Malware has been rampant for a while now, and there have been many reports of cyberattacks where the user's assets or information had been stolen. As of now, there is a new type of malware that has been targeting Facebook accounts, as mentioned by Digital Trends.
It's a new version of the Ducktail malware which was first detected in July. The malware reportedly collects all Facebook data that is stored in the infected computer. This could pose a threat to those who have sensitive information saved within the app.
What is the Malware's Target?
It's been established that the malware targets Facebook accounts, but initially, it was aimed at employees from organizations that work on the financial and marketing aspects of the company. Since the marketing is in charge of running ad campaigns, they will likely have a payment method saved within Facebook.
If the account is confirmed to be a business account, then the malware will go through extra steps to steal additional information. Those include cycles, amounts spent, owner details, verification status, owned pages, PayPal address, and more.
The malware will allow the hackers to redirect the payments into their own bank accounts, or they can run advertisements themselves to affect more users. This could be the beginning of their expansion from Facebook Business accounts to Facebook users as well.
How Does it Work?
According to Bleeping Computer, the phishing campaign is spreading malware written in PHP, and it steals Windows information like Facebook accounts, browser data, and cryptocurrency wallets.
It will then exfiltrate the data it has stolen to a private Telegram channel which acted as a C2 server. The stolen data may then be used to commit financial fraud or conduct malicious advertising.
People should watch out for fake lures that may disguise themselves in the form of games, subtitle files, adult videos, and cracked Microsoft Office apps. The infected files would even appear to be hosted in ZIP format which also appears on hosting services that usually do not hold infected files.
Once the file is unzipped and installed, it will do so in the background and display pop-ups like "Checking Application Compatibility" in the front. It will then be extracted to the %LocalAppData%\Packages\PXT folder.
The .tmp file that comes with the installer will run a PHP script that loads and executes a custom task scheduler, and at the same time it runs a .bat file which also executes a PHP script, but in this instance, it loads and runs code for stealing data, which will be led to the C2 server of the hacker.
What Can I Do to Prevent This?
First things first, update your antivirus software so the new patches can catch or block the specific malware. If there are no patches yet, steer clear of shady sites. That includes adult video sites, as well as torrent sites.
Don't download files from untrusted websites. You won't know which ones have the new malware that your antivirus can't protect your computer from. Yes, the cracked software might be enticing as opposed to paying for it, but it might do you more harm than good.
Related Article: How to Secure Your Social Media Accounts: Facebook, TikTok, and More
