BlueDuck: an(other) Infostealer Coveting Digital Marketing Agencies’ Facebook Business Accounts

Introduction

In November 2023, the Yarix Cyber Threat Intelligence team (YCTI) intercepted a set of suspicious phishing emails addressed to digital marketing agencies, impersonating several well-known fashion brands. Analysis of these emails uncovered the activities of a Vietnamese cybercriminal group distributing a Python-based infostealer, tracked as BlueDuck, built to collect sensitive information from infected hosts (e.g., browser-saved passwords, cookies, credit card data) and specifically designed to steal Meta business accounts.

In this blog post we present and discuss BlueDuck as well as the modus operandi of the Vietnamese cybercriminal group behind the tracked campaigns, providing insights into their operations and Tactics, Techniques and Procedures (TTPs).

Another Vietnamese scam group?

During the investigation, after collecting enough evidence to attribute the malicious activities to a Vietnamese threat group, we researched publicly available reports to correlate the campaign under analysis with other known activity clusters. The research identified some references to the stealer under analysis [1][2] as well as numerous instances of Vietnamese actors distributing information stealers such as NodeStealer 2.0 [3] and Ducktail [4] that specifically target Facebook Business accounts, suggesting a broad interest within Vietnamese cybercrime in compromising business data on social media platforms. This trend is attributable to the Advertising-as-a-Service (AdaaS) cybercriminal model, which was well described in WithSecure’s DuckTail report and can be summarized in the following key steps:

  • The threat actor running the AdaaS business targets and steals social media business accounts of high-value organizations (e.g., digital marketing agencies);
  • Another threat actor buys the AdaaS service to host malicious advertisements on social media platforms and uses them to distribute malware, promote phishing websites or perform other fraudulent activities (e.g., Win$ton [5], a Russian-speaking scam group tracked by the Yarix Cyber Threat Intelligence team).

Figure 1: Advertising As A Service business model

While the BlueDuck team shares a common objective with the other Vietnamese threat actors and shows some overlap in TTPs, it exhibits distinct methodologies that, to the best of our knowledge, have not been previously observed or reported in similar groups.

Kill Chain Stages

The primary goal of the threat actor is to acquire valuable Meta Business accounts for subsequent resale and distribution through their AdaaS. The analysis of the malicious campaigns suggests that the group prioritizes targeting Digital Marketing Agencies, as it is highly likely that such companies have access to Meta Business accounts.

Through monitoring of the BlueDuck group and analysis of their digital traces, we gained a comprehensive understanding of their operational methods, which expose emerging cybercriminal tactics. Notably, they harness Artificial Intelligence, specifically Large Language Model (LLM) solutions, to identify potential victims and generate believable phishing content.

Reconnaissance

We have evidence that the Vietnamese scam group leverages ChatGPT to identify victims and to impersonate legitimate fashion brands. This activity is complemented by open-source intelligence (OSINT) gathering, where they harvest email addresses, marketing agency contact forms, and profiles on LinkedIn and other freelance platforms (e.g., Fiverr, Upwork) to further their schemes.

Weaponization

Having identified the target brands and victims, the attackers craft a malicious .scr file disguised as a collaboration offer presentation; this file embeds both the BlueDuck infostealer and a full Python environment. The malicious file is then compressed, alongside generic brand-related images, into a password-protected ZIP archive. Finally, the archive is uploaded to file sharing platforms such as Google Drive, Dropbox and OneDrive.

In preparation for the attack, the actors establish a network of fraudulent domains resembling the impersonated brands. These domains will be used in the delivery phase to launch phishing campaigns and further legitimize their deceptive emails.

In addition, leveraging LLMs, the attackers craft convincing phishing content that mimics legitimate collaboration offers from well-known fashion brands. We are also aware that, in a limited set of intercepted campaigns, the attackers impersonate legitimate companies to accuse the targeted digital marketing firms of copyright infringement.

Delivery

The threat actors engage the victims through various channels: the “contact us” forms on digital agency websites, email, or direct interaction on LinkedIn, Fiverr or Upwork.

Figure 2: example of phishing email delivered to a marketing agency


Figure 3: another example of phishing email delivered to a marketing agency

Installation and Execution

Once the compressed archive is extracted and the victim opens the apparently harmless .scr file, it appears at first glance to be a benign document, but in the background it drops a complete Python environment along with the BlueDuck stealer, disguised as an image with a .jpeg extension, and finally executes it.

To establish a foothold on the compromised system, the malware adds a persistence mechanism by modifying the “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” Windows registry key, allowing BlueDuck to execute automatically at system startup.
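The Run-key persistence and the dropped Python environment described above give defenders a concrete pattern to look for. The following triage script is an added example written for this post (it is not BlueDuck code and not a Yarix tool): it scores each value of the current user's Run key against three heuristics that follow directly from the behaviour reported here, namely a command line pointing into an AppData\Local\BlueSoft folder, a Python interpreter launched from AppData\Local, and a Python interpreter being handed a file with a .jpg/.jpeg extension. The sample Run entries are constructed for illustration, and the rule names, function names and the exact file paths in the samples are assumptions, not indicators from the post.

```python
"""Triage HKCU Run-key entries for the BlueDuck persistence pattern.

Added example, not code from the post or from the malware. The heuristics
encode only what the post reports: a Python environment dropped under
AppData\\Local\\BlueSoft, a stealer disguised with a .jpeg extension, and a
Run-key value that starts it at logon. Paths in the samples are constructed.
"""
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# (rule name, regex applied to the Run value's command line). Rule names are
# arbitrary labels chosen for this example.
RULES = [
    # The post's "BlueSoft" staging folder under AppData\Local.
    ("bluesoft_folder", re.compile(r"\\AppData\\Local\\BlueSoft\\", re.I)),
    # Any python/pythonw interpreter whose argument is an image-named file.
    ("python_runs_image", re.compile(r'python\w*\.exe.*\.jpe?g(?=["\s]|$)', re.I)),
    # A Python interpreter living under the user's AppData\Local (dropped env).
    ("python_from_appdata", re.compile(r"\\AppData\\Local\\.*python\w*\.exe", re.I)),
]


def classify_command(command):
    """Return the names of all rules the command line matches ([] if none)."""
    return [name for name, rx in RULES if rx.search(command)]


def triage(entries):
    """entries: iterable of (value_name, command_line) pairs from a Run key.

    Returns one dict per suspicious entry, in input order.
    """
    hits = []
    for name, cmd in entries:
        matched = classify_command(cmd)
        if matched:
            hits.append({"name": name, "command": cmd, "rules": matched})
    return hits


def read_hkcu_run():
    """Enumerate the live Run key on Windows; return [] on other platforms so the
    script still runs (offline) against the constructed samples."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    out = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            out.append((name, str(value)))
            i += 1
    return out


# Constructed sample entries (not real IoCs): two ordinary autostarts and two
# modelled on the behaviour described in the post.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Discord", r"C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe"),
    ("BlueSoft", r'"C:\Users\alice\AppData\Local\BlueSoft\python.exe" "C:\Users\alice\AppData\Local\BlueSoft\cover.jpeg"'),
    ("Update", r"C:\Users\alice\AppData\Local\Temp\env\pythonw.exe C:\Users\alice\Pictures\photo.jpg"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ENTRIES + read_hkcu_run()):
        print(f"[!] {hit['name']}: {', '.join(hit['rules'])}")
        print(f"    {hit['command']}")
```

Any hit is a reason to pull the referenced interpreter and "image" file for analysis and to check outbound connections from that Python process; a single rule match (for instance a legitimate Python tool installed per-user) is weaker evidence than the full combination seen in the BlueSoft sample.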

Figure 4: malicious processes spawned by the malware

Actions on Objectives

The objective of the compromise is the exfiltration of sensitive data from the infected host, including session cookies, browser-saved passwords and credit card data. The stolen information is sent to a private Telegram group controlled by the BlueDuck group, where the operators specifically search for valid Meta Business account credentials.

Figure 5: example of exfiltrated data sent to threat actors’ Telegram group

Technical analysis

Based on our telemetry data, we have evidence that BlueDuck’s infostealer has been updated at least 3 times. Originally developed in .NET, the group switched to Python around August 2023. In later versions of the malware, BlueDuck used AES encryption to obfuscate the payload, with static decryption keys used to decrypt and execute the code at runtime. This was likely designed to hinder static analysis and reduce the visibility of sensitive information in the source code.

Most versions of the malware weaponize .scr files to drop and execute the infostealer payload. These files have an artificially inflated size to evade detection by security tools.

Although the .NET version of the malware was not very similar to other Vietnamese infostealers analyzed by other researchers, we cannot exclude that BlueDuck is a spinoff or an evolution of a previously tracked Vietnamese group.

During dynamic analysis, we found that the malware creates a temporary directory named “BlueSoft” under AppData/Local. This naming convention aligns with the group’s tactics and was likely chosen to blend in with legitimate software directories. The name “BlueDuck” comes from the name of this folder (and one of the colors of the Python logo) combined with the word “duck”, a common suffix in the names of other Vietnamese groups with similar TTPs.

Figure 6: function that sets up the BlueDuck folders and installs the persistence

The malware targets user data stored in the following web browsers: Firefox, Chrome, Brave, Edge, Chromium, Opera and CocCoc. It is worth noting that CocCoc is a Vietnamese browser not commonly used in the West (we definitely did not know of its existence), which suggests that the threat group may be based in Vietnam. This hypothesis is supported by the comments in the Python source code, mainly written in Vietnamese, and by a feature that specifically disables persistence and infection on hosts geolocated in Vietnam.

Figure 7: List defining targeted browsers

Figure 8: Python main() function that alerts the BlueDuck team if the victim is geolocated in Vietnam with the message: “Tool bị chặn tại Việt Nam!” (translation: “Tool is blocked in Vietnam!”)

After successfully retrieving the browser data, the malware compresses the stolen credentials and cookies into a ZIP file and sends it to a Telegram channel using a Telegram bot. Our analysis identified two Telegram bots named “cham_bat_6” and “cham_bat_4”. The naming convention suggests the presence of at least four other bots, likely used in other campaigns or by different teams of the same group.

After extracting the browser data, the malware focuses on Meta Ads Manager credentials. These are further enriched by querying the Facebook Graph API to obtain the available Business Manager (BM) accounts and the balance and budget of advertising campaigns. This information is categorized as “TKQC” (i.e., Tài Khoản Quảng Cáo, translation: Advertising Account) within the code and is saved separately in a .txt file before transmission to the Telegram channels.

Figure 9: Portion of the functions that analyze Facebook Business data by exploiting collected session cookies

The information stored in the TKQC.txt file is structured as follows:

  • Information regarding the Business Manager accounts:
ID: {account_id} | NAME: {account_name} | ROLE: {list_of_permitted_roles[]} STATUS: {account_verification_status} IS_PROTECTED: {is_protected}
  • Information regarding the managed Ads:
ID: {ad_id} | Tên: {ad_name} | Ngưỡng: {ad_billing_threshold_cycle} | LIMIT: {ad_daily_limit} | Chi Tiêu: {amount_spent} | Status: {ad_status} | Tiền tệ: {ad_currency} | PTTT: {payment_methods}

Figure 10: An excerpt from an intercepted TKQC.txt file transmitted to the BlueDuck scam team
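When a TKQC.txt file is recovered during an incident (from the host, a sandbox run or the exfiltration channel), an incident responder wants to turn it into a list of exposed Business Manager and ad accounts quickly, so the right account owners can be notified and the accounts with saved payment methods secured first. The parser below is an added example written for this post, not code from the page or from the malware; it implements the two line layouts exactly as listed above, including the Vietnamese labels and the fact that ROLE, STATUS and IS_PROTECTED are not pipe-separated. The sample file content, the dataclass names and the summary keys are constructed for illustration.

```python
"""Parser and scoping summary for the TKQC.txt layout described in the post.

Added example, not BlueDuck code. Line layouts reproduced from the post:
  ID: {id} | NAME: {name} | ROLE: {roles[]} STATUS: {status} IS_PROTECTED: {bool}
  ID: {id} | Tên: {name} | Ngưỡng: {threshold} | LIMIT: {limit} | Chi Tiêu: {spent}
      | Status: {status} | Tiền tệ: {currency} | PTTT: {payment_methods}
"""
import re
from dataclasses import dataclass, field

# Labels as they appear in the file, mapped to English attribute names.
BM_LABELS = {"ID": "id", "NAME": "name", "ROLE": "roles",
             "STATUS": "status", "IS_PROTECTED": "is_protected"}
AD_LABELS = {"ID": "id", "Tên": "name", "Ngưỡng": "billing_threshold",
             "LIMIT": "daily_limit", "Chi Tiêu": "amount_spent", "Status": "status",
             "Tiền tệ": "currency", "PTTT": "payment_methods"}
# Values the stealer is likely to write when no payment method is stored
# (assumption for this example; extend after looking at real samples).
NO_PAYMENT = {"", "none", "null", "[]", "n/a"}


@dataclass
class BusinessManager:
    id: str = ""
    name: str = ""
    roles: list = field(default_factory=list)
    status: str = ""
    is_protected: bool = False


@dataclass
class AdAccount:
    id: str = ""
    name: str = ""
    billing_threshold: str = ""
    daily_limit: str = ""
    amount_spent: str = ""
    status: str = ""
    currency: str = ""
    payment_methods: str = ""


def _pairs(line, labels):
    """Extract 'LABEL: value' pairs. A value runs until the next known label
    (optionally preceded by ' | ') or end of line, so fields that are not
    pipe-separated (ROLE/STATUS/IS_PROTECTED) are still split correctly."""
    alt = "|".join(re.escape(k) for k in sorted(labels, key=len, reverse=True))
    rx = re.compile(rf"(?<!\w)(?P<k>{alt}):\s*(?P<v>.*?)(?=\s*\|?\s*(?:(?:{alt}):|$))")
    return {labels[m.group("k")]: m.group("v").strip() for m in rx.finditer(line)}


def parse_tkqc(text):
    """Return (business_managers, ad_accounts) parsed from TKQC.txt content."""
    bms, ads = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "Tên:" in line or "PTTT:" in line:          # ad-account layout
            ads.append(AdAccount(**_pairs(line, AD_LABELS)))
        elif "NAME:" in line:                            # Business Manager layout
            f = _pairs(line, BM_LABELS)
            f["roles"] = re.findall(r"[A-Za-z_]+", f.get("roles", ""))
            f["is_protected"] = f.get("is_protected", "").lower() == "true"
            bms.append(BusinessManager(**f))
    return bms, ads


def summarize(text):
    """Scoping figures a responder needs first: exposed BMs without protection,
    and ad accounts whose stored payment method could be abused."""
    bms, ads = parse_tkqc(text)
    return {
        "business_managers": len(bms),
        "unprotected_bm_ids": [b.id for b in bms if not b.is_protected],
        "ad_accounts": len(ads),
        "ads_with_saved_payment": sum(
            1 for a in ads if a.payment_methods.strip().lower() not in NO_PAYMENT),
        "active_ad_ids": [a.id for a in ads if a.status.upper() == "ACTIVE"],
    }


# Constructed sample in the post's layout; IDs, names and values are invented.
SAMPLE = """\
ID: 1000000000001 | NAME: Example Agency BM | ROLE: ['ADMIN', 'EMPLOYEE'] STATUS: verified IS_PROTECTED: False
ID: 1000000000002 | NAME: Client Brand BM | ROLE: ['EMPLOYEE'] STATUS: not_verified IS_PROTECTED: True
ID: act_2000000000001 | Tên: Spring Campaign | Ngưỡng: 250 | LIMIT: 50 | Chi Tiêu: 1234.56 | Status: ACTIVE | Tiền tệ: EUR | PTTT: Visa *1234
ID: act_2000000000002 | Tên: Test Account | Ngưỡng: 0 | LIMIT: 0 | Chi Tiêu: 0 | Status: DISABLED | Tiền tệ: USD | PTTT: None
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding a real recovered file through `summarize` gives the numbers the post reports at the victimology level (Business Managers, active campaigns, accounts with pre-saved payment methods) for a single victim, which is what the account owner needs in order to revoke sessions, rotate credentials and remove payment methods on exactly the affected accounts.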

Victimology

During our investigation, we managed to reconstruct a timeline that shows the duration of the various campaigns carried out by the group. Notably, the brands impersonated by the group predominantly operate within the fashion industry, with the majority being based in Europe.

The following graph shows the evolution of the campaigns, spanning from June 2023 to March 2024:

We have evidence that the group is subdivided into more than one team, and we have evidence of other brands being impersonated, but we cannot definitively provide a timeline for these other brands. Below is a list of the additional brands that have likely been targeted, with an approximate timeline:

  • Cole Haan – 24/10/2023 to 09/11/2023
  • Sergio Rossi – 09/11/2023 to 25/11/2023
  • Coccinelle – 04/12/2023 to 11/01/2024
  • Stuart Weitzman – 20/02/2024 to 08/03/2024

Our telemetry indicates that the BlueDuck team has successfully compromised at least 700 hosts. Visibility on ongoing campaigns revealed that approximately half of them contained valid Facebook Business session cookies; this translates into the compromise of over 1500 Business Manager accounts managing a total of more than 2800 active advertising campaigns. Notably, a majority of these compromised accounts have pre-saved payment methods.

Figure 11: Geolocation of compromised hosts

The following graphs show the victim distribution across the campaigns that we have data for, and the timeline of the infections:

Figure 12: Compromised hosts per campaign

Figure 13: Timeline of infections per campaign

Conclusions

Nowadays, the advertising ecosystem that revolves around social media platforms is a key asset for every company that wants to increase public engagement and grow its market; platforms such as Facebook and Instagram are perfect places to sponsor products and reach a target audience.

The same tactic of promoting content on social media is leveraged by cybercriminals who want to profit by inducing people to submit credit card details or sensitive information on phishing websites, as well as by distributing malware. However, the threat actors need legitimate business accounts to reach the largest possible audience and to further legitimize the malicious ads; this need has led to the Advertising-as-a-Service (AdaaS) business.

BlueDuck is just one of the many malware families distributed by threat actors who manage AdaaS businesses, which are apparently of great interest to Vietnamese scammers, whose goal is to compromise and resell Meta Business accounts.

Digital marketing agencies, and all industries involved, must understand the risk posed by this threat and secure their social media accounts, implement reliable security solutions and increase general cybersecurity awareness to minimize the risk of infection by interrupting the kill chain at its early stages (e.g., by not executing files distributed via password-protected archives).

MITRE ATT&CK

TACTIC                TECHNIQUE ID   TECHNIQUE
Reconnaissance        T1589.002      Gather Victim Identity Information: Email Addresses
Reconnaissance        T1589.003      Gather Victim Identity Information: Employee Names
Reconnaissance        T1593.001      Search Open Websites/Domains: Social Media
Reconnaissance        T1594          Search Victim-Owned Websites
Resource Development  T1583.001      Acquire Infrastructure: Domains
Resource Development  T1587.001      Develop Capabilities: Malware
Resource Development  T1608.001      Stage Capabilities: Upload Malware
Initial Access        T1566.001      Phishing: Spearphishing Attachment
Initial Access        T1566.002      Phishing: Spearphishing Link
Initial Access        T1566.003      Phishing: Spearphishing via Service
Execution             T1059.006      Command and Scripting Interpreter: Python
Execution             T1204.002      User Execution: Malicious File
Execution             T1204.001      User Execution: Malicious Link
Persistence           T1547.001      Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion       T1036.008      Masquerading: Masquerade File Type
Defense Evasion       T1027.009      Obfuscated Files or Information: Embedded Payloads
Defense Evasion       T1027.002      Obfuscated Files or Information: Software Packing
Credential Access     T1555.003      Credentials from Password Stores: Credentials from Web Browsers
Credential Access     T1539          Steal Web Session Cookie
Discovery             T1033          System Owner/User Discovery
Collection            T1113          Screen Capture
Exfiltration          T1020          Automated Exfiltration
Exfiltration          T1567          Exfiltration Over Web Service

IOC

Files:

9881cb799e75c511f140f45881e83c3e3b420e35d93a18aff5b4f179a4d9c283 Malicious .scr document acting as dropper
844bf98e02d36e9f2555cffc365a800a4410e3e63b72546602b4b32835fce1e3 Malicious .scr document acting as dropper
3b992218941877fed2cc11b7c588f4f9a39b3b17eaeeae3320a70b995e24be3f Malicious .scr document acting as dropper
d512fd3f987d174c89f644479cf618bf232083bcdf93ae930cbbecb92fa0ff6e Malicious .scr document acting as dropper, .NET version
9e23c082fde2e3e01c57f2c22427aa72c2dcd7721870122aa410eb0ef20df4e1 BlueDuck stealer
c0f6900e6c23cd97133fa7840bf550e37fb6d33af149f8570acf871b57009c3c BlueDuck stealer
7cf3dd075139c698a76db041df607332f547d47c17c2459b610890015c173ca5 BlueDuck stealer
a39906f0eb186cc34884cb77301fc9af16e16ac31fad6b707c10ac1a39c718b5 BlueDuck encoded stealer
b7f087fdbde690db1e346bd6f37707396ca25ca3572030fe2bbe7cf215ca7c11 BlueDuck encoded stealer

Domains:

  • aloyogafashion[.]com
  • aloyogaclothings[.]com
  • aloyogaglobal[.]com
  • ikksfrance[.]com
  • ikksglobal[.]com
  • ikksllc[.]com
  • ikksfr[.]com
  • ikksinc[.]com
  • ballyllc[.]com
  • ballych[.]com
  • pinkoitaly[.]com
  • pinko-bag[.]com
  • pinkohandbags[.]com
  • pinkobag[.]net
  • it-pinko[.]com
  • pinkoglobal[.]com
  • it-pinkobag[.]com
  • carreraworlds[.]com
  • us-carreraworld[.]com
  • carreraglasses[.]com
  • furla-it[.]com
  • it-furla[.]com
  • tamarisshoe[.]com
  • mansugavriel[.]com
  • mansurgavrielglobal[.]com
  • mansurgavriels[.]com

Phone numbers:

  • +1 8679 880692
  • +44 7701 412889
  • +44 7401 169246
  • +1 236 3011347
  • +44 7380 319122
  • +44 7588 681331
  • +1 4242 436660
  • +1 2135 369121

References

[1] https://isc.sans.edu/diary/Facebook+AdsManager+Targeted+by+a+Python+Infostealer/30590/

[2] https://www.linkedin.com/posts/ranlocar_introducing-phosteal-a-new-vietnamese-stealer-activity-7122212928040148992-l-SH

[3] https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/

[4] https://www.withsecure.com/en/expertise/research-and-innovation/research/ducktail-an-infostealer-malware

[5] https://labs.yarix.com/2023/06/winton-a-russian-speaking-scam-group-targeting-middle-eastern-customers/


Authors

Giovanni Barbieri is a member of the Yarix Cyber Threat Intelligence Team. He has a master’s degree in computer engineering and, in addition to research and threat intelligence activities, he enjoys making some noise with his electric guitar and travelling.

Marco Dello Iacovo is a member of the Yarix Cyber Threat Intelligence Team. He has a bachelor’s degree in computer science, a cool cat and a bunch of climbing equipment that rarely gets used. He sometimes enjoys being really bad at CTFs. Also known as Chef.
