Introduction
In evaluating the spate of info-stealing malware being distributed over past couple of months, the Zscaler ThreatLabz research team has come across an interesting campaign. The PHP version of Ducktail Infostealer is actively being distributed by pretending to be a free/cracked application installer for a variety of applications including games, Microsoft Office applications, Telegram, and others.
Ducktail has been around since 2021, and is attributed to a Vietnamese threat group. Campaigns to-date have focused on taking over Facebook Business accounts, both to manipulate pages and to access financial information.
This blog will show the attack chain, decipher and explain the stages of execution, and provide technical analysis of the PHP code of Ducktail Infostealer.
Executive summary
- The instances of the Ducktail infostealer were identified in late 2021. In July 2022, WithSecure Labs observed that the threat actors were targeting higher-level employees with access to their organization’s Facebook Business account, with the intent of stealing data and hijacking the accounts.
- Earlier versions (observed by WithSecure Labs) were based on a binary written using .NetCore with Telegram as its C2 Channel to exfiltrate data.
- In August 2022, the Zscaler Threatlabz team saw a new campaign consisting of a new edition of the Ducktail Infostealer with new TTPs.
- Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.
- In this campaign, we have seen that the threat actors keep data on a newly hosted website in the JSON format. This data is used and called later on to perform stealing activities on the victim’s machine. Once the theft is completed, the same website is used to store the stolen data.
- The threat actors are now targeting the public at large, rather than specifically targeting employees with Admin or Finance access to Facebook Business accounts.
- While exploring the campaign, we observed that the malicious executable files are mostly in .ZIP format and hosted on file sharing platforms, posing as cracked or free versions of Office applications, games, subtitle files, porn related files, and others.
Attack Chain & Flow of Execution
The following figure is a pictorial representation of how the PHP version of Ducktail stealer is being distributed and its execution on the victim's machine.
Figure 1: Attack chain & Flow of Execution
Similar to previous attacks, the malicious installer is being hosted at a file hosting website which in our case was “mediafire[.]com”.
However, compared to previous campaigns, changes have been made in the execution of malicious code. Now, the threat actors have switched to a scripting version whereby the main stealer code is a PHP script and not a .Net binary.
For the purpose of analysis, we have taken DF071DF2784573C444CA6E1421E3CB89 md5 to demonstrate the execution flow and to explain the PHP script carved out from the same.
Execution Flow
Upon execution, the fake installer pops-up a ‘Checking Application Compatibility’ GUI in the frontend. In the backend, it generates a .tmp file that re-initiates the installer with “/Silent” parameter and thereafter another .tmp file gets generated. The latter generated .tmp file then drops all the supporting files and malicious files at “%Localappdata%\Packages\PXT\v2-0\” location (in our present scenario) and then executes two processes (as depicted in above figure) to achieve the below mentioned purposes.
Job Scheduling/Persistence:
To achieve persistence, a series of events takes place to execute the malicious payload, named “libbridged.exe”, on the system. Its purpose or functionality is to schedule tasks in three forms to ensure that the malicious code gets executed on a daily basis and on regular intervals.
In order to achieve the same, a PHP script is passed as an input to the php.exe rather than directly leveraging the job scheduling binary. The PHP script (in our present case named as “switcher.php”) consists of code to decrypt a base64 encoded text file (which in our case is named as “switcher.txt”). The execution of the decrypted version of the text file will lead to the execution of the custom job scheduling binary as the final outcome, as shown in the below screenshot.
Figure 2: Job Scheduling
The job scheduling binary is a dotNet binary. The below figure exhibits the code present inside the binary, aiming to schedule tasks at three different levels.
Figure 3: Code of custom Job scheduling binary
Stealing of data and its exfiltration:
Similar to previous steps, the stealer code also gets decrypted at runtime in memory and subsequently performs stealing operations and exfiltration of data. The code explanation of the same will be discussed later. It is worth noting that instead of making a one-go binary that would perform all actions, the threat actors have divided the execution into parts based on their intended purpose. With that, let’s dive into the technical analysis of the Ducktail PHP code.
Code Analysis of Ducktail PHP script
Here, the primary task is to call a PHP script which performs malicious functions in the system. Instead of calling the script directly, it walks through a sequence of steps. We are able to fetch the decoded malicious code through memory and following are the findings of it:
Maware functionality summary
- Fetches browser information installed in the system.
- Pulls out stored information of browser cookies from the system.
- Targets Facebook Business accounts.
- Looks for crypto account information in the wallet.dat file.
- Collects and sends the data to the command and control (C&C) server.
Firstly, the stealer creates PHP Associative Arrays which will be used at the time of sending the data to C&C. Please find the following screenshot for this:
Figure 4: Sending data to command-and-control server
It uses the CURL command for receiving and sending the files over HTTP. Below is the list of switches used by malware during communication :
- CURLOPT_URL : Data to send
- CURLOPT_RETURNTRANSFER : Converts output to a string rather than directly to the screen.
- CURLOPT_ENCODING : tells the server what types of encoding it will accept.
- CURLOPT_MAXREDIRS : maximum number of redirects allowed
- CURLOPT_TIMEOUT : maximum time the transfer is allowed to complete
- CURLOPT_HTTP_VERSION : specifies HTTP protocol version to use
- CURLOPT_CUSTOMREQUEST : Request method such as GET, POST
- CURLOPT_POSTFIELDS : Data to POST to server.
- CURLOPT_SSL_VERIFYPEER : verifies the peer's SSL certificate. Value should be either TRUE or FALSE.
