Lachlan Godding 06 Sep 2023
Quacking the Code: An Analysis of the Ducktail Malware Operation
SenseOn has analysed several variants of a highly targeted malware operation, dubbed ‘ducktail’, which is delivered to victims via tailored spearphishing attacks. While a WithSecure report indicates that this malware has been in circulation since as early as 2018, SenseOn has observed a recent increase in the number of attacks utilising Ducktail, specifically using LinkedIn as the delivery mechanism.
Thought to be developed by Vietnamese threat actors, Ducktail targets users that are likely to have access to Facebook Business accounts, such as high-level marketing employees. The malware steals browser cookies and exploits authenticated Facebook sessions to gain control of victims’ Facebook Business accounts. Once hijacked, the threat actors leverage these accounts to run ads for financial gain.
Sample 1
An archive file containing the Ducktail payload, ‘Hyundai Digital Marketing.zip’, is delivered to the target via a spearphishing link, sent over a social media platform such as LinkedIn. The unzipped folder contents and name are specially crafted by the threat actor to entice the victim into downloading and opening the file. The directory itself contains several benign files located in the ‘2023 product’ and ‘Videos’ folders, to further the image of legitimacy conveyed by the sender.
Despite this, there are two files, both with file names that indicate job or salary information and a misleading icon to suggest a PDF document format.

Looking at the properties of these files, however, it can be clearly seen that they are not PDF documents and are executables, with an original filename of ‘ZipBro1Wall.dll’, created relatively recently in May of this year. Also noteworthy is the large size of the files, at approximately 70 MB, which could indicate these are self-contained applications that can execute without requiring any dependencies on the victim machine.

The first two bytes, “4D 5A”, of the suspect file correspond to the “MZ” header, indicating that the file is indeed a Portable Executable (PE) file.
Detect It Easy (DIE) additionally flags this file as being compiled in C/C++ using Microsoft Visual Studio.
By further analysing the strings found in the file and filtering for any references to GitHub, we discovered a significant number of references to GitHub-hosted .NET package repositories, indicating that the binary may actually be a .NET assembly.
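A more direct check than string hunting is to read the PE headers: a .NET assembly carries a populated CLR Runtime Header in data directory entry 14 of the optional header. The following is an added example (not code from the original post or from SenseOn); the sample PE bytes it builds are constructed for offline use and are not a Ducktail sample.

```python
import struct
import sys

# Constructed minimal PE image used as offline sample input (not a real Ducktail
# sample): only the header fields the checks below read are populated.
def build_sample_pe(with_clr: bool) -> bytes:
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # COFF header: Machine=x64, 1 section, no timestamp/symbols, PE32+ optional header (240 bytes)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)          # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    if with_clr:
        struct.pack_into("<II", opt, 112 + 14 * 8, 0x2008, 0x48)  # CLR Runtime Header RVA/size
    return dos + b"PE\0\0" + coff + bytes(opt)

def inspect_pe(data: bytes) -> dict:
    """Triage a file: MZ/PE signatures, machine type, and whether data directory 14
    (CLR Runtime Header) is populated, which marks a .NET assembly."""
    result = {"is_pe": False, "is_dotnet": False, "machine": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    result["machine"] = machine
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        return result
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                  # PE32: NumberOfRvaAndSizes at 92, directories at 96
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:                # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        nrva_off, dd_off = 108, 112
    else:
        return result
    nrva = struct.unpack_from("<I", data, opt_off + nrva_off)[0] if opt_off + nrva_off + 4 <= len(data) else 0
    clr_off = opt_off + dd_off + 14 * 8
    if nrva > 14 and clr_off + 8 <= len(data):
        clr_rva, clr_size = struct.unpack_from("<II", data, clr_off)
        result["is_dotnet"] = clr_rva != 0 and clr_size != 0
    return result

if __name__ == "__main__":
    print(inspect_pe(open(sys.argv[1], "rb").read()))
```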

Opening this file using the ILSpy .NET decompiler, and navigating to the dependencies of ‘ZipBro1Wal’, several relevant packages can be found including:
- Htmlagilitypack – This is used to read, write and update HTML documents and could be abused to harvest sensitive information from web pages
- sqlite – Given that many browsers store cookies locally using sqlite, the malicious application may abuse this to steal cookies
- OTP.NET – This is used to generate one-time passwords and may be abused to intercept one-time passwords or MFA codes
- Portable.BouncyCastle – As an encryption library, this could be misused by the software for nefarious activities such as encryption of malicious communications, password cracking or digital signature forgery
- RedGate.SmartAssembly – SmartAssembly is a .NET obfuscator
- Telegram.Bot – This is used to connect to Telegram for exfiltration of data to attacker-controlled infrastructure
A closer look at the ‘ZipBro1Wal’ assembly reveals several additional details, including the supposed responsible company ‘SmartBundle’. The description in broken English indicates that the software can be used to fabricate job information used in the initial infection stages.
Also included in this section, is a reference to a GitHub repository under the URL ‘hxxps[://]github[.]com/vi3k6i5/flashtext’. The FlashText library can be used to extract keywords from text, replace keywords in text, and find similar text. In this scenario, the malware authors are likely abusing this to generate phishing and spam messages, created from legitimate ones and tailored to a certain role or organisation.
Looking at the code of the main app, ‘ZipBro1Wal.dll’, the obfuscation by SmartAssembly is very apparent.
Executing the original downloaded file, ‘the role of digital marketing manager of hyundai.exe’, in a sandbox environment monitored by the SenseOn agent, no obvious signs of malicious activity can be seen from the user’s perspective, with MSEdge opening a decoy PDF file corresponding to the filename selected.
Despite this, unbeknownst to the user, the malicious binary opens a headless instance of MSEdge to visit ‘hxxps[://]getip[.]pro’. The below telemetry snippet shows the command run by the malicious process.

The ‘getip[.]pro’ domain returns IP address and browser information for the victim device, presumably to be exfiltrated. This is apparent when analysing the URL in a sandbox.
Further analysing the relevant telemetry collected by the SenseOn agent, there are several network connections over TLS from the malicious executable to Telegram domain ‘api[.]telegram[.]org’, with approximately 190 KBs of data exfiltrated.
The observed malicious activity triggers multiple SenseOn detections meaning that, while the malware hides its malicious behaviour from the end user, it can still be detected on devices monitored by the SenseOn agent.
Examining the ‘C:\Users\<User>\AppData\Local\Temp’ folder post-execution, three new files of interest, ‘sdc_123’, ‘his_ssdc_temp’ and ‘tmp_cap_583’ can be seen. Examining these files more closely, they appear to contain the sensitive information stolen by the malware for exfiltration to Telegram.
More specifically, the ‘sdc_123’ file contains detailed information about the victim device including IP address, physical location, hardware information and browser information.
Meanwhile, the ‘tmp_cap_583’ JPG file is a screenshot of the victim device, just after execution when the decoy PDF file is opened.
Finally, and most significantly, the ‘his_ssdc_tmp’ file is an sqlite file containing browser cookie information including session information, stored credentials along with other information about the victim including browsing history, downloads and recently accessed files.
Opening this file in ‘DB Browser for SQLite’ shows the various tables of sensitive data captured from the victim browser.
Once execution occurs, the malware continues to run as a background process.
This background process periodically calls out to the ‘api[.]telegram[.]org’ domain and uploads a small amount of data. This coincides with updates to the three previously mentioned files of interest, meaning the victims’ information is periodically stolen and exfiltrated.
Despite this, there is no clear attempt to establish persistence. There is no evidence of any residual artefacts or the ‘ZipBro1Wal’ process following a system restart of the infected machine.
Several other Ducktail samples analysed utilised the ‘ZipBro1Wall.dll’ DLL as the main application, with varying decoy documents and titles used to manipulate the victim into running the file.
Sample 2
Analysing a different sample of the Ducktail malware, delivered in a folder named ‘Job description_salary_policy_marketing products_new_list_2023’, a similar but noticeably less sophisticated attempt to convey a sense of legitimacy can be seen from the images provided in addition to the malicious executables.
Unlike the first sample analysed, the malicious binaries contained within this folder have access to a code signing certificate. This certificate, which was signed on June 14th, 2023, has the Vietnamese name ‘NHIEM HUU HAN THIET BI NOI THAT TAKASY’ (translating to ‘TAKASY FURNITURE EQUIPMENT LIMITED’). This was common among analysed samples containing code signing certificates, with other Vietnamese names beginning with ‘CONG TY NHH’ (roughly translating to ‘limited company’) being prevalent.
Interestingly, included in this certificate is an email address, ‘tadchung_mkt@noithattakasy[.]store’; however, checking this address and the corresponding domain ‘noithattakasy[.]store’ against OSINT indicates this is not an active email address. Following a similar analysis to sample 1, these executables are also identified as .NET assemblies. Opening the ‘latest_product_list_and_digital_development_campaigns_2023.exe’ file in ILSpy, the malicious application ‘hm7ig0kfskp.dll’ can be seen.
Analysing the dependencies, there are some key alternative packages compared to the first sample.
- Dapper – This is used to access databases using SQL queries. This could potentially be abused to perform SQL injection attacks or steal cookies.
- Win32.Registry – This is used to access the Windows registry, likely to either steal sensitive data or establish persistence on the infected machine.
Navigating to the program entry point, ‘TestNet5.Program.Main’, there is an unusual namespace, ‘qhqm0rfku7588brc’, in use. Further analysing this namespace, there are a large number of unusually named functions that employ a variety of methods to obfuscate strings used in the main function. Included in these methods are: Base64 encoding, UTF8 encoding and random string concatenation.
Executing this malware sample in a sandbox environment, the observed activity was very similar to the first sample analysed. A headless browser reached out to the same ‘getip[.]pro’ domain for device information. Next, the malware made a connection to ‘api[.]telegram[.]org’, exfiltrating a small amount of data extracted from the browser. Unlike the previous example, however, this sample makes two outbound connections to IP addresses associated with Google just prior to the observed malicious activity.
While the first sample opened up a decoy PDF document to deceive the user with a sense of legitimacy, this sample takes much less care, displaying nothing upon execution. Similar to the previous sample, the malicious process, ‘hm7ig0kfskp’, continues to run as a background process.
Both samples utilise the same JA3 hash, ‘3b5074b1b5d032e5620f69f9f700ff0e’, as shown by the TLS telemetry snippet collected by the SenseOn agent below. Unfortunately, however, this JA3 hash is also used by a number of legitimate Windows tools, so it cannot be used on its own to accurately identify malicious activity.
Indicators of Compromise (IOCs)
Domain IOCs
api[.]telegram[.]org
getip[.]pro

MD5 Hash IOCs
3c57a5cd1625617cb25ff26bed10a8f8
5861441c35fc20e1dedc3263821511d8
4d9988ba7db5a033743f622ae4db62ad
17f473a22fcbbd30ce1119764f1c5c57
9589a82b5623271d512a8a770db4642a
96abd900dd87fa5c431e56b7eac2c262

Certificate SHA1 Hash IOC
B507423422281E621C99B879EFA94CA65C6C32B3
SIGMA Rules
title: Headless Browser Instance
description: Detects instances of headless browsers running
status: experimental
author: Lachlan Godding
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\opera.exe'
            - '\brave.exe'
        # both flags must be present; listing 'CommandLine|contains' twice would be a duplicate YAML key
        CommandLine|contains|all:
            - '--headless'
            - 'dump-dom'
    condition: selection
level: high
title: Telegram API Query
description: Detects DNS queries to api.telegram[.]org
status: experimental
author: Lachlan Godding
logsource:
    category: dns
detection:
    selection:
        query: 'api.telegram.org'
    condition: selection
level: medium
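To show what the headless-browser rule above actually matches, here is an added example (not part of the original post or of any Sigma tooling) that evaluates the same selection, with the `endswith` and `contains|all` modifiers, over a few constructed process_creation events; the events are made up for illustration and are not SenseOn telemetry.

```python
# Constructed process_creation events (not real SenseOn telemetry); the first
# mirrors the headless MSEdge launch described in the analysis above.
EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --headless --disable-gpu --dump-dom https://example.invalid/"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --profile-directory=Default https://example.invalid/"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo --headless dump-dom"},
]

# The selection from the Sigma rule above, expressed as a Python dict.
HEADLESS_BROWSER = {
    "Image|endswith": ["\\chrome.exe", "\\msedge.exe", "\\firefox.exe", "\\opera.exe", "\\brave.exe"],
    "CommandLine|contains|all": ["--headless", "dump-dom"],
}

def _match_field(value: str, modifiers: list, patterns: list) -> bool:
    """Apply a Sigma string modifier chain; Sigma string matching is case-insensitive."""
    v = value.lower()
    pats = [p.lower() for p in patterns]
    if modifiers == ["endswith"]:
        return any(v.endswith(p) for p in pats)
    if modifiers == ["contains"]:
        return any(p in v for p in pats)          # any listed value is enough
    if modifiers == ["contains", "all"]:
        return all(p in v for p in pats)          # every listed value must occur
    raise ValueError(f"unsupported modifiers: {modifiers}")

def selection_matches(selection: dict, event: dict) -> bool:
    """Every key in a Sigma selection map must match (AND semantics within the map)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event or not _match_field(event[field], modifiers, patterns):
            return False
    return True

def find_hits(events, selection=HEADLESS_BROWSER):
    return [e for e in events if selection_matches(selection, e)]
```

The second event (a normal Edge launch) and the third (both flags but the wrong image) are deliberately left unmatched, which is why the rule needs `contains|all` rather than a single `contains`.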
Yara Rules
rule ducktail_ZipBro1Wal
{
    meta:
        description = "Detects Ducktail samples using the ZipBro1Wal payload"
        author = "Lachlan Godding"
    strings:
        // dependencies
        $a1 = "Telegram.Bot" ascii fullword
        $a2 = "Portable.BouncyCastle" ascii fullword
        $a3 = "Microsoft.Data.Sqlite" ascii fullword
        $a4 = "SmartAssembly" ascii fullword
        $a5 = "Otp.NET"
        // identifiers from the decompiled assembly
        $b1 = "SDCBundle" ascii fullword
        $b2 = "AppRunHandler" ascii fullword
        $b3 = "CryptService" ascii fullword
        $b4 = "FileUtils" ascii fullword
        $b5 = "SmartBundle" ascii fullword
        $c1 = "GUID_APP" ascii fullword
        $c2 = "typeName" ascii fullword
        $c3 = "methodName" ascii fullword
    condition:
        uint16(0) == 0x5a4d // MZ header (PE file); YARA comments use //, not #
        and 4 of ($a*)
        and ( 2 of ($b*) or 2 of ($c*) )
}
rule ducktail_cong
{
    meta:
        description = "Detects Ducktail samples using the hm7ig0kfskp payload"
        author = "Lachlan Godding"
    strings:
        // dependencies
        $a1 = "Telegram.Bot" ascii fullword
        $a2 = "Portable.BouncyCastle" ascii fullword
        $a3 = "Sqlite" ascii fullword
        $a4 = "Dapper"
        // identifiers from the decompiled assembly
        $b1 = "Cryptor" ascii fullword
        $b2 = "FileOpenHandler" ascii fullword
        $b3 = "NewData" ascii fullword
        $b4 = "TestNet5" ascii fullword
        // code signing certificate details
        $c1 = "CONG" ascii fullword
        $c2 = "noithattakasy.store" ascii fullword
    condition:
        uint16(0) == 0x5a4d // MZ header (PE file)
        and all of ($a*)
        and ( 2 of ($b*) or 1 of ($c*) )
}