Home / Industry

Own a Facebook Business? Beware of Ducktail

WithSecure recently unveiled a malicious campaign dubbed “Ducktail,” which trailed its sights on Facebook business owners and advertisers. Believed to be run by Vietnamese operators, Ducktail uses malware to steal data from victims and hijack vulnerable Facebook business properties.

The WithSecure report enumerated 1,885 indicators of compromise (IoCs). We used 1,747 of these (i.e., 1,739 email addresses and eight domains) as jump-off points for our IoC expansion exercise. Our deep dive aided by extensive WHOIS, IP, and DNS intelligence led to the following discoveries:

  • Only 429 of the email addresses identified as IoCs were valid.
  • Only one of the IoCs currently resolved to an IP address—ductai[.]xyz pointed to 58[.]158[.]177[.]102.
  • At least 300 other domains shared ductai[.]xyz’s IP host, 27 of which were malicious.
  • A total of 170 domains contained the string “ductai,” akin to two of the identified IoCs.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

At First Glance

We began our investigation by observing the IoCs WithSecure identified.

We subjected the domains identified as IoCs to a bulk WHOIS lookup, which showed that only two of them had retrievable current WHOIS records—ductai[.]xyz and ductai90[.]com. Apart from the use of the string “ductai,” though, they didn’t share any other similarities, as evidenced by the following:

  • Ductai[.]xyz’s registrar is GoDaddy, LLC, while ductai90[.]com’s was GMO Internet, Inc.
  • Ductai[.]xyz was created way back on 14 May 2020, while ductai90[.]com was created on 24 November 2022.
  • Only ductai90[.]com used a privacy protection service, specifically provided by Value-Domain. Ductai[.]xyz left its registrant email address field blank.
  • Finally, ductai[.]xyz named the U.S. as its registrant country, while ductai90[.]com indicated Japan.

Next, we conducted DNS lookups for the domains and found that only one—ductai[.]xyz—resolved to a shared IP address, specifically 58[.]158[.]177[.]102. As with its WHOIS record, an IP geolocation lookup for this host showed Japan as its origin. A malware check revealed the host is malicious.

Finally, we subjected the email addresses identified as IoCs to a bulk email verification lookup and found that only 25% were valid. The remaining 75% all failed the Simple Mail Transfer Protocol (SMTP) check, which meant they can’t send or receive messages.

The Deep Dive

We sought to find potentially connected artifacts and began by obtaining a list of IP-connected domains via DNS lookups. At least 300 domains shared the malicious IP address 58[.]158[.]177[.]102 as host. The high number of domains indicates the IP address is probably a shared host. However, a bulk malware check for these web properties showed that 27 were malicious.

Earlier, we noted the appearance of the text string “ducktai” in two of the IoCs. We used the string as a Domains & Subdomains Discovery search term to identify other potential threat vectors. That led to the discovery of 170 other domains. None of them are currently being detected by malware engines but we did notice similarities between the 66 with retrievable WHOIS records and the IoCs, including:

  • A total of 24 additional domains (21 for GoDaddy and three for GMO Internet) shared the IoCs’ registrars.
  • One additional domain shared ductai[.]xyz’s creation month (May 2020).
  • Some 34 additional domains (28 for the U.S. and six for Japan) shared the IoCs’ registrant countries.

Screenshot lookups for the “ducktai”-containing domains also yielded interesting results, including:

  • Ducktails-watusi[.]com looks like a Facebook business page, akin to Ducktail’s targets.
  • The domains pointed to sites with common themes, including:

    Tailoring services, clothing, and accessories

    Simulated content

    Construction

    Cars and accessories

    Food, bars, restaurants, and events

Note that none of the domains above are malicious, but given that they shared the threat’s name, should any of them turn out to be vulnerable to exploitation, the threat actors may be tempted to use them for malicious campaigns. The diagram shows how many of the additional domains hosted content that fell under the various themes we identified above and other ones.


Our IoC expansion exercise allowed us to identify a malicious IP address and 27 malware-laden domains. We also identified nearly 500 additional artifacts.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Commenting is not available in this channel entry.

Related

Topics

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API