BlueDuck: an(other) Infostealer Coveting Digital Marketing Agencies’ Facebook Business Accounts
Introduction
In November 2023, the Yarix Cyber Threat Intelligence team (YCTI) intercepted a set of suspicious phishing emails addressed to digital marketing agencies that impersonated several well-known fashion brands. Through the analysis of these emails, we uncovered the activities of a Vietnamese cybercriminal group distributing a malicious Python-based infostealer, tracked as BlueDuck, aimed at collecting sensitive information from infected hosts (e.g., browser-saved passwords, cookies, credit cards) and specifically designed to steal Meta business accounts.
In this blog post we will present and discuss BlueDuck as well as the modus operandi of the Vietnamese cybercriminal group linked to the tracked campaigns, providing insights on their operations and Tactics, Techniques and Procedures (TTPs).
Another Vietnamese scam group?
During the investigation, after collecting enough evidence to attribute the malicious activities to a Vietnamese threat group, we researched publicly available reports to correlate the campaign under analysis with other known activity clusters. The research identified some references to the stealer under analysis [1][2], as well as numerous instances of Vietnamese actors distributing information stealers, such as NodeStealer 2.0 [3] and Ducktail [4], that specifically target Facebook Business accounts, suggesting a broader interest among Vietnamese cybercriminals in compromising the business data of social media platforms. This trend is attributable to the Advertising-as-a-Service (AdaaS) cybercriminal model, which was well described in WithSecure's DuckTail report and can be summarized in the following key steps:
- The threat actor running the AdaaS business targets and steals Social Media Business Accounts of high-value organizations (e.g., digital marketing agencies);
- A threat actor buys the AdaaS service to host malicious advertisements on social media platforms, in order to distribute malware or phishing websites, or to perform other fraudulent activities (e.g., Win$ton [5], a Russian-speaking scam group tracked by the Yarix Cyber Threat Intelligence team).
While the BlueDuck team shares a common objective with the other Vietnamese threat actors and demonstrates some overlap in TTPs, it exhibits distinct methodologies that, to the best of our knowledge, have not been previously observed or reported in similar groups.
Kill Chain Stages
The primary goal of the threat actor is to acquire valuable Meta Business accounts for subsequent resale and distribution through their AdaaS. The analysis of the malicious campaigns suggests that the group prioritizes targeting Digital Marketing Agencies, as it is highly likely that such companies have access to Meta Business accounts.
Through monitoring of the BlueDuck group and analysis of their digital traces, we gained a comprehensive understanding of their operational methods, exposing emerging cybercriminal tactics. Notably, they harness Artificial Intelligence, specifically Large Language Model (LLM) solutions, to identify potential victims and generate believable phishing content.
Reconnaissance
We have evidence that the Vietnamese scam group leverages ChatGPT to identify victims and to impersonate legitimate fashion brands. This activity is complemented by open-source intelligence (OSINT) gathering, in which they harvest email addresses, marketing agency contact forms, and LinkedIn and freelance platform (e.g., Fiverr, Upwork) profiles to further their schemes.
Weaponization
Having identified the target brands and victims, the attackers craft a malicious .scr file disguised as a collaboration offer presentation; this file embeds both the BlueDuck infostealer and a full Python environment. The malicious file is then compressed alongside generic brand-related images into a password-protected ZIP archive. Finally, the archive is uploaded to file sharing platforms such as Google Drive, Dropbox, and OneDrive.
In preparation for the attack, the actors establish a network of fraudulent domains resembling the impersonated brands. These domains will be used in the delivery phase to launch phishing campaigns and further legitimize their deceptive emails.
In addition, leveraging LLMs, the attackers craft convincing phishing content that mimics legitimate collaboration offers from well-known fashion brands. We are also aware that, in a limited set of intercepted campaigns, the attackers are impersonating legitimate companies to accuse targeted digital marketing firms of copyright infringement.
Delivery
The threat actors engage the victims by exploiting various channels: targeting “contact us” forms on digital agency websites, via email, or via direct interaction on LinkedIn, Fiverr or Upwork.
Installation and Execution
Once the compressed archive is extracted and the victim opens the apparently harmless .scr file, it initially appears to be a benign document. In the background, however, it drops a complete Python environment along with the BlueDuck stealer, disguised as an image with a .jpeg extension, and finally executes it.
To further establish a foothold on the compromised system, the malware adds a persistence mechanism by modifying the "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" Windows registry key, allowing BlueDuck's automatic execution at system startup.
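The two facts above (a Python interpreter dropped into a user directory and started from the Run key, and a stealer renamed with an image extension) give a defender something concrete to hunt for in exported Run-key values. The following triage script is an added example written for this post; it is not BlueDuck code or a Yarix tool. It works on a constructed list of (value name, command line) pairs in the shape you get from exporting the key with reg.exe or Get-ItemProperty, and flags commands that launch a Python interpreter from a user-writable location or pass it a non-.py file. The sample paths and the "cover.jpeg" name are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values as
# (value name, command line) pairs. None of these are real telemetry.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("BlueSoft", r'"C:\Users\alice\AppData\Local\BlueSoft\python.exe" '
                 r'"C:\Users\alice\AppData\Local\BlueSoft\cover.jpeg"'),
    ("VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" --quiet'),
]

# Path components that sit inside user-writable locations; a Python interpreter there is
# unusual on a workstation and matches the "drop a full Python environment" behaviour.
USER_WRITABLE_PARTS = {"appdata", "temp", "tmp", "downloads", "public"}
INTERPRETER_RE = re.compile(r"^pythonw?(\d+(\.\d+)?)?\.exe$", re.IGNORECASE)
SCRIPT_SUFFIXES = {".py", ".pyw", ".pyc"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_command(command: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double-quoted paths."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(command)]


def triage_run_value(command: str) -> list[str]:
    """Return the reasons a Run value looks like interpreter-based persistence (empty = nothing found)."""
    tokens = split_command(command)
    if not tokens:
        return []
    reasons = []
    exe = PureWindowsPath(tokens[0])
    parts = {p.lower().rstrip("\\") for p in exe.parts}
    if INTERPRETER_RE.match(exe.name):
        reasons.append("command runs a Python interpreter at logon")
        if parts & USER_WRITABLE_PARTS:
            reasons.append("interpreter lives in a user-writable directory")
        # BlueDuck hands the interpreter a stealer renamed with an image extension.
        for arg in tokens[1:]:
            if arg.startswith("-"):
                continue
            suffix = PureWindowsPath(arg).suffix.lower()
            if suffix and suffix not in SCRIPT_SUFFIXES:
                reasons.append(f"interpreter is given a non-Python file as script ({suffix})")
                break
    if "bluesoft" in parts:
        reasons.append("path contains the BlueSoft directory observed in BlueDuck samples")
    return reasons


def triage_run_key(values: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each suspicious value name to its reasons; benign values are omitted."""
    flagged = {}
    for name, command in values:
        reasons = triage_run_value(command)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_RUN_VALUES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The directory name is the weakest signal, since it can change between versions; the interpreter-in-AppData and non-Python-script checks survive a rename and are the ones worth keeping in a scheduled hunt.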
Actions on Objectives
The objective of the compromise is the exfiltration of sensitive data from the infected host; this includes session cookies, browser-saved passwords, and credit cards. The stolen information is then sent to a private Telegram group controlled by the BlueDuck group, where they specifically search for valid Meta Business account credentials.
Technical analysis
Based on our telemetry data, we have evidence that BlueDuck’s infostealer malware has been updated at least 3 times. Originally developed in .NET, the group switched to Python around August 2023. In later versions of the malware, BlueDuck used AES encryption to obfuscate the payload, using static decryption keys to dynamically generate and execute the code. This process was likely designed to hinder static analysis and reduce the visibility of sensitive information in the source code.
Most versions of the malware weaponize .scr files to drop and execute the infostealer payload. These files rely on an artificially inflated file size to evade detection by security tools.
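Size inflation works against scanners that skip files above a size limit, so a cheap pre-filter that looks at how the bulk of a large file is made up is useful on a mail gateway or in a sandbox intake queue. The script below is an added example, not code from the post or from the malware; it assumes the extra bytes are low-entropy filler (a long run of one byte, or a tail with almost no entropy), which the post does not state, so treat the thresholds as starting points. The sample file it builds is constructed in code and is not a real dropper.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a uniform run, close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    entropy = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return entropy or 0.0  # normalises -0.0


def trailing_run_ratio(data: bytes) -> float:
    """Fraction of the file occupied by a run of one repeated byte at the very end."""
    if not data:
        return 0.0
    stripped = data.rstrip(data[-1:])
    return (len(data) - len(stripped)) / len(data)


def inflation_indicators(data: bytes, tail_bytes: int = 64 * 1024,
                         min_run_ratio: float = 0.5, max_tail_entropy: float = 1.0) -> dict:
    """Flag a file whose bulk is filler: a long uniform tail or a near-zero-entropy tail."""
    run_ratio = trailing_run_ratio(data)
    tail_entropy = shannon_entropy(data[-tail_bytes:])
    return {
        "size": len(data),
        "trailing_run_ratio": round(run_ratio, 3),
        "tail_entropy": round(tail_entropy, 3),
        "suspicious": run_ratio >= min_run_ratio or tail_entropy <= max_tail_entropy,
    }


def build_sample(payload_len: int = 16 * 1024, padding_len: int = 256 * 1024) -> bytes:
    """Constructed stand-in for a padded dropper: an MZ marker, hash-derived filler, then zeros."""
    body = bytearray(b"MZ")
    block = b"constructed-sample"
    while len(body) < payload_len:
        block = hashlib.sha256(block).digest()
        body.extend(block)
    return bytes(body[:payload_len]) + b"\x00" * padding_len


if __name__ == "__main__":
    print("padded sample:", inflation_indicators(build_sample()))
    print("unpadded sample:", inflation_indicators(build_sample(padding_len=0)))
```

A file that trips this check is not malicious by itself (some legitimate installers carry large zero regions), so the sensible response is to route it to full scanning regardless of size rather than to block on it.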
Although the .NET version of the malware wasn’t too similar to other Vietnamese infostealers analyzed by other researchers, we cannot exclude that BlueDuck could be a spinoff or an evolution of a previously tracked Vietnamese group.
During dynamic analysis, we found that the malware creates a temporary directory named "BlueSoft" under AppData\Local. This naming convention aligns with the group's tactics, likely chosen to blend in with legitimate software directories while conducting malicious operations. The name "BlueDuck" comes from the name of this folder (and from one of the colors of the Python logo) combined with the word "duck", a common suffix in the names of other Vietnamese groups with similar TTPs.
The malware targets user data stored within the following web browsers: Firefox, Chrome, Brave, Edge, Chromium, Opera, and CocCoc. It is worth noting that CocCoc is a Vietnamese browser not commonly used in the West (we definitely did not know of its existence), which suggests that the threat group may be from Vietnam. This hypothesis is supported by the comments in the Python source code, mainly written in Vietnamese, and by a feature that specifically disables persistence and infection on hosts geolocated in Vietnam.
After successfully retrieving the browser data, the malware compresses the stolen credentials and cookie data into a zip file and then sends it to a Telegram channel using a Telegram bot. Our analysis allowed us to identify two Telegram bots named "cham_bat_6" and "cham_bat_4". The naming convention suggests the presence of at least four other bots, likely used in other campaigns or by different teams of the same group.
After extracting the browser data, the malware focuses on Meta Ads Manager credentials. These credentials are further enriched by querying the Facebook Graph API to obtain the available Business Manager (BM) accounts, balance and budget for advertisement campaigns. This information is then categorized as "TKQC" (i.e., Tài Khoản Quảng Cáo, translation: Advertising Account) within the code and is saved separately in a .txt file before transmission to the Telegram channels.
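Because the exfiltration channel is the Telegram Bot API, an egress proxy that records URLs gives a simple detection point: a workstation posting to api.telegram.org under a path of the form /bot<id>:<token>/sendDocument is uploading a file through a bot, which is rarely legitimate on a corporate endpoint. The detection below is an added example, not code from the post; the proxy log format and the bot token are constructed placeholders. The Bot API method names (sendDocument, sendMessage and the other send* methods) are the real ones, and the script deliberately keeps only the numeric bot id so the secret half of the token never lands in an alert.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
# The bot token is a placeholder shaped like a real one (numeric id, colon, secret).
SAMPLE_PROXY_LOG = """\
2024-03-04T09:12:41Z 10.1.2.34 GET https://www.example.com/ 200
2024-03-04T09:13:02Z 10.1.2.34 POST https://api.telegram.org/bot1234567890:PLACEHOLDER-SECRET/sendDocument 200
2024-03-04T09:13:05Z 10.1.2.34 POST https://api.telegram.org/bot1234567890:PLACEHOLDER-SECRET/sendMessage 200
2024-03-04T09:15:10Z 10.1.2.57 GET https://web.telegram.org/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# Bot API paths look like /bot<numeric id>:<secret>/<method>; the secret is never stored.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[^/]+)/(?P<api_method>[A-Za-z]+)$")
# Methods that carry a file upload; sendMessage only carries text.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMediaGroup"}


def detect_bot_api_uploads(log_text: str) -> list[dict]:
    """Return one finding per Telegram Bot API call, with the token secret redacted."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["url"])
        if url.hostname != "api.telegram.org":
            continue
        path = BOT_PATH_RE.match(url.path)
        if not path:
            continue
        findings.append({
            "timestamp": m["ts"],
            "client": m["client"],
            "bot_id": path["bot_id"],            # safe to share with Telegram abuse contacts
            "api_method": path["api_method"],
            "file_upload": path["api_method"] in UPLOAD_METHODS,
        })
    return findings


def clients_uploading(findings: list[dict]) -> set[str]:
    """Hosts that pushed a file through a bot: the ones to isolate and image first."""
    return {f["client"] for f in findings if f["file_upload"]}


if __name__ == "__main__":
    found = detect_bot_api_uploads(SAMPLE_PROXY_LOG)
    for f in found:
        print(f)
    print("hosts uploading via bot:", clients_uploading(found))
```

Without TLS inspection the proxy sees only the SNI host, so the path-level check is not available; in that case alert on any endpoint that connects to api.telegram.org at all, since the Bot API host is distinct from the hosts the desktop and web clients use.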
The information stored in the TKQC.txt file is structured as follows:
- Information regarding the Business Manager accounts:
ID: {account_id} | NAME: {account_name} | ROLE: {list_of_permitted_roles[]} STATUS: {account_verification_status} IS_PROTECTED: {is_protected}
- Information regarding the managed Ads:
ID: {ad_id} | Tên: {ad_name} | Ngưỡng: {ad_billing_threshold_cycle} | LIMIT: {ad_daily_limit} | Chi Tiêu: {amount_spent} | Status: {ad_status} | Tiền tệ: {ad_currency} | PTTT: {payment_methods}
Victimology
During our investigation, we managed to reconstruct a timeline that shows the duration of the various campaigns carried out by the group. Notably, the brands impersonated by the group predominantly operate within the fashion industry, with the majority being situated in Europe.
The following graph shows the evolution of the campaigns, spanning from June 2023 to March 2024:
We have evidence that the group is subdivided into more than one team, and we have evidence of other brands being impersonated, but we cannot definitively provide a timeline for these other brands. Below is a list of the additional brands that have likely been targeted, with an approximate timeline:
- Cole Haan – 24/10/2023 to 09/11/2023
- Sergio Rossi – 09/11/2023 to 25/11/2023
- Coccinelle – 04/12/2023 to 11/01/2024
- Stuart Weitzman – 20/02/2024 to 08/03/2024
Our telemetry indicates that the BlueDuck team has successfully compromised at least 700 hosts. Visibility into ongoing campaigns revealed that approximately half of these contained valid Facebook Business session cookies; this translates to the compromise of over 1500 Business Manager accounts managing a total of more than 2800 active advertising campaigns. Notably, a majority of these compromised accounts have pre-saved payment methods.
The following graphs show the victim distribution among the campaigns for which we have data, and the timeline of the infections:
Conclusions
Nowadays, the advertising ecosystem that revolves around social media platforms is a key asset for all companies that want to increase public engagement and grow their market; platforms such as Facebook and Instagram are ideal places to sponsor products and thus reach a target audience.
The same tactic of promoting content on social media is leveraged by cybercriminals who want to profit by inducing people to submit credit card details or sensitive information on phishing websites, as well as by distributing malware. However, the threat actors need legitimate business accounts to reach the largest possible number of people and to further legitimize the malicious ads; this need has led to the Advertisement-as-a-Service (AdaaS) business.
BlueDuck is just one of the many malware families distributed by threat actors who manage AdaaS businesses, which are apparently of great interest to Vietnamese scammers, whose goal is to compromise and resell Meta Business accounts.
Digital marketing agencies, and all industries involved, must understand the risk posed by this threat and secure their social accounts, as well as implement reliable security solutions and increase general cybersecurity awareness, to minimize the risk of infection by interrupting the kill chain at its early stages (e.g., by not executing files distributed via password-protected archives).
MITRE ATT&CK
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses |
| | T1589.003 | Gather Victim Identity Information: Employee Names |
| | T1593.001 | Search Open Websites/Domains: Social Media |
| | T1594 | Search Victim-Owned Websites |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains |
| | T1587.001 | Develop Capabilities: Malware |
| | T1608.001 | Stage Capabilities: Upload Malware |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| | T1566.002 | Phishing: Spearphishing Link |
| | T1566.003 | Phishing: Spearphishing via Service |
| Execution | T1059.006 | Command and Scripting Interpreter: Python |
| | T1204.002 | User Execution: Malicious File |
| | T1204.001 | User Execution: Malicious Link |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defense Evasion | T1036.008 | Masquerading: Masquerade File Type |
| | T1027.009 | Obfuscated Files or Information: Embedded Payloads |
| | T1027.002 | Obfuscated Files or Information: Software Packing |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers |
| | T1539 | Steal Web Session Cookie |
| Discovery | T1033 | System Owner/User Discovery |
| Collection | T1113 | Screen Capture |
| Exfiltration | T1020 | Automated Exfiltration |
| | T1567 | Exfiltration Over Web Service |
IOC
Files:
| SHA-256 | Description |
| --- | --- |
| 9881cb799e75c511f140f45881e83c3e3b420e35d93a18aff5b4f179a4d9c283 | Malicious .scr document acting as dropper |
| 844bf98e02d36e9f2555cffc365a800a4410e3e63b72546602b4b32835fce1e3 | Malicious .scr document acting as dropper |
| 3b992218941877fed2cc11b7c588f4f9a39b3b17eaeeae3320a70b995e24be3f | Malicious .scr document acting as dropper |
| d512fd3f987d174c89f644479cf618bf232083bcdf93ae930cbbecb92fa0ff6e | Malicious .scr document acting as dropper, .NET version |
| 9e23c082fde2e3e01c57f2c22427aa72c2dcd7721870122aa410eb0ef20df4e1 | BlueDuck stealer |
| c0f6900e6c23cd97133fa7840bf550e37fb6d33af149f8570acf871b57009c3c | BlueDuck stealer |
| 7cf3dd075139c698a76db041df607332f547d47c17c2459b610890015c173ca5 | BlueDuck stealer |
| a39906f0eb186cc34884cb77301fc9af16e16ac31fad6b707c10ac1a39c718b5 | BlueDuck encoded stealer |
| b7f087fdbde690db1e346bd6f37707396ca25ca3572030fe2bbe7cf215ca7c11 | BlueDuck encoded stealer |
Domains:
- aloyogafashion[.]com
- aloyogaclothings[.]com
- aloyogaglobal[.]com
- ikksfrance[.]com
- ikksglobal[.]com
- ikksllc[.]com
- ikksfr[.]com
- ikksinc[.]com
- ballyllc[.]com
- ballych[.]com
- pinkoitaly[.]com
- pinko-bag[.]com
- pinkohandbags[.]com
- pinkobag[.]net
- it-pinko[.]com
- pinkoglobal[.]com
- it-pinkobag[.]com
- carreraworlds[.]com
- us-carreraworld[.]com
- carreraglasses[.]com
- furla-it[.]com
- it-furla[.]com
- tamarisshoe[.]com
- mansugavriel[.]com
- mansurgavrielglobal[.]com
- mansurgavriels[.]com
Phone numbers:
- +1 8679 880692
- +44 7701 412889
- +44 7401 169246
- +1 236 3011347
- +44 7380 319122
- +44 7588 681331
- +1 4242 436660
- +1 2135 369121
References
[1] https://isc.sans.edu/diary/Facebook+AdsManager+Targeted+by+a+Python+Infostealer/30590/
[2] https://www.linkedin.com/posts/ranlocar_introducing-phosteal-a-new-vietnamese-stealer-activity-7122212928040148992-l-SH
[3] https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/
[4] https://www.withsecure.com/en/expertise/research-and-innovation/research/ducktail-an-infostealer-malware
[5] https://labs.yarix.com/2023/06/winton-a-russian-speaking-scam-group-targeting-middle-eastern-customers/
Authors
Giovanni Barbieri is a member of the Yarix Cyber Threat Intelligence Team. He has a master's degree in computer engineering and, in addition to research and threat intelligence activities, he enjoys making some noise with his electric guitar and travelling.
Marco Dello Iacovo is a member of the Yarix Cyber Threat Intelligence Team. He has a bachelor's degree in computer science, a cool cat and a bunch of climbing equipment that rarely gets used. He sometimes enjoys being really bad at CTFs. Also known as Chef.