Ducktail has been tracked hacking Facebook Business accounts, using malware to steal information and hijack accounts to run their own ads with the victim's money.

The cybercriminal operation has compromised business accounts using WhatsApp, which resulted in a loss of up to $600,000 in advertising credits, Bleeping Computer writes.

Ducktail's Tactics Are Evolving As It Gets To High-Privilege Roles

Ducktail, which is believed to be based in Vietnam, was first discovered earlier this year when it targeted Facebook business accounts that let companies reach specific audiences through paid campaigns.

The hackers used to introduce info-stealing malware through LinkedIn, launching the malware file with names relating to brands, products, and other information relevant to the victim. 

However, to avoid detection, Ducktail operators pivoted with their tactics, targeting thor newest victims over WhatsApp with malicious payloads to get access to Facebook business accounts.

Researchers say that these business accounts are often associated with multiple email addresses with various permissions for the admin, employees, and finance analysts and editors.

According to Dark Reading, when hackers like Ducktail gain access to finance editor roles on compromised Facebook business accounts, they can modify credit card information and finance details.

This would then allow the cybercriminals to add other business to the credit card and monthly invoices, and use the credit card information to pay for ads they run.

Once the malware is launched into the systems, the hackers can steal cookies from Facebook sessions, Google Chrome, Microsoft Edge, Brave, and Firefox.

With the session cookies, the hackers interact with Facebook endpoints from the victim's machine, and collect more information hackers use to impersonate victims from other systems.

The hijacked business account could then be used for advertising, fraud, spreading information, and blackmailing a company by locking them out of their accounts.

Read More: PHP Malware Steals Personal Data, Information via Facebook Accounts  

The Targeted Attacks Use New Malware Variants

In their campaign, Ducktail's operators identify organizations they can target, and choose individuals within the company to lure in on a spear-phishing attack.

The malware, which is spread through WhatsApp, steals names, verification stats, ad speeding limits, roles, ad account permissions, permitted tasks, and access status among others.

However, Bleeping Computer says that the operator's new campaign that fetches email addresses directly from command-and-control (C2) channels hosted on Telegram.

In the new campaign, the hackers are now using a new variant of malware called .Net 7 Native AOT that allows compiling the binary without a .Net runtime.

Upon the launch of this malware, it establishes a connection to the C2 to receive a list of attacker-controlled emails to proceed with the hijack.

Because of the hijacking incidents, companies in the advertising industry have reported that they have experienced direct financial damage between $100,000 and $600,000.

In relation to this, Dark Reading said that organizations should enforce applications to prevent unauthorized operations, and ensure that the company accounts are properly protected.

Several organizations also took steps to mitigate their exposure to Ducktail and other similar attack campaigns, starting with spear-phishing scam awareness.

Related Article: New Phishing Scam Exploits Twitter's Verification Issues