Figure 5: CURL commands to send and receive data
The following table articulates the various functions performed by the stealer:
Command | Description |
upload | Victim sensitive information uploaded to the server |
getTask | Creates the pattern of stolen data which will be sent during POST request |
getMac | Fetches the details of machine ID from the victim system |
readDirs | Gets the details of different directories from which data will be stolen |
deleteAllFolder | Deletes all the files and folders where malware copied the stolen information |
Xcopy with 0755 | Copies files and directories, including subdirectories with 0775 permission, which means read and execute access for everyone and also write access for the owner of the file |
BVZipArchive | Compresses all the stolen files and folders |
Browser | Extracts the information of installed browsers in the victim machine |
parseCookie | Extracts details of browser cookies from the system |
parseChromium | Extracts details of Chrome browser |
parseMoz | Extracts details of Mozilla browser |
Browser Stealing
The malicious script collects information about installed browsers in the system and extracts the required data from it such as machineID, browser version, and filename, and copies this data. It performs following steps during browser stealing:
- Gets the details of profiles used in Chrome browser. Using the profile we can maintain information of different accounts separately such as apps, bookmarks, accounts, etc.
- Gets the details of the local state file in the “%APPDATA%/Google/Chrome/User Data” in Windows. Local State is a JSON file that is located directly under Chrome's user data directory. This file allows you to find the list of created profiles.
- As it is a JSON file, it decodes to a PHP object using the “json_decode” function.
- Once it gets the local state file access, it tries to get the information for the os_crypt field present in the local state file which is base-64 encoded. This includes victims’ profile information and other highly sensitive data protected by OSCrypt by Chrome in the local state file.
- It tries to decode data using an AES 256 decrypt key which is called by currentdata40.exe file. Usually Chrome encrypts its highly sensitive data using AES 256 encryption. This feature is known as local data encryption.
- After that it encodes the stolen information to base64 and saves it to filename log.txt. Cookie information is saved to c.txt and then sent to C&C.
- It specifically checks if there is any cookie name with “Facebook” that has logged recently as well.
Please find the screenshot below:
Figure 6: Browser stealing routine
Targeting Facebook to steal information
The malware scrutinizes the various Facebook pages to steal information from them. These pages belong to Facebook API graph, Facebook Ads Manager, and Facebook Business accounts. It uses the c_user argument which is placed by Facebook to fetch the unique User ID of the victim machine, as shown in the below screenshot.
Figure 7: c_user argument is used to fetch the Facebook user ID
Looking over Facebook Business Ads Manager links, the malware will try to get details of accounts and payment cycles which it will later combine with details that have already been fetched from the local state file.
Figure 8: Malware looks for account details
The following are the details that the malware attempts to fetch from the Facebook Business pages:
- Payment initiated
- Payment required
- Verification Status
- Owner ad accounts
- Amount spent
- Currency details
- Account status
- Ads Payment cycle
- Funding source
- Payment method [ credit card, debit card etc.]
- Paypal Payment method [email address]
- Owned pages.
Figure 9: Account fields being fetched
Network activity
Post infection, the PHP script tries to connect to the C&C server to get the list of contents stored in JSON format, which further will be used to gather information. The URL pattern of the same is shown below:
Figure 10: Retrieving JSON data from command and control site
Instead of using the hardcoded targeted folder names and URLs, the threat actors have kept a list of targeted folders and URLs which gets downloaded from the C&C panel first and then the information is collected.
Figure 11: Contents kept at C&C location which will be used for achieving successful implementation of stealing code
After it has completed its stealing activities, the malware then sends the data to its C&C server in JSON format, as shown in below figure.
Figure 12: Stolen data sent to command and control server
Conclusion
It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancement in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting users at large. Zscaler’s ThreatLabz team is continuously monitoring the campaign and will bring to light any new findings that it will come across.
Zscaler Sandbox Report
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects payloads with following threat name:
Indicators of Compromise (IoCs)
| Md5 | Filename | PDB Path | Purpose |
|---|---|---|---|
| DF071DF2784573C444CA 6E1421E3CB89 | Office Pro 2021.exe | None | To drop supporting files and executing the malicious files |
| 2FE1997F5339F97598DA 1FEE5C1201A4 | Cunprotectdata40.exe | E:\Workspace\Projects\scancookieserver2\ ToolsCheckCookie\CUnProtectData\ obj\Release\cunprotectdata.pdb | To drop supporting files and executing the malicious files |
| F7C7E9C1CD68602F9BBB 5033B3794E26 | Cunprotectdata20.exe | E:\Workspace\Projects\scancookieserver2\ ToolsCheckCookie\CUnProtectData\obj\ Release\cunprotectdata.pdb | customized utility for getting browser password decryption key |
| 8DC37D09F1A77B939A7373 E6134E4824 | libbridged.exe | C:\Users\Elon Musk VB\Workspace\ scancookieserver2\ToolsCheckCookie\ UpdaterTriggerPHP\obj\Release\ libbridged.pdb | Job Scheduling binary |
| 321442C6546A63E5315EB321 341DFBBA | libbridged.exe | E:\Workspace\Projects\scancookieserver2\ ToolsCheckCookie\UpdaterTriggerPHP\ obj\Release\libbridged.pdb | Job Scheduling binary |
| 129a3ff92f28eda3cf830b53f19c acef | switcher.txt | None | encoded text file which consists of commands to execute Job Scheduling binary |
| 73443d64cd55f505a52a3e6705 07e231 | bvone.txt | None | encoded text file which consists of stealer and exfiltration code |
MITRE ATT&CK AND TTP Mapping
ID | Tactic |
T1059 | Command and Scripting Interpreter |
T1064 | Scripting |
T1140 | Deobfuscate/Decode Files or Information |
T1082 | System Information Discovery |
T1083 | File and Directory Discovery |
T1005 | Data from Local System |
T1047 | Windows Management Instrumentation |
T1003 | OS Credential Dumping |
T1018 | Remote System Discovery |
T1518.001 | Security Software Discovery |
