Ducktail Malware Returns With New PHP Variant

An advanced PHP variant of the Ducktail malware poses a risk to Facebook users.

On October 13th, 2022, ZScaler, a cloud security firm, published a blog post detailing this latest discovery. The new PHP version is being distributed by “pretending to be a free/cracked program installer.” It also targets numerous platforms, such as Telegram and Microsoft Office applications.

This revised version of the malware uses a PHP script instead of the previously used .Net binary to execute the malware. When the app is installed, the victim is told it is “checking application compatibility.” In reality, two .tmp files are generated, which then launch two processes to steal data.

The original version of the Ducktail malware was discovered in late 2021. A Vietnamese operator used it to hack into Facebook Business and Ads Manager accounts.

The original strain of Ducktail, as reported by ZScaler, has the ability to steal sensitive financial information and manipulate website content. These cyberattacks were exceptionally well-planned and managed to evade Facebook’s security measures. The attacks targeted high-ranking employees with advanced permissions in a company.

Additionally, the Ducktail malware can attempt to access two-factor authentication codes to bypass extra account security. Ducktail also targets various data, such as client information, email addresses, and payment card information.

Similarly, the PHP variant of Ducktail malware is intent on stealing sensitive data that can be exploited for financial gain. In addition to payment information, this variant of PHP Ducktail malware also targets email addresses, payment records, funding sources, account statuses, and funding records.

Ducktail’s PHP variant and original Ducktail share many similarities, making them a significant threat to Facebook accounts. To enhance the effectiveness of Ducktail’s attacks, Ducktail’s developers are likely to continue developing future versions of their original code. Therefore, users should be vigilant in protecting their account information and be aware of the dangers of this malware.

Akamai Finds 13 Million Malicious Domains Each Month

According to a new Akamai analysis, the company’s experts classified about 79 million domains as malicious in the first half of 2022. Based on its NOD (newly observed domain) dataset, that is about 13 million malicious domains per month, or 20.1% of all successfully resolved NODs.

According to Akamai, a NOD is any domain queried for the first time in the last 60 days. By “malicious,” Akamai means a domain name that leads to a site meant to phish, spread malware, or cause some other kind of harm online.

Akamai said, “[The NOD dataset] is where you find freshly registered domain names, typos, and domains that are only very rarely queried on a global scale.” The company observes about 12 million new NODs daily, of which slightly more than 2 million are successfully resolved.

The organization uses relatively simple procedures to determine whether a domain is harmful or not. With the assistance of the larger cybersecurity community, Akamai compiled a 30-year predictive list of known domain generation algorithms (DGAs) that may be used to detect domains registered with DGAs.

Since DGA domains can be created in bulk even for short-lived campaigns, attackers frequently use them to distribute malware and host phishing pages. Think of DGA domains as rendezvous points on the internet that malware and other malicious tooling can use to reach their operators.

According to the company, most of Akamai’s malicious domain detections come from the “more than 190 NOD-specific detection criteria” it employs for NOD-based detection. Akamai also said that among the 79 million malicious NODs it discovered in the first half of the year, the false-positive rate was only 0.00042 percent.
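The two ideas in the paragraphs above, the 60-day NOD window and DGA-style domain detection, are easy to miss without seeing them applied to a query stream. The following is an added example written for this digest, not Akamai’s pipeline or any of its 190 detection criteria: the query log is constructed, and the `looks_dga` heuristic (label length, Shannon entropy, vowel ratio) is an assumed stand-in for the known-DGA list the article mentions. It replays the log in date order, keeps only domains inside the NOD window, counts only those that resolved (the population Akamai’s 20.1% figure is measured over), and flags the random-looking ones.

```python
"""Toy NOD (newly observed domain) triage in the spirit of the Akamai write-up.

Constructed example: the query log, the 60-day window and the DGA heuristic
are assumptions for illustration, not Akamai's pipeline or detection criteria.
"""
import math
from collections import Counter
from datetime import date, timedelta

NOD_WINDOW = timedelta(days=60)  # Akamai: a NOD is a domain first queried in the last 60 days

# Constructed query log: (query_date, domain, resolved_successfully). Not real telemetry.
SAMPLE_QUERIES = [
    (date(2022, 3, 1), "example.com", True),            # first seen: a NOD on that day
    (date(2022, 7, 1), "example.com", True),            # 122 days later: no longer a NOD
    (date(2022, 6, 28), "xk3j9q2lz8wv4p.net", True),    # NOD with a random-looking label
    (date(2022, 7, 1), "newsletter-signup.org", True),  # NOD with a dictionary-like label
    (date(2022, 7, 1), "bqwzxlmntrvkp.com", False),     # NOD, DGA-like, but never resolved
]


class NodTracker:
    """Remembers the first time each domain was queried and applies the window."""

    def __init__(self, window=NOD_WINDOW):
        self.first_seen = {}
        self.window = window

    def observe(self, domain, when):
        """Record the query and return True if `domain` is a NOD as of `when`."""
        first = self.first_seen.setdefault(domain, when)
        return when - first <= self.window


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(domain, entropy_threshold=3.5, min_len=12, min_vowel_ratio=0.2):
    """Assumed heuristic: long labels with high entropy or almost no vowels.

    A real deployment would match against known DGA families, as the article
    describes; this stand-in needs nothing but the string itself.
    """
    label = domain.lower().split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold or vowel_ratio < min_vowel_ratio


def triage(queries):
    """Replay the log in date order and classify each query."""
    tracker = NodTracker()
    nods, resolved_nods, flagged = [], [], []
    for when, domain, resolved in sorted(queries):
        if not tracker.observe(domain, when):
            continue  # seen long ago: outside the NOD dataset
        nods.append(domain)
        if not resolved:
            continue  # the 20.1% figure is over successfully resolved NODs only
        resolved_nods.append(domain)
        if looks_dga(domain):
            flagged.append(domain)
    return {"nods": nods, "resolved_nods": resolved_nods, "flagged": flagged}


if __name__ == "__main__":
    for key, domains in triage(SAMPLE_QUERIES).items():
        print(f"{key}: {domains}")
```

Running it flags only `xk3j9q2lz8wv4p.net`: `example.com` drops out of the NOD set on its second appearance, `bqwzxlmntrvkp.com` is DGA-like but never resolved, and `newsletter-signup.org` is new but reads like language. The thresholds are deliberately crude; the point is the shape of the pipeline (window, resolution filter, then classifier), not the specific numbers.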

There are alternatives to Akamai’s NOD detection, such as Cisco’s “newly seen domain” detection system, which scans DNS data and alerts users to potentially dangerous websites.

Although it’s unclear how those services stack up against Akamai’s, their end objectives seem to be comparable and indicate that NODs are a well-known security issue that other businesses are seeking to address.

Updated Malware Attacks Point of Sale Devices

This year, security experts have found three updated versions of Prilex malware that target point-of-sale systems.

Prilex first appeared in 2014 as malware targeting ATMs. It switched to PoS (point of sale) devices in 2016, but it wasn’t until 2020 that the malware reached its peak. After that, it faded away in 2021.

Analysts at Kaspersky say that Prilex is back, and that this time a more advanced and dangerous version of the malware has resurfaced. The latest version can create EMV (Europay, MasterCard, and Visa) cryptograms, which VISA introduced as a transaction validation system to help find and stop payment fraud.

The Kaspersky report explains that this lets threat actors use EMV cryptograms to perform “GHOST transactions” with credit cards protected by chip-and-PIN technology.

The infection starts with a spear-phishing email, purportedly from a technician at a PoS vendor, saying that the company needs to update its PoS software. Next, the fake technician goes to the target’s location and installs a malicious upgrade on the PoS terminals. Alternatively, the attackers may tell the victim to install the AnyDesk remote access tool on their computer and then use it to replace the PoS firmware with a tampered version.

After the machine is infected, the operators will check to see if the target does enough financial transactions to be worth their time.

The new version of Prilex has a backdoor for communication. The backdoor can do many different things, like open files, run commands, end processes, change the registry, and record the screen. Once the information is encrypted and saved locally on the infected computer, the malware sends periodic requests to the control server.

Kaspersky concluded that the Prilex group knows a lot about how credit and debit card transactions work and how software used for payment processing works. This knowledge allows attackers to keep updating their tools until they find a way to get around the authorization policies and carry out their attacks.

Modern Security Solutions For Evolving Ransomware Attacks

Based on a recent survey conducted by the folks at Titaniam, a solid majority of organizations have robust security tools in place. Yet nearly 40 percent of them have fallen victim to a ransomware attack in the past year.

How can this be? With conventional tools in place, how can this still be happening?

The answer to that question is complex. Ransomware attacks ultimately have three distinct phases. Each phase must be protected against, and in each case the type of protection needed varies. Let’s start by taking a closer look at the anatomy of a typical ransomware attack. They always begin the same way: infiltration.

To do anything to your company’s network, the hackers first must gain access to your network. Thus, your first line of defense is to keep that from happening.

The good news is that most companies have robust tools that are specifically designed to block unauthorized intruders. The bad news is that hackers can get around those tools entirely by stealing an employee’s login credentials. That is how many of these attacks occur. Once inside, the hackers proceed with data exfiltration: the wholesale copying of sensitive data and uploading it to a command-and-control server operated by the hackers.

From the perspective of the hackers, this is where the payday is. They know all too well that companies will pay handsomely to keep proprietary data from being leaked to the broader public, and hackers are only too happy to take full advantage of that fact.

This is where many companies are weak. To protect against data exfiltration, companies need to invest in three different types of encryption: encryption at rest, encryption in transit, and encryption in use. Most companies invest in one. A solid minority invest in two, but very few invest in all three. That creates a window of opportunity for the attacker.

Finally, the third stage is wholesale file locking. This is exactly what it sounds like: all the files that the malicious code can reach will be locked and encrypted. If you want them back, you must pay, assuming you don’t have a recent backup, of course. Even if you do have a backup, you’ll pay in the form of downtime while you restore those files.

Understanding exactly how a ransomware attack is put together and how it functions is key to designing a security routine that will defeat it, preventing the attackers from ever gaining a foothold on your network.

DuckDuckGo Email Privacy Service Beta Released

DuckDuckGo has a reputation for protecting the privacy of its users far more than most other companies. Last year, the tiny search engine announced that it was experimenting with a free service designed to dodge email trackers as a means of further protecting the privacy of its users.

The company’s Email Protection service works by stripping email trackers from messages.

Initially, DuckDuckGo’s Email Protection service was available via a waitlist only. You had to sign up, and if and when a spot opened for you, you could test it out. During this waitlist testing period, the company reports that it found trackers in some 85 percent of incoming messages.

Now, DuckDuckGo’s Email Protection service has moved to Open Beta, so literally anyone can get a @duck.com email address. Per the company, you can create as many private email addresses as you like and they will be accessible from your desktop, iOS or Android devices.

Not only does the service promise to strip out unwanted email trackers, but it will also give you a report detailing exactly what trackers it found in your messages. It includes a new Link Tracking feature that helps prevent tracking across email links.

If that wasn’t enough, the service also includes Smart Encryption, which upgrades unencrypted HTTP links in emails to their secure HTTPS counterparts whenever possible. You can reply to messages with a @duck.com email address in lieu of whatever address you normally use.
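The three behaviours described above (stripping trackers, reporting what was found, and upgrading HTTP links to HTTPS) can be shown in a single pass over an HTML email. The code below is an added example written for this digest, not DuckDuckGo’s implementation: the sample email, the `TRACKER_HOSTS` blocklist and the `HTTPS_CAPABLE_HOSTS` allowlist (standing in for “whenever possible”) are all constructed assumptions. It removes tracking pixels identified by host, 1×1 dimensions or hidden styling, rewrites eligible `http://` hrefs to `https://`, and returns both the cleaned message and a report of what it changed.

```python
"""Minimal email tracker stripper and HTTP-to-HTTPS link upgrader.

Added illustration, not DuckDuckGo's code. The host lists and the sample
message are constructed for the example; the .test TLD is reserved for that.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Assumed blocklist of tracking-pixel hosts (constructed, not a real list).
TRACKER_HOSTS = {"track.example-mailer.test", "pixel.example-analytics.test"}
# Assumed set of hosts known to serve HTTPS, so upgrades only happen where they can work.
HTTPS_CAPABLE_HOSTS = {"www.example-shop.test", "example-news.test"}
TINY_SIZES = {"0", "1", "0px", "1px"}


def upgrade_to_https(url, https_capable=HTTPS_CAPABLE_HOSTS):
    """Rewrite http:// to https:// when the host is known to support it; otherwise leave it."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or parts.hostname not in https_capable:
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def is_tracking_pixel(attrs):
    """True for <img> tags that look like open-tracking beacons."""
    a = {name: (value or "") for name, value in attrs}
    host = urlsplit(a.get("src", "")).hostname or ""
    if host in TRACKER_HOSTS:
        return True
    if a.get("width") in TINY_SIZES and a.get("height") in TINY_SIZES:
        return True
    style = a.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class EmailSanitizer(HTMLParser):
    """Re-emits the document verbatim, except for dropped pixels and rewritten <a href>."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. as written
        self.out, self.removed, self.upgraded = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and is_tracking_pixel(attrs):
            self.removed.append(dict(attrs).get("src") or "")
            return  # drop the beacon entirely
        if tag == "a":
            self._emit_anchor(attrs)
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img .../> gets the same treatment

    def _emit_anchor(self, attrs):
        parts = []
        for name, value in attrs:
            if name == "href" and value:
                new = upgrade_to_https(value)
                if new != value:
                    self.upgraded.append((value, new))
                value = new
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<a " + " ".join(parts) + ">" if parts else "<a>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def sanitize_email(html_body):
    """Return (cleaned_html, report) for one HTML message body."""
    parser = EmailSanitizer()
    parser.feed(html_body)
    parser.close()
    report = {"trackers_removed": parser.removed, "links_upgraded": parser.upgraded}
    return "".join(parser.out), report


# Constructed sample message containing two beacons and one upgradable link.
SAMPLE_EMAIL = (
    "<html><body><p>Thanks for signing up &amp; welcome!</p>"
    '<img src="https://pixel.example-analytics.test/open.gif?id=123" width="1" height="1" alt="">'
    '<img src="https://cdn.example-shop.test/logo.png" width="120" height="40" alt="logo">'
    '<a href="http://www.example-shop.test/deals">Deals</a> '
    '<a href="http://legacy.example-shop.test/unsubscribe">Unsubscribe</a>'
    '<img src="https://track.example-mailer.test/beacon" style="display:none">'
    "</body></html>"
)

if __name__ == "__main__":
    cleaned, report = sanitize_email(SAMPLE_EMAIL)
    print(cleaned)
    print(report)
```

On the sample message both beacons are removed, the logo image survives, the `Deals` link is upgraded because its host is on the HTTPS-capable list, and the `Unsubscribe` link is left on HTTP because its host is not. The parser passes entity references through unchanged so the output stays valid HTML; a production filter would also need to handle CSS background images and tracked link redirectors, which this example does not attempt.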

To make use of the service, you’ll need to install the DuckDuckGo Privacy Browser for iOS or Android. Once installed, simply go to the Email Protection section of the Settings menu to try it out.

If you’re planning to use it on your desktop PC, you’ll need the DuckDuckGo Privacy Essentials extension for your browser. It is available for Chrome, Edge, Brave, Firefox, or the DuckDuckGo Mac browser. Once you’ve got the extension installed, just pay a visit to the email section of the company’s website.