According to the report, the malware searches for shortcuts to Chromium-based browsers, such as Google Chrome, Microsoft Edge, Vivaldi, and Brave.
“Having found one, the malware alters its command line by adding an instruction to install a browser extension, which is also embedded in the executable file,” said the researchers
New Delhi:
Cybersecurity researchers have discovered a new version of malware from the “Ducktail” family to steal Facebook Business accounts, a new report has shown.
According to the cybersecurity company Kaspersky, cybercriminals are using malicious browser extensions to target company employees who either hold fairly senior positions or work in HR, digital marketing, or social media marketing.
“Their ultimate goal is to hijack Facebook Business accounts, so it makes sense that the attackers are interested in folks most likely to have access to them,” the researchers said.
Ducktail is a specifically designed information stealer with serious consequences such as privacy violations, financial losses, and identity theft.
To hack users’ FB accounts, cybercriminals behind Ducktail send out malicious archives to their potential victims that contain bait in the form of theme-based images and video files on a common topic.
Inside these archives also include executable files, which contain PDF icons and very long file names to divert the victim’s attention from the exe extension.
Additionally, the names of the fake files appeared to be carefully chosen for relevance so as to persuade the recipients to click on them.
In the fashion-themed campaign, the names referred to “guidelines and requirements for candidates”, but other bait like, say, price lists or commercial offers, can be used as well, the report noted.
After first opening the exe file in the hopes that the victim will not notice anything unusual, it displays the contents of a PDF file that the malicious code has embedded in it.
Notably, the malware simultaneously scans all desktop shortcuts, the Start menu, and the Quick Launch toolbar.
According to the report, the malware searches for shortcuts to Chromium-based browsers, such as Google Chrome, Microsoft Edge, Vivaldi, and Brave.
“Having found one, the malware alters its command line by adding an instruction to install a browser extension, which is also embedded in the executable file,” said the researchers.
“Five minutes later, the malicious script terminates the browser process, prompting the user to restart it using one of the modified shortcuts,” they added.
Meanwhile, Microsoft has discovered a supply chain attack by Diamond Sleet (formerly ZINC), a North Korea-based threat actor known to target media, defense, and information technology (IT) industries globally. The attack involves a malicious variant of a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload.
Diamond Sleet focuses on espionage, theft of personal and corporate data, financial gain, and corporate network destruction. The group is known to use a variety of custom malware that is exclusive to it.
This suspicious activity associated with the modified CyberLink installer file was observed by Microsoft Threat Intelligence researchers as early as October 20, 2023. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.
IANS