New ‘Ducktail’ malware hijacking Facebook business accounts

26 Jul 2022

WithSecure said the Ducktail operation looks for targets on LinkedIn and seeks those who have high-level access to Facebook business accounts.

An ongoing cybercriminal operation is trying to hijack Facebook business accounts using infostealer malware, according to cybersecurity firm WithSecure.

The operation, dubbed Ducktail, is targeting individuals and organisations using Facebook’s ads and business tools. WithSecure said the malware is the first of its kind that is specifically designed to hijack Facebook business accounts.

The company, which is the enterprise security spin-off of F-Secure, found that the threat actor has been actively developing and distributing this malware since the latter half of 2021 and that the motive appears to be financial.

In order to improve the chances of hijacking business accounts, WithSecure said the operation is scouting for individual targets on LinkedIn and hitting them with a spear phishing campaign. The threat actor selects users that are likely to have high-level access to a Facebook business account, especially those with admin privileges.

“We believe that the Ducktail operators carefully select a small number of targets to increase their chances of success and remain unnoticed,” said WithSecure intelligence researcher Mohammad Kazem Hassan Nejad.

“We have observed individuals with managerial, digital marketing, digital media and human resources roles in companies to have been targeted.”

WithSecure said the malware was often delivered to these targets as an archive file, containing the malware executable alongside related images, documents and video files.

The malware is designed to steal browser cookies and abuse the victim’s authenticated Facebook sessions to extract information from their account and ultimately hijack any Facebook business account they have access to.
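The delivery method described above, an executable bundled in an archive alongside images, documents and video files, is a pattern that can be checked for at the mail gateway or on an endpoint before the archive is opened. The following triage script is an added example written for this article and is not WithSecure’s code or anything from the Ducktail report; the archive contents, file names and byte strings it inspects are constructed inline, and the heuristics (executable extensions, double extensions that end in an executable, and a PE `MZ` header hiding under a document or media extension) are general rather than Ducktail-specific indicators.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows will execute directly when a user double-clicks the file.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".msi", ".lnk", ".js", ".vbs", ".ps1", ".hta"}
# Extensions typical of the "lure" material packed next to the payload.
LURE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
             ".xls", ".xlsx", ".ppt", ".pptx", ".mp4", ".mov"}


@dataclass
class ArchiveVerdict:
    # (member name, [reasons]) for every member judged executable
    suspicious: list = field(default_factory=list)
    lure_files: int = 0
    executables: int = 0

    @property
    def matches_lure_pattern(self) -> bool:
        # Executable content mixed with images/documents/video is the
        # packaging the article describes; either alone is much less telling.
        return self.executables > 0 and self.lure_files > 0


def _extensions(member_name: str) -> list:
    """Return all dotted extensions of the file name, lower-cased, in order."""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def triage_archive(zip_bytes: bytes) -> ArchiveVerdict:
    """Inspect every member of a zip archive without extracting it to disk."""
    verdict = ArchiveVerdict()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            final = exts[-1] if exts else ""
            reasons = []

            if final in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {final}")
                if len(exts) > 1 and exts[-2] in LURE_EXTS:
                    reasons.append(f"double extension disguised as {exts[-2]}")

            # Content check: a PE image starts with 'MZ' whatever it is named.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ" and final not in EXECUTABLE_EXTS:
                reasons.append("PE header (MZ) under non-executable extension")

            if reasons:
                verdict.executables += 1
                verdict.suspicious.append((info.filename, reasons))
            elif final in LURE_EXTS:
                verdict.lure_files += 1
    return verdict


def build_sample_archive() -> bytes:
    """Constructed sample: lure media plus two disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Campaign/brand_logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("Campaign/media_plan.docx", b"PK\x03\x04" + b"\x00" * 16)
        zf.writestr("Campaign/promo.mp4", b"\x00\x00\x00\x18ftypmp42")
        # Double extension: shows as a PDF if extensions are hidden.
        zf.writestr("Campaign/Project Details.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        # Wrong extension entirely: a PE image named like a spreadsheet.
        zf.writestr("Campaign/budget.xlsx", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    for name, why in result.suspicious:
        print(f"{name}: {'; '.join(why)}")
    print("lure pattern:", result.matches_lure_pattern)
```

The verdict is deliberately a structured object rather than a bare boolean so that a gateway rule can quarantine on `matches_lure_pattern` while a SOC dashboard still sees which member triggered and why. Nested archives and password-protected zips (which `ZipFile` cannot read without the password) are not handled here and would need separate handling in production.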

The cybersecurity company said with “high confidence” that the operation is conducted by a Vietnamese threat actor. However, there is no clear preference for which region or country the operation targets, as it has been observed in Europe, North America, the Middle East, India and the Philippines.

WithSecure said it can’t determine the success the operation has had in getting past Facebook’s security. However, it found that the Ducktail operation is continuously updating the malware to bypass Facebook security features more effectively.

WithSecure said those with admin access for a Facebook business account should utilise endpoint detection and response technology. They should also review their accounts and revoke admin access for unknown users.

“If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with,” Hassan Nejad said.

Leigh Mc Gowran is a journalist with Silicon Republic