In evaluating the spate of info-stealing malware distributed over the past couple of months, the Zscaler ThreatLabz research team has come across an interesting campaign. The PHP version of the Ducktail Infostealer is being actively distributed while posing as a free/cracked application installer for a variety of applications, including games, Microsoft Office applications, Telegram, and others.
Ducktail has been around since 2021 and is attributed to a Vietnamese threat group. Campaigns to date have focused on taking over Facebook Business accounts, both to manipulate pages and to access financial information.
This blog will show the attack chain, decipher and explain the stages of execution, and provide technical analysis of the PHP code of Ducktail Infostealer.
The following figure is a pictorial representation of how the PHP version of Ducktail stealer is being distributed and its execution on the victim's machine.
Figure 1: Attack chain & Flow of Execution
Similar to previous attacks, the malicious installer is being hosted at a file hosting website which in our case was “mediafire[.]com”.
However, compared to previous campaigns, changes have been made in the execution of malicious code. Now, the threat actors have switched to a scripting version whereby the main stealer code is a PHP script and not a .Net binary.
For the purpose of analysis, we have taken the sample with MD5 DF071DF2784573C444CA6E1421E3CB89 to demonstrate the execution flow and to explain the PHP script carved out of it.
Upon execution, the fake installer pops up a ‘Checking Application Compatibility’ GUI in the frontend. In the backend, it generates a .tmp file that re-initiates the installer with the “/Silent” parameter, after which another .tmp file is generated. This second .tmp file drops all the supporting and malicious files at “%Localappdata%\Packages\PXT\v2-0\” (in our present scenario) and then executes two processes (as depicted in the above figure) to achieve the purposes described below.
To achieve persistence, a series of events takes place to execute the malicious payload, named “libbridged.exe”, on the system. Its purpose or functionality is to schedule tasks in three forms to ensure that the malicious code gets executed on a daily basis and on regular intervals.
To do this, a PHP script is passed as input to php.exe rather than invoking the job scheduling binary directly. The PHP script (in our present case named “switcher.php”) contains code to decrypt a base64 encoded text file (in our case named “switcher.txt”). Executing the decrypted content of the text file ultimately launches the custom job scheduling binary, as shown in the screenshot below.
Figure 2: Job Scheduling
The job scheduling binary is a .NET binary. The figure below shows the code inside the binary, which schedules tasks at three different levels.
Figure 3: Code of custom Job scheduling binary
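As an added example that is not part of the ThreatLabz write-up, the following Python sketches detection logic for the execution chain just described (the silent re-launch through a .tmp stub, php.exe running a script out of the Packages drop folder, and php.exe spawning the scheduler binary) over constructed process-creation records; the event field names and the sample paths are assumptions, and a benign php.exe launch is included to show it does not fire.

```python
import re

# The blog reports the drop location %LOCALAPPDATA%\Packages\PXT\v2-0\; matching the
# parent Packages folder catches renamed sub-folders as well (assumption).
PACKAGES_RE = re.compile(r"\\AppData\\Local\\Packages\\", re.IGNORECASE)


def classify(event):
    """Return the Ducktail-style behaviours matched by one process-creation event.

    Event keys (assumed schema): pid, image, cmdline, parent_image."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    parent = event["parent_image"].lower()
    in_pkg = bool(PACKAGES_RE.search(event["image"]) or PACKAGES_RE.search(event["cmdline"]))
    hits = []
    # Stage 1: a temp-file stub re-launches the installer with the /Silent switch
    if "/silent" in cmd and (parent.endswith(".tmp") or image.endswith(".tmp")):
        hits.append("silent_relaunch_via_tmp")
    # Stage 2: php.exe run from a user-writable Packages folder with a .php script
    if image.endswith("\\php.exe") and in_pkg and ".php" in cmd:
        hits.append("php_from_packages_dir")
    # Stage 3: php.exe spawning a child executable out of that same folder
    if parent.endswith("\\php.exe") and in_pkg and image.endswith(".exe"):
        hits.append("php_spawns_exe_from_packages_dir")
    return hits


def detect(events):
    """Flatten (pid, behaviour) pairs; events with no hits are dropped."""
    return [(e["pid"], h) for e in events for h in classify(e)]


# Constructed sample telemetry modelled on the chain in the blog (not real logs).
PKG = r"C:\Users\victim\AppData\Local\Packages\PXT\v2-0"
SAMPLE_EVENTS = [
    {"pid": 100, "parent_image": r"C:\Users\victim\AppData\Local\Temp\is-1234.tmp\setup.tmp",
     "image": r"C:\Users\victim\Downloads\Office Pro 2021.exe",
     "cmdline": r'"C:\Users\victim\Downloads\Office Pro 2021.exe" /Silent'},
    {"pid": 101, "parent_image": r"C:\Users\victim\AppData\Local\Temp\is-5678.tmp\setup.tmp",
     "image": PKG + r"\php.exe", "cmdline": f'"{PKG}\\php.exe" switcher.php'},
    {"pid": 102, "parent_image": PKG + r"\php.exe",
     "image": PKG + r"\libbridged.exe", "cmdline": f'"{PKG}\\libbridged.exe"'},
    # Benign: a developer running PHP from a normal install location
    {"pid": 200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\php\php.exe", "cmdline": r'"C:\php\php.exe" artisan serve'},
]

if __name__ == "__main__":
    for pid, hit in detect(SAMPLE_EVENTS):
        print(pid, hit)
```

The three stages fire on the three malicious events and nothing fires on the benign one; in production the Stage 2 and 3 rules are the ones worth alerting on, since /Silent re-launches are common to legitimate installers.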
Similar to the previous steps, the stealer code is also decrypted at runtime in memory and then performs its stealing and data exfiltration operations. The code is explained later in this post. It is worth noting that instead of building a single binary that performs all actions, the threat actors have split the execution into parts according to their intended purpose. With that, let’s dive into the technical analysis of the Ducktail PHP code.
Here, the primary task is to call a PHP script that performs the malicious functions on the system. Instead of calling the script directly, it walks through a sequence of steps. We were able to retrieve the decoded malicious code from memory, and our findings follow.
First, the stealer creates PHP associative arrays that are used when sending the data to the C&C server, as shown in the following screenshot:
Figure 4: Sending data to command-and-control server
It uses cURL for receiving and sending files over HTTP. Below is the list of switches used by the malware during communication:
Figure 5: CURL commands to send and receive data
The following table summarizes the various functions performed by the stealer:

| Command | Description |
|---|---|
| upload | Uploads the victim's sensitive information to the server |
| getTask | Creates the pattern of stolen data that will be sent in the POST request |
| getMac | Fetches the machine ID details from the victim system |
| readDirs | Gets the details of the different directories from which data will be stolen |
| deleteAllFolder | Deletes all the files and folders where the malware copied the stolen information |
| Xcopy with 0755 | Copies files and directories, including subdirectories, with 0775 permission, which means read and execute access for everyone and also write access for the owner of the file |
| BVZipArchive | Compresses all the stolen files and folders |
| Browser | Extracts information about the browsers installed on the victim machine |
| parseCookie | Extracts browser cookie details from the system |
| parseChromium | Extracts details from the Chrome browser |
| parseMoz | Extracts details from the Mozilla browser |
The malicious script collects information about the browsers installed on the system, extracts the required data from them, such as machineID, browser version, and filename, and copies this data. It performs the following steps during browser stealing, as shown in the screenshot below:
Figure 6: Browser stealing routine
The malware scrutinizes various Facebook pages to steal information from them. These pages belong to the Facebook Graph API, Facebook Ads Manager, and Facebook Business accounts. It uses the c_user value set by Facebook to fetch the victim's unique Facebook user ID, as shown in the screenshot below.
Figure 7: c_user argument is used to fetch the Facebook user ID
Looking over Facebook Business Ads Manager links, the malware tries to obtain account and payment cycle details, which it later combines with the details already fetched from the browser's Local State file.
Figure 8: Malware looks for account details
The following are the details that the malware attempts to fetch from the Facebook Business pages:
Figure 9: Account fields being fetched
After infection, the PHP script tries to connect to the C&C server to retrieve a list of contents stored in JSON format, which is then used to gather information. The URL pattern is shown below:
Figure 10: Retrieving JSON data from command and control site
Instead of hardcoding the targeted folder names and URLs, the threat actors keep a list of targeted folders and URLs on the C&C panel; this list is downloaded first and only then is the information collected.
Figure 11: Contents kept at C&C location which will be used for achieving successful implementation of stealing code
After completing its stealing activities, the malware sends the data to its C&C server in JSON format, as shown in the figure below.
Figure 12: Stolen data sent to command and control server
The threat actors behind the Ducktail stealer campaign are continuously changing and enhancing their delivery mechanisms and their approach to stealing a wide variety of sensitive user and system information from users at large. Zscaler’s ThreatLabz team continues to monitor the campaign and will bring to light any new findings it comes across.
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects payloads with the following threat name:
| MD5 | Filename | PDB Path | Purpose |
|---|---|---|---|
| DF071DF2784573C444CA6E1421E3CB89 | Office Pro 2021.exe | None | Drops supporting files and executes the malicious files |
| 2FE1997F5339F97598DA1FEE5C1201A4 | Cunprotectdata40.exe | E:\Workspace\Projects\scancookieserver2\ToolsCheckCookie\CUnProtectData\obj\Release\cunprotectdata.pdb | Drops supporting files and executes the malicious files |
| F7C7E9C1CD68602F9BBB5033B3794E26 | Cunprotectdata20.exe | E:\Workspace\Projects\scancookieserver2\ToolsCheckCookie\CUnProtectData\obj\Release\cunprotectdata.pdb | Customized utility for obtaining the browser password decryption key |
| 8DC37D09F1A77B939A7373E6134E4824 | libbridged.exe | C:\Users\Elon Musk VB\Workspace\scancookieserver2\ToolsCheckCookie\UpdaterTriggerPHP\obj\Release\libbridged.pdb | Job scheduling binary |
| 321442C6546A63E5315EB321341DFBBA | libbridged.exe | E:\Workspace\Projects\scancookieserver2\ToolsCheckCookie\UpdaterTriggerPHP\obj\Release\libbridged.pdb | Job scheduling binary |
| 129a3ff92f28eda3cf830b53f19cacef | switcher.txt | None | Encoded text file containing the commands that execute the job scheduling binary |
| 73443d64cd55f505a52a3e670507e231 | bvone.txt | None | Encoded text file containing the stealer and exfiltration code |
| ID | Technique |
|---|---|
| T1059 | Command and Scripting Interpreter |
| T1064 | Scripting |
| T1140 | Deobfuscate/Decode Files or Information |
| T1082 | System Information Discovery |
| T1083 | File and Directory Discovery |
| T1005 | Data from Local System |
| T1047 | Windows Management Instrumentation |
| T1003 | OS Credential Dumping |
| T1018 | Remote System Discovery |
| T1518.001 | Security Software Discovery |