Cybersecurity researchers have discovered a new version of malware from the “Ducktail” family to steal Facebook Business accounts, a new report has shown.

According to the cybersecurity company Kaspersky, cybercriminals are using malicious browser extensions to target company employees who either hold fairly senior positions or work in HR, digital marketing, or social media marketing.

“Their ultimate goal is to hijack Facebook Business accounts, so it makes sense that the attackers are interested in folks most likely to have access to them,” the researchers said.

Ducktail is a specifically designed information stealer with serious consequences such as privacy violations, financial losses, and identity theft.

To hack users’ FB accounts, cybercriminals behind Ducktail send out malicious archives to their potential victims that contain bait in the form of theme-based images and video files on a common topic.

Inside these archives also include executable files, which contain PDF icons and very long file names to divert the victim’s attention from the exe extension.

Buy Me A Coffee

Additionally, the names of the fake files appeared to be carefully chosen for relevance so as to persuade the recipients to click on them.

In the fashion-themed campaign, the names referred to “guidelines and requirements for candidates”, but other bait like, say, price lists or commercial offers, can be used as well, the report noted.

After first opening the exe file in the hopes that the victim will not notice anything unusual, it displays the contents of a PDF file that the malicious code has embedded in it.

Understanding Spear Phishing: The Personalized Cyber Threat

Notably, the malware simultaneously scans all desktop shortcuts, the Start menu, and the Quick Launch toolbar.

According to the report, the malware searches for shortcuts to Chromium-based browsers, such as Google Chrome, Microsoft Edge, Vivaldi, and Brave.

“Having found one, the malware alters its command line by adding an instruction to install a browser extension, which is also embedded in the executable file,” said the researchers.

“Five minutes later, the malicious script terminates the browser process, prompting the user to restart it using one of the modified shortcuts,” they added.