Attempted Delivery of Ducktail and Hawkeyes Payloads Through Drive-by Attacks

BY eSentire Threat Response Unit (TRU)

July 27, 2023 | 7 MINS READ


Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

What did we find?

Our Threat Response Unit (TRU) has observed DUCKTAIL, a malware operation discovered by WithSecure in 2022, within a customer’s environment. The DUCKTAIL malware has general information-stealing capabilities with a focus on Facebook Business accounts.

Operators are known to locate and target individuals likely to have access to these accounts, primarily businesses or individuals responsible for ad services, such as members of marketing teams.

LinkedIn is commonly used to identify and engage targets of interest. In one recent incident, a marketing specialist was contacted via LinkedIn messaging about possible freelance work for a major hotel chain.

Figure 1 LinkedIn message from a compromised account.

After some back and forth, the target was sent a password protected .rar archive containing several decoy files and a shortcut payload.

Figure 2 After some discussion, the target is provided a password protected archive.

The freelance advertisement lure is in line with DUCKTAIL’s historical lures, which focus on marketing/advertising plans and job offers (see the table below).

Payload Name | First Seen
AthletikanAU_Makerting_ Plan_2023.pdf.lnk | 
Details of Project Marketing Plan.lnk | 

In early July 2023, TRU identified several DUCKTAIL cases, including the LinkedIn example above. In the most recent case, the user was sent a .rar file PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.rar which contained a handful of PNG images and a .lnk (shortcut) file masquerading as a PDF.

Figure 3 Contents of the archive.

Examining the .lnk metadata with ExifTool shows that it executes PowerShell commands in a hidden window. The metadata also shows a Machine ID “desktop-oalig8v” and a Drive Serial Number “7838-8B0E”, both of which are linked to other .lnk samples on public malware repositories.

Figure 4 ExifTool output for the shortcut file.
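To reproduce the kind of triage shown in Figure 4 without depending on ExifTool, here is an added example (not code from the bulletin or from eSentire): a minimal .lnk parser written against the [MS-SHLLINK] layout. It reads the ShowCommand, the volume serial number and local target path from LinkInfo, the argument string, and the MachineID and creator MAC address from the TrackerDataBlock. The shortcut it parses is constructed inside the block with placeholder values (serial 1234-ABCD, machine name desktop-example, a placeholder argument string); it is not the case sample.

```python
"""Triage a Windows shortcut (.lnk) without running it.

Added example following the [MS-SHLLINK] layout. It extracts the fields a
defender wants from a suspicious shortcut: window mode, target, arguments,
the LinkInfo drive serial and the TrackerDataBlock MachineID / creator MAC.
The sample shortcut is constructed below with placeholder values.
"""
import struct
import uuid

LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_DATA_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                     (0x20, "arguments"), (0x40, "icon_location")]
TRACKER_DATA_BLOCK_SIG = 0xA0000003
SW_SHOWMINNOACTIVE = 7   # ShowCommand value that "hidden window" shortcuts usually carry


def _cstring(buf, pos):
    """Read a NUL-terminated single-byte string starting at pos."""
    return buf[pos:buf.index(b"\0", pos)].decode("latin-1")


def _string_data(buf, pos, is_unicode):
    """Read one StringData item: CountCharacters (u16) followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if is_unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(buf: bytes) -> dict:
    if len(buf) < 0x4C or buf[:4] != b"\x4c\0\0\0" or buf[4:20] != LINK_CLSID.bytes_le:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    (show_cmd,) = struct.unpack_from("<I", buf, 0x3C)
    info = {"show_command": show_cmd, "hidden_window": show_cmd == SW_SHOWMINNOACTIVE}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:              # skip the IDList; not needed for triage
        (id_list_size,) = struct.unpack_from("<H", buf, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<IIIII", buf, pos)
        if li_flags & 0x1:                           # VolumeIDAndLocalBasePath present
            _vsize, _drive_type, serial = struct.unpack_from("<III", buf, pos + vol_off)
            info["drive_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            info["target"] = _cstring(buf, pos + path_off)
        pos += size
    for flag, key in STRING_DATA_FLAGS:
        if flags & flag:
            info[key], pos = _string_data(buf, pos, bool(flags & IS_UNICODE))
    while pos + 8 <= len(buf):                       # ExtraData blocks until a size < 4
        size, sig = struct.unpack_from("<II", buf, pos)
        if size < 4:
            break
        if sig == TRACKER_DATA_BLOCK_SIG:
            info["machine_id"] = _cstring(buf, pos + 16)
            # The DroidBirth file object id (block offset 80) is a version-1 GUID whose
            # node field is the MAC address of the machine that created the link.
            birth_file = uuid.UUID(bytes_le=buf[pos + 80:pos + 96])
            info["birth_mac"] = ":".join("%02x" % b for b in birth_file.node.to_bytes(6, "big"))
        pos += size
    return info


def build_sample_lnk() -> bytes:
    """Constructed shortcut: PowerShell target, hidden window, placeholder arguments."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le, flags, 0x20,
                         0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    # VolumeID: size, DRIVE_FIXED, placeholder serial 1234-ABCD, label offset, empty label
    volume_id = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\0"
    target = b"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\0"
    vol_off, path_off = 0x1C, 0x1C + len(volume_id)
    suffix_off = path_off + len(target)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, vol_off, path_off, 0,
                            suffix_off) + volume_id + target + b"\0"
    args = '-WindowStyle Hidden -Command "<placeholder command>"'
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    machine_id = b"desktop-example".ljust(16, b"\0")          # placeholder MachineID
    droid = uuid.UUID(int=0).bytes_le * 2                      # volume/file ids (unused here)
    birth = uuid.UUID(int=0).bytes_le + uuid.UUID("11111111-2222-1333-8444-00112233aabb").bytes_le
    tracker = struct.pack("<IIII", 0x60, TRACKER_DATA_BLOCK_SIG, 0x58, 0) + machine_id + droid + birth
    return header + link_info + string_data + tracker + b"\0\0\0\0"   # terminal block


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_lnk()
    for key, value in parse_lnk(data).items():
        print(f"{key:14} {value}")
```

A powershell.exe target combined with SW_SHOWMINNOACTIVE and a hidden-window argument string is the pattern described above; the MachineID and creator MAC are the fields that let you pivot to other shortcuts built on the same machine, which is how the bulletin ties this sample to others in public repositories.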

The PowerShell commands are slightly obfuscated using string replacement methods. Their function is to download two files from impressiondigitals[.]agency:

Decoy PDF:

impressiondigitals[.]agency/files2/PASSION FACEBOOK ADS SPECIALIST - JOB DETAILS.lnk (MD5: 83ecbfdfa31f9934338a0f5b5edfdcfa)

HawkEyes Payload:

impressiondigitals[.]agency/files2/LViS Store Marketing.lnk

The decoy PDF is a fake job offer for a Facebook Ads Specialist; it replaces the malicious .lnk file on disk and is then opened automatically in the next step.

Figure 5 The fake job offer replaces the shortcut on disk and is opened for the user.

The payload 83ecbfdfa31f9934338a0f5b5edfdcfa is an unsigned .NET executable originally named “HawkEyes”. We’ll call this first stage the HawkEyes loader.

Figure 6 File properties for HawkEyes loader.

The first stage payload performs several anti-analysis checks, such as checks for debugging tools (Figure 8), the number of running processes and common malware-sandbox attributes.

Figure 7 Anti-analysis checks performed.

Figure 8 One of the checks looks for a common debugging tool.

Once the anti-analysis checks pass, it decompresses the data stored in the resource HawkEyes.Res1, modifies it by adding random bytes and saves it to the user’s Documents folder under a name with a random number between 50 and 100 appended. The new payload is then started.

Figure 9 Loading the second stage payload.

HawkEyes also contains code to add itself to, or remove itself from, the Startup folder and the registry.

Figure 10 Persistence options.

The new file is another .NET payload (MD5: DCAF0652E1602ECAEDAB32F078C993C9). This payload appears to contain most of the functionality familiar from DUCKTAIL malware.

Figure 11 Second stage payload properties.

DUCKTAIL’s .NET payloads have undergone several changes, and much of the second stage payload is obfuscated. Thankfully, its functionality can still be gleaned from memory analysis, where strings appear in cleartext, base64-encoded and double base64-encoded.

It collects various information about the system using WMI commands and headless Chrome, retrieving network and browser information from whatismybrowser[.]com and ip-api[.]com. This information is stored in “System Information.txt”.

Figure 12 Snippet of information obtained from the system.

Browser data is also collected from the victim’s registry via HKEY_LOCAL_MACHINE\Software\WOW6432Node\Clients\StartMenuInternet.

One possible reason for collecting this information is to closely emulate the system to avoid detection by the target website when connecting with stolen account information.

The data sought by this malware is much like that targeted by general-purpose stealers. Double base64-encoded memory strings show various files and identifiers tied to browsing information, including saved credit cards, cookies, bookmarks, and encrypted logins. We also see strings associated with decrypting stored web credentials.

Figure 13 Browser data sought by the malware. Text in the red box was double encoded in memory.
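A helper for the memory-analysis step described above (an added example, not the authors' tooling): it pulls printable ASCII runs out of a memory blob and peels base64 layers off each one for as long as the result is still printable text, reporting how many layers each string had. The blob it scans is constructed in the block from three browser-artifact names of the kind listed in Figure 13, encoded zero, one and two times; the "Login Data", "Cookies" and "Web Data" names are used only as sample input.

```python
"""Recover cleartext from base64 and double-base64 strings in a memory dump.

Added triage helper: the second-stage payload keeps its strings in memory as
cleartext, base64 and double base64. This scans a blob strings(1)-style and
reports, for each printable run, the decoded text and the number of base64
layers removed. The sample blob is constructed below, not data from the case.
"""
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")
ASCII_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")           # printable runs of 4+ bytes
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")    # candidate base64 blobs


def _is_text(data: bytes) -> bool:
    """True if the bytes decode to printable text (the stop condition for peeling)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(ch in PRINTABLE for ch in text)


def peel_base64(token: str, max_layers: int = 3):
    """Decode base64 repeatedly while the result is still printable text.

    Returns (decoded_text, layers). layers == 0 means the token was not a
    base64 encoding of text (it was already cleartext), and it is returned as-is.
    """
    current = token.encode()
    layers = 0
    while layers < max_layers:
        if not (B64_TOKEN_RE.fullmatch(current.decode()) and len(current) % 4 == 0):
            break
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        if not _is_text(decoded):
            break
        current, layers = decoded, layers + 1
    return (current.decode() if layers else token), layers


def triage_strings(blob: bytes) -> list:
    """Extract ASCII runs from a memory blob and report how each one was encoded."""
    results = []
    for match in ASCII_RUN_RE.finditer(blob):
        raw = match.group().decode()
        decoded, layers = peel_base64(raw)
        results.append({"raw": raw, "decoded": decoded, "layers": layers})
    return results


def build_sample_blob() -> bytes:
    """Constructed memory region mixing the three encodings seen in the case."""
    plain = b"Login Data"
    once = base64.b64encode(b"Cookies")
    twice = base64.b64encode(base64.b64encode(b"Web Data"))
    return b"\x00\x00" + plain + b"\x00" * 3 + once + b"\x00\x01\x02" + twice + b"\x00"


if __name__ == "__main__":
    for entry in triage_strings(build_sample_blob()):
        print(f'{entry["layers"]}x  {entry["raw"]:20} -> {entry["decoded"]}')
```

Treat the layer count as a hint rather than proof: any alphanumeric run of eight or more characters whose length is a multiple of four can decode to printable bytes by chance, so review the decoded text before relying on it.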

This data appears to be stored in various text files and exfiltrated to the C2, a Telegram bot at hxxps://api[.]telegram[.]org/bot6335344897:AAEtQ0t_5DOwFvdUwdvpybdn5a4vHpEegu8/sendDocument, inside an encrypted zip file.

Finally, we see diagnostic output related to collection of Facebook business accounts:

Figure 14 Output related to Facebook account takeover.

DUCKTAIL is known to target Facebook Ad and Business accounts. Operators use stolen login data to add email addresses to Facebook Business accounts. When an email address is added, a registration link is generated through which the threat actor can grant themselves access.

DUCKTAIL uses the victim’s machine to interact with the Facebook API endpoints and configure new email addresses. These email addresses are retrieved from the Telegram C2 at hxxps://api[.]telegram[.]org/bot6335344897:AAEtQ0t_5DOwFvdUwdvpybdn5a4vHpEegu8/getUpdates. Accessing this endpoint does not require authentication and email addresses appear to rotate on set intervals.

Figure 15 Snippet of command and control data present on the Telegram bot.
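The two Telegram Bot API calls described above (sendDocument for exfiltration, getUpdates for tasking) are distinctive in web-proxy logs, where ordinary workstations rarely call api.telegram.org with a bot token in the path. The following detection is an added example, not eSentire's tooling: it scans a constructed "timestamp client method url" proxy log, reports each bot-API request with its role, masks the token so the alert itself does not carry a usable credential, and separately flags hosts that profiled themselves via ip-api[.]com or whatismybrowser[.]com before contacting the bot API, the order observed in this case. The bot id and token in the sample log are placeholders, not the case IoCs.

```python
"""Flag Telegram Bot API traffic in web-proxy logs.

Added detection example. Looks for api.telegram.org/bot<id>:<token>/<method>
in a simple proxy log and reports the method's role as seen in the DUCKTAIL
case (sendDocument = exfiltration, getUpdates = tasking). The log is
constructed below with a placeholder bot id and token.
"""
import re
from urllib.parse import urlsplit

TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<api>\w+)"
)
# How each bot-API method was used in this case
METHOD_ROLE = {
    "sendDocument": "exfiltration (document upload)",
    "getUpdates": "tasking (poll bot chat for operator-supplied data)",
}
# Host-profiling services the malware contacted before talking to its C2
RECON_HOSTS = {"ip-api.com", "whatismybrowser.com", "www.whatismybrowser.com"}

# Constructed sample log: "timestamp client http_method url"; bot id/token are placeholders
SAMPLE_PROXY_LOG = """\
2023-07-10T14:02:11Z 10.0.0.25 GET https://www.whatismybrowser.com/
2023-07-10T14:02:13Z 10.0.0.25 GET http://ip-api.com/json
2023-07-10T14:02:20Z 10.0.0.25 GET https://api.telegram.org/bot0000000000:AAAAplaceholderTOKEN_0000000000/getUpdates
2023-07-10T14:02:41Z 10.0.0.25 POST https://api.telegram.org/bot0000000000:AAAAplaceholderTOKEN_0000000000/sendDocument
2023-07-10T14:03:02Z 10.0.0.31 GET https://www.example.com/index.html
"""


def parse_line(line: str):
    """Split one 'timestamp client http_method url' record."""
    ts, client, http_method, url = line.split(maxsplit=3)
    return ts, client, http_method, url


def mask_token(token: str) -> str:
    """Keep a short prefix for correlation; never write the full bot token to an alert."""
    return token[:4] + "***"


def scan_telegram(log_text: str) -> list:
    """Return one alert per request to the Telegram Bot API."""
    alerts = []
    for line in filter(None, log_text.splitlines()):
        ts, client, http_method, url = parse_line(line)
        m = TELEGRAM_BOT_RE.search(url)
        if not m:
            continue
        alerts.append({
            "ts": ts, "client": client, "http_method": http_method,
            "bot_id": m["bot_id"], "token": mask_token(m["token"]),
            "api_method": m["api"],
            "role": METHOD_ROLE.get(m["api"], "other bot-API call"),
        })
    return alerts


def recon_then_telegram(log_text: str) -> list:
    """Clients that hit a host-profiling service and later the bot API, in that order.

    Either event alone can be benign; the sequence matches the behaviour described
    in the bulletin and is a stronger signal.
    """
    seen_recon, flagged = set(), []
    for line in filter(None, log_text.splitlines()):
        _ts, client, _method, url = parse_line(line)
        host = (urlsplit(url).hostname or "").lower()
        if host in RECON_HOSTS:
            seen_recon.add(client)
        elif host == "api.telegram.org" and client in seen_recon and client not in flagged:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    for alert in scan_telegram(SAMPLE_PROXY_LOG):
        print(f'{alert["ts"]} {alert["client"]} bot {alert["bot_id"]} {alert["api_method"]}: {alert["role"]}')
    print("recon-then-C2 clients:", recon_then_telegram(SAMPLE_PROXY_LOG))
```

The bot id is kept in full because it is the stable pivot across samples; the token is masked because anyone holding it can read the bot's updates, exactly the exposure the bulletin notes for the getUpdates endpoint.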

The common structure of these email accounts ([email protected]) suggests they are generated by the threat actors rather than being compromised accounts.

There are several possibilities for monetizing compromised Facebook Business accounts. Researchers from Deep Instinct recently suggested these accounts could be used to set up imitation business pages and scam unsuspecting customers. Another possibility is that threat actors are pushing white-label products at inflated prices using ads paid for by the victim organization.

How did we find it?

What did we do?

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU) Team:

Indicators of Compromise

HawkEyes Loader

Malicious Shortcut File

eSentire Threat Response Unit (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

