Windows PHP malware targets Facebook accounts, crypto wallets

MyBroadband, 17 October 2022

An updated Ducktail phishing campaign is spreading malware written in PHP and designed to steal Facebook accounts, browser data, and crypto wallets, according to a Bleeping Computer report (https://www.bleepingcomputer.com/news/security/new-php-information-stealing-malware-targets-facebook-accounts/).

The malware affects Windows devices and is distributed using bait related to video games, adult videos, subtitle files, and cracked Microsoft Office applications.

Cybersecurity researchers from WithSecure first discovered Ducktail phishing campaigns in July 2022.

These early Ducktail operations relied on social engineering attacks on LinkedIn and pushed .NET Core malware disguised as PDFs.

However, Ducktail has now replaced the .NET Core malware with one written in PHP. The disguised malware is hosted in ZIP format on legitimate file-hosting platforms.

Installation happens in the background while the victim is presented with fake compatibility-check pop-ups, and the malware is extracted to the %LocalAppData%\Packages\PXT folder.

The folder contains the PHP.exe local interpreter, several scripts designed to steal information, and supporting tools.

According to the report, the malware can then add scheduled tasks to execute on the host device at regular intervals. At the same time, a generated TMP file launches the stealer component in parallel.

The stealer component is Base64-encoded and decoded directly in memory to minimize the chance of detection.

The Ducktail malware targets extensive Facebook account details, data stored in browsers, browser cookies, crypto wallet and account information, and system data.

Earlier Ducktail campaigns exfiltrated stolen data to Telegram. However, the latest campaign sends data to a JSON website that also hosts account tokens and data required to perform on-device fraud.