|
WithSecure recently unveiled a malicious campaign dubbed “Ducktail,” which trailed its sights on Facebook business owners and advertisers. Believed to be run by Vietnamese operators, Ducktail uses malware to steal data from victims and hijack vulnerable Facebook business properties.
The WithSecure report enumerated 1,885 indicators of compromise (IoCs). We used 1,747 of these (i.e., 1,739 email addresses and eight domains) as jump-off points for our IoC expansion exercise. Our deep dive aided by extensive WHOIS, IP, and DNS intelligence led to the following discoveries:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our investigation by observing the IoCs WithSecure identified.
We subjected the domains identified as IoCs to a bulk WHOIS lookup, which showed that only two of them had retrievable current WHOIS records—ductai[.]xyz and ductai90[.]com. Apart from the use of the string “ductai,” though, they didn’t share any other similarities, as evidenced by the following:
Next, we conducted DNS lookups for the domains and found that only one—ductai[.]xyz—resolved to a shared IP address, specifically 58[.]158[.]177[.]102. As with its WHOIS record, an IP geolocation lookup for this host showed Japan as its origin. A malware check revealed the host is malicious.
Finally, we subjected the email addresses identified as IoCs to a bulk email verification lookup and found that only 25% were valid. The remaining 75% all failed the Simple Mail Transfer Protocol (SMTP) check, which meant they can’t send or receive messages.
We sought to find potentially connected artifacts and began by obtaining a list of IP-connected domains via DNS lookups. At least 300 domains shared the malicious IP address 58[.]158[.]177[.]102 as host. The high number of domains indicates the IP address is probably a shared host. However, a bulk malware check for these web properties showed that 27 were malicious.
Earlier, we noted the appearance of the text string “ducktai” in two of the IoCs. We used the string as a Domains & Subdomains Discovery search term to identify other potential threat vectors. That led to the discovery of 170 other domains. None of them are currently being detected by malware engines but we did notice similarities between the 66 with retrievable WHOIS records and the IoCs, including:
Screenshot lookups for the “ducktai”-containing domains also yielded interesting results, including:
The domains pointed to sites with common themes, including:
Tailoring services, clothing, and accessories
Simulated content
Construction
Cars and accessories
Food, bars, restaurants, and events
Note that none of the domains above are malicious, but given that they shared the threat’s name, should any of them turn out to be vulnerable to exploitation, the threat actors may be tempted to use them for malicious campaigns. The diagram shows how many of the additional domains hosted content that fell under the various themes we identified above and other ones.
Our IoC expansion exercise allowed us to identify a malicious IP address and 27 malware-laden domains. We also identified nearly 500 additional artifacts.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byRadix