An updated Ducktail phishing campaign is spreading malware written in PHP and designed to steal Facebook accounts, browser data, and crypto wallets, according to a Bleeping Computer report.
The malware affects Windows devices and is distributed using bait related to video games, adult videos, subtitle files, and cracked Microsoft Office applications.
Cybersecurity researchers from WithSecure first discovered Ducktail phishing campaigns in July 2022.
These early instances of Ducktail phishing operations relied on social engineering attacks on LinkedIn and pushed .NET Core malware disguised as PDFs.
However, Ducktail has now replaced the .NET Core malware with one written in PHP. The disguised malware is hosted in ZIP format on trustworthy file-hosting platforms.
Installation happens in the background while the victim is presented with fake compatibility check pop-ups, and the malware is extracted to the %LocalAppData%\Packages\PXT folder.
The folder contains the PHP.exe local interpreter, several scripts designed to steal information, and supporting tools.
According to the report, the malware then adds scheduled tasks so that it executes on the host device at regular intervals, while a generated TMP file launches the stealer component in parallel.
The stealer component is Base64-encoded and decoded directly in memory to minimize the chance of detection.
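The installation chain described above (a PHP interpreter dropped under %LocalAppData%\Packages\PXT, scheduled tasks for persistence, and a parallel launch of the stealer) gives defenders a few concrete things to hunt for in process-creation telemetry. The following is an added example, not code from the report or from the researchers; it runs a simple set of detection rules over constructed Sysmon-style events, and the field names, usernames and command lines are illustrative assumptions rather than real indicators.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# The folder name and interpreter come from the report; the user, task name and
# script names are made up for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Packages\PXT\php.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Packages\PXT\php.exe" main.php',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /tn Updater /tr "C:\Users\alice\AppData\Local\Packages\PXT\php.exe run.php"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Packages\PXT\php.exe"},
    # Benign developer usage: PHP from a normal install path, spawned from a shell.
    {"Image": r"C:\php\php.exe",
     "CommandLine": r'"C:\php\php.exe" artisan serve',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# A per-user Packages folder is writable without admin rights and is not where
# a legitimate PHP install lives, so an interpreter there is worth flagging.
USER_PACKAGES = re.compile(r"\\AppData\\Local\\Packages\\", re.IGNORECASE)
PHP_EXE = re.compile(r"php\.exe", re.IGNORECASE)


def find_suspicious(events):
    """Return a list of {Image, reasons} for events matching any Ducktail-style rule."""
    hits = []
    for e in events:
        image = e.get("Image", "")
        cmd = e.get("CommandLine", "")
        parent = e.get("ParentImage", "")
        reasons = []
        # Rule 1: PHP interpreter executing from a per-user Packages folder.
        if PHP_EXE.search(image) and USER_PACKAGES.search(image):
            reasons.append("php.exe running from %LocalAppData%\\Packages")
        # Rule 2: persistence via a scheduled task whose action is that interpreter.
        if (image.lower().endswith("schtasks.exe") and "/create" in cmd.lower()
                and PHP_EXE.search(cmd) and USER_PACKAGES.search(cmd)):
            reasons.append("scheduled task created for php.exe under %LocalAppData%\\Packages")
        # Rule 3: anything spawned by that interpreter (e.g. the parallel stealer launch).
        if PHP_EXE.search(parent) and USER_PACKAGES.search(parent):
            reasons.append("child of php.exe running from %LocalAppData%\\Packages")
        if reasons:
            hits.append({"Image": image, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["Image"], "->", "; ".join(hit["reasons"]))
```

In a real deployment the same rules would be expressed in the SIEM or EDR query language and tuned against the developer population that legitimately runs php.exe.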
The Ducktail malware targets extensive Facebook account details, data stored in browsers, browser cookies, crypto wallet and account information, and system data.
Earlier Ducktail campaigns exfiltrated stolen data to Telegram. However, the latest campaign sends data to a JSON website that also hosts account tokens and data required to perform on-device fraud.