The Duck is Hiring in Italy: DUCKTAIL Spread via Compromised LinkedIn Profiles

By Cluster25 Threat Intel Team
October 25, 2023

Cluster25 observed a malicious campaign that employs LinkedIn messages as a vector for executing identity theft attacks. In this campaign, compromised LinkedIn accounts are utilized to send messages to users with the aim of compromising their accounts by illicitly procuring their cookies, session data, and browser credentials.

The malware employed in these attacks has been positively identified as a member of the DuckTail family. This malware variant also possesses an automated functionality, enabling it to execute Facebook Business hijacking attacks, thereby providing the attackers with access to the email associated with any potential Facebook Business account owned by the victim.

The observed attacks have targeted professionals belonging to various Italian companies, especially in the technology sector. The attackers have shown a preference for focusing on personnel from the sales and finance departments of the targeted companies.

INSIGHTS

The campaign is executed through compromised LinkedIn accounts to distribute PDF documents disguised as job offers.


Once the initial contact with the victim has been established, the compromised account proceeds to send a subsequent message. This message includes the attached PDF document that contains the details of the job offer.

In the case under analysis, the fraudulent job posting pertained to a Senior Manager position at Electronic Arts (EA) company.

The PDF document contains two hyperlinks. The first one leads to the legitimate Electronic Arts recruiting website.


The second one is a malicious URL that initiates the download of a ZIP archive named Senior_Manager_EA_Sport.zip from the Microsoft OneDrive cloud storage platform:

DROP-POINT URL
https://onedrive.live[.]com/download?resid=7531E499827B967F%21163&authkey=!AO41K9-bCwOPW64

The ZIP archive comprises three MP4 video files and two identical executables, disguised as Microsoft Word documents by incorporating the Word icon.

The executables employed for the purpose of infection are identical 64-bit PE files, exhibiting a substantial size of 67.3 megabytes and containing the distinctive decryption string AHSDHAS092TEST. Furthermore, the metadata reveals a compilation timestamp of January 24th, 2023 at 05:31:29 UTC.

The file appears to have been compiled with Microsoft Visual Studio, but it also contains additional embedded PE headers. Notably, one of these headers belongs to a Microsoft .NET executable protected by the commercial obfuscator SmartAssembly.

The malicious file is, indeed, constructed within the .NET Core framework and compiled utilizing the single-file feature, which consolidates all dependent libraries and files into a unified executable. This utilization of .NET Core and its single-file feature is atypical in the realm of malware and yields a highly elusive form of malicious software. At the moment of composing this report, only six out of seventy (6/70) antivirus engines on VirusTotal have identified the file as malicious, underscoring its ability to evade detection.

Consequently, the “single file” application is essentially a collection of binaries concatenated together, but the actual malicious code can be uncovered by delving into the executable dependencies, from which the malware’s primary DLL can be extracted.

The malicious DLL is a 64-bit PE file developed in Microsoft .NET and compiled on September 18th, 2023 at 01:20:39 UTC.

The primary function within the DLL initiates the creation of a mutex named ICollectVASD to guarantee the execution of only one instance of the malware. Subsequently, it proceeds to collect information about the victim, including the system’s GUID and the IP address, which are temporarily stored in a file located at the following path:

RECON FILE PATH
C:\Users\<User>\AppData\Local\Temp\ic300

As a decoy, the malware generates a lure PDF document at the specified path, which is subsequently opened to display the expected job description to the user:

LURE FILE PATH
C:\Users\<User>\AppData\Local\Temp\Job_Description_of_Senior_Manager.pdf

The communication with the Command and Control (C&C) server is executed through a Telegram Bot, utilizing the BOT ID 6263348871. The communication is secured via TLS encryption, with the initial message referred to as a “Start Signal”. This Start Signal involves sending an HTTP POST request to the attacker’s Telegram Bot, conveying the ChatID and a text message structured by combining the strings “REQ|”, the GUID of the compromised system, “READY|” and an associated counter.

The HTTP request is sent to the following URL, using the /sendMessage Telegram API:

TELEGRAM BOT REQUEST URL
https://api.telegram[.]org/bot6263348871:AAFc1F8GffaY0Bc8rWsvD2BzfK9yD-zrvRQ/sendMessage

Subsequent to the initial communication, the malware transfers the acquired data via ZIP archives enclosed within POST messages. These messages are dispatched using the /sendDocument API.

TELEGRAM BOT EXFILTRATION URL
https://api.telegram[.]org/bot6263348871:AAFc1F8GffaY0Bc8rWsvD2BzfK9yD-zrvRQ/sendDocument
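As an added defender's example (not code from the Cluster25 report), the following Python hunts outbound proxy logs for the Telegram Bot API pattern described above: POSTs to /sendMessage carrying the "REQ|<GUID>READY|<counter>" Start Signal, and POSTs to /sendDocument that carry the ZIP exfiltration. The log line format, the placeholder bot token and the sample GUID are constructed; the optional separator between the GUID and "READY" is an assumption.

```python
import re

# Telegram Bot API calls the report describes: /sendMessage carries the "Start Signal",
# /sendDocument carries ZIP exfiltration. The digits before ':' are the bot ID.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+"
    r"/(?P<method>sendMessage|sendDocument)\b")
# Start Signal text = "REQ|" + GUID + "READY|" + counter. The optional '|' between the GUID
# and "READY" is an assumption, in case the pieces are joined with a separator.
START_SIGNAL_RE = re.compile(
    r"REQ\|(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\|?READY\|(?P<counter>\d+)")

def parse_proxy_line(line):
    """Constructed log format: '<ts> <src_ip> <verb> <url> <status> [<body snippet>]'."""
    parts = line.strip().split(" ", 5)
    if len(parts) < 5:
        return None
    return {"ts": parts[0], "src": parts[1], "verb": parts[2], "url": parts[3],
            "status": parts[4], "body": parts[5] if len(parts) == 6 else ""}

def classify(event):
    """Return a finding for POSTs to a Telegram bot endpoint, or None for anything else."""
    m = TELEGRAM_BOT_RE.search(event["url"])
    if not m or event["verb"] != "POST":
        return None
    finding = {"src": event["src"], "bot_id": m["bot_id"], "api": m["method"],
               "kind": "telegram_bot_api"}
    if m["method"] == "sendDocument":
        finding["kind"] = "telegram_document_upload"   # candidate ZIP exfiltration
    elif (s := START_SIGNAL_RE.search(event["body"])):
        finding.update(kind="ducktail_start_signal", guid=s["guid"].lower(),
                       counter=int(s["counter"]))
    return finding

def hunt(lines):
    """Classify every line; also return which bot IDs each internal host talked to."""
    findings = [f for f in map(classify, filter(None, map(parse_proxy_line, lines))) if f]
    bots_by_host = {}
    for f in findings:
        bots_by_host.setdefault(f["src"], set()).add(f["bot_id"])
    return findings, bots_by_host

# Constructed sample proxy lines with a placeholder bot token (not an indicator from the report).
SAMPLE_LOG = [
    "2023-10-20T09:14:02Z 10.0.5.23 GET https://www.ea.com/careers 200",
    "2023-10-20T09:15:40Z 10.0.5.23 POST https://api.telegram.org/bot1234567890:EXAMPLEtoken-abc"
    "/sendMessage 200 chat_id=1111&text=REQ|4d3f0c1a-9b2e-4f5a-8c7d-1e2f3a4b5c6dREADY|1",
    "2023-10-20T09:16:05Z 10.0.5.23 POST https://api.telegram.org/bot1234567890:EXAMPLEtoken-abc/sendDocument 200",
    "2023-10-20T09:30:11Z 10.0.5.23 POST https://api.telegram.org/bot1234567890:EXAMPLEtoken-abc/sendDocument 200",
]
```

A single host that first emits a Start Signal and then repeats /sendDocument uploads to the same bot ID matches the beaconing behaviour described in this report.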

The C&C server details are retrieved from a configuration file stored within the binary’s resources, named “profile”. This file has a JSON structure with two fields named “k” and “v”. The “k” field is a Base64-encoded AES-CBC key, used to decrypt the “v” field after decoding it from Base64. The cryptographic operations are executed using the external package Org.BouncyCastle.Crypto, which is also employed for encrypting the strings used by the malware.


Upon successful decryption, the outcome is a new JSON file encompassing the parameters for communication with the C&C. This includes the Telegram Bot’s Token, the ChatID, and a list of email addresses.

The configuration comprises seven (7) distinct profiles, each featuring unique tokens, chatIDs, and email lists.

The malware retrieves data from the victim’s web browsers, which include Microsoft Edge, Google Chrome, Brave Browser, and Mozilla Firefox. The malware identifies the installed browsers by inspecting the registry keys located under HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet. Subsequently, it extracts and exfiltrates all the stored cookies, session information, and saved credentials through Telegram, enabling the execution of identity theft attacks.

The malware persists as a background process, routinely issuing requests to the Telegram API and transmitting small increments of data to the attacker.

Additionally, the malware incorporates a Facebook Business hijacking functionality, which is coupled with the email addresses obtained from the configuration. The malware dispatches links to email addresses that are randomly selected from the list, enabling the attacker to potentially gain access to the associated Facebook Business Account.


To do so, the malware first retrieves the victim’s business social accounts by interacting with the Facebook APIs, using the session information extracted from the victim’s browsers. It subsequently shares a link that allows the transfer of account access to the attacker’s email addresses.

MITRE ATT&CK MATRIX

TACTIC                TECHNIQUE   DESCRIPTION
Initial Access        T1566.001   Phishing: Spearphishing Attachment
Initial Access        T1566.002   Phishing: Spearphishing Link
Execution             T1204.002   User Execution: Malicious File
Defense Evasion       T1140       Deobfuscate/Decode Files or Information
Defense Evasion       T1036       Masquerading
Defense Evasion       T1027.002   Obfuscated Files or Information: Software Packing
Defense Evasion       T1564       Hide Artifacts
Credential Access     T1606.001   Forge Web Credentials: Web Cookies
Credential Access     T1539       Steal Web Session Cookie
Discovery             T1082       System Information Discovery
Discovery             T1217       Browser Information Discovery
Discovery             T1518       Software Discovery
Collection            T1560       Archive Collected Data
Collection            T1185       Browser Session Hijacking
Command and Control   T1071.001   Application Layer Protocol: Web Protocols
Exfiltration          T1567       Exfiltration Over Web Service

INDICATORS OF COMPROMISE

