general information stealing capabilities with a focus on Facebook Business accounts.

Operators are known to locate and target individuals likely to have access to these accounts, primarily businesses or individuals responsible for ad services, such as members of marketing teams.

LinkedIn is commonly used to identify and engage targets of interest. In one recent incident, a marketing specialist was contacted via LinkedIn messaging about possible freelance work for a major hotel chain.

After some back and forth, the target was sent a password protected .rar archive containing several decoy files and a shortcut payload.

The freelance advertisement lure is in line with DUCKTAIL’s historical lures, which focus on marketing/advertising plans and job offers (see table below)

In early July 2023, TRU identified several DUCKTAIL cases, including the LinkedIn example above. In the most recent case, the user was sent a .rar file PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.rar which contained a handful of PNG images and a .lnk (shortcut) file masquerading as a PDF.

Examining the .lnk metadata using ExifTool shows it will execute PowerShell commands in a hidden window. The metadata shows a Machine ID “desktop-oalig8v” and Drive Serial Number “7838-8B0E”, both of which are linked to other .lnk samples on public malware repositories.

The PowerShell commands are slightly obfuscated using string replacement methods. Its function is to download two files from impressiondigitals[.]agency:

Decoy PDF:

impressiondigitals[.]agency/files2/PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.lnk (MD5: 83ecbfdfa31f9934338a0f5b5edfdcfa)

HawkEyes Payload:

impressiondigitals[.]agency/files2/LViS Store Marketing.lnk

The decoy PDF is a fake job offer for a Facebook Ads Specialist and replaces the malicious .lnk file on disk and is then opened automatically during the next step.

The payload 83ecbfdfa31f9934338a0f5b5edfdcfa is an unsigned .NET executable originally named “HawkEyes”. We’ll call this first stage HawkEyes loader.

The first stage payload performs several anti-analysis checks, such as debugging tools (Figure 8), number of running processes and common malware sandbox attributes.

After anti-analysis checks are passed, it decompresses data stored in resource file HawkEyes.Res1, modifies it by adding random bytes and saves it to the user’s documents folder with a random number between 50 and 100 appended to it. The new payload is then started.

HawkEyes also contains code to create or remove itself from the startup folder and registry.

The new file is another .NET payload (MD5: DCAF0652E1602ECAEDAB32F078C993C9). This payload appears to contain the majority of the functionality familiar with DUCKTAIL malware.

DUCKTAIL’s .NET payloads have undergone several changes, and much of the second stage payload is obfuscated. Thankfully its functionality can still be gleaned from memory analysis, where strings are cleartext, base64 encoded and double base64 encoded.

It collects various information about the system using WMI commands and headless chrome to retrieve network and browser information from whatismybrowser[.]com and ip-api[.]com. This information is stored in “System Information.txt”

Browser data is also collected from the victim’s registry via HKEY_LOCAL_MACHINE\Software\WOW6432Node\Clients\StartMenuInternet.

One possible reason for collecting this information is to closely emulate the system to avoid detection by the target website when connecting with stolen account information.

Data sought by this malware is not unlike general purpose stealers. Double base64-encoded memory strings show various files and identifiers tied to browsing information, including saved credit cards, cookies, bookmarks, and encrypted logins. We also see strings associated with decrypting stored web credentials.

This data appears to be stored in various text files and exfiltrated to the C2. This data is exfiltrated via a Telegram Bot at hxxps://api[.]telegram[.]org/bot6335344897:AAEtQ0t_5DOwFvdUwdvpybdn5a4vHpEegu8/sendDocument within an encrypted zip file.

Finally, we see diagnostic output related to collection of Facebook business accounts:

DUCKTAIL is known to target Facebook Ad and Business accounts. Operators will use stolen login data to add email addresses to Facebook Business accounts. When emails are added, a registration link is generated by which the threat actor can grant themselves access.

DUCKTAIL uses the victim’s machine to interact with the Facebook API endpoints and configure new email addresses. These email addresses are retrieved from the Telegram C2 at hxxps://api[.]telegram[.]org/bot6335344897:AAEtQ0t_5DOwFvdUwdvpybdn5a4vHpEegu8/getUpdates. Accessing this endpoint does not require authentication and email addresses appear to rotate on set intervals.

The common structure of these email accounts ([email protected]) would suggest these are generated by threat actors and not compromised accounts.

There are several possibilities for monetizing compromised Facebook Business accounts. Researchers from Deep Instinct recently suggested these accounts could be used to set up imitation business pages and scam unsuspecting customers. Another possibility is that threat actors are pushing white-label products at inflated prices using ads paid for by the victim organization.

How did we find it?

• MDR for Endpoint blocked PowerShell code executed by the shortcut file.

What did we do?

• Our team of 24/7 SOC Cyber Analysts isolated the host and alerted the customer while an investigation took place.

What can you learn from this TRU Positive?

• DUCKTAIL operators use LinkedIn to find targets of interest, primarily those with possible access to manage Facebook Ads. Users should remain vigilant when communicating on the platform, particularly in private messages.
• Social media channels provide an out-of-band method for threat actors to conduct social engineering attacks. These attacks bypass traditional, heavily monitored vectors such as email.
• DUCKTAIL is a risk to all users. Its information stealing capabilities open up possible monetization options for threat actors for fraud and other attacks.

Recommendations from our Threat Response Unit (TRU) Team:

• Protect endpoints against malware by:
  • Ensuring antivirus signatures are up-to-date.
  • Using a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and contain threats.
• Victims should review their Facebook Business users for unauthorized users.

• Raise awareness of malware masquerading as legitimate applications, and include in your Phishing and Security Awareness Training (PSAT) program. An effective PSAT program emphasizes building cyber resilience by increasing risk awareness, rather than trying to turn everyone into security experts.

Indicators of Compromise