A Vietnam-based cybercrime operation named Ducktail is continuously evolving and expanding its operations against individuals and companies operating on Facebook’s Ads and Business platform.
Researchers from WithSecure have released a warning regarding fresh developments of the Ducktail infostealer. The most recent campaigns use innovative spear-phishing techniques on WhatsApp. Since early September the attackers have been using a new malware variant built with the .NET 7 NativeAOT feature, while keeping the same code base. In October, to avoid detection, the attackers returned to self-contained .NET Core 3 Windows binaries.
These binaries contain anti-analysis code copied from GitHub, and the new variant uses a more reliable technique for retrieving attacker-controlled email addresses from its C2 server.