win.ducktail

DUCKTAIL


According to Tony Lambert, this is malware written in .NET. It was observed being delivered using the .NET single-file deployment feature.

References

2023-11-01, AppGate, Felipe Tarijon: Vietnamese Information Stealer Campaigns Target Professionals on LinkedIn. https://www.appgate.com/blog/vietnamese-information-stealer-campaigns-target-professionals-on-linkedin

2023-08-30, Zscaler, Sudeep Singh and Naveen Selvan: A Look Into DuckTail. https://www.zscaler.com/blogs/security-research/look-ducktail

2023-05-09, Trend Micro, Khristian Joseph Morales and Gilbert Sison: Managed XDR Investigation of Ducktail in Trend Micro Vision One. https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html

2023-03-29, Yoroi, Luigi Martire and Carmelo Ragusa: DuckTail: Dissecting a complex infection chain started from social engineering. https://yoroi.company/research/ducktail-dissecting-a-complex-infection-chain-started-from-social-engineering/

2023-03-09, Deep Instinct, Simon Kenin: DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection. https://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection

2022-08-07, forensicitguy, Tony Lambert: Analyzing .NET Core Single File Samples (DUCKTAIL Case Study). https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/

2022-07-26, WithSecure (technical report), Mohammad Kazem Hassan Nejad: DUCKTAIL: An infostealer malware targeting Facebook Business accounts. https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf
Yara Rules
[TLP:WHITE] win_ducktail_w0 (20230626 | Detects binaries signed with compromised certificates used by DuckTail stealer - identified in June 2023)
rule win_ducktail_w0 {
   meta:
      author = "dr4k0nia"
      description = "Detects binaries signed with compromised certificates used by DuckTail stealer - identified in June 2023"
      reference = "Internal Research"
      date = "2023-06-16"
      hash1 = "17c75f2d14af9f00822fc1dba00ccc9ec71fc50962e196d7e6f193f4b2ee0183"
      hash2 = "b3cfdb442772d07a7f037b0bb093ba315dfd1e79b0e292736c52097355495270"
      hash3 = "9afe013cae0167993a6a7ccd650eb1221a5ec163110565eb3a49a8b57949d4ee"
      score = 80
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail"
      malpedia_version = "20230626"
      malpedia_license = "CC BY-NC-SA 4.0"
      malpedia_sharing = "TLP:GREEN"
   strings:
      $sx1 = "AZM MARKETING COMPANY LIMITED" ascii fullword
      $sx2 = "CONG TY TNHH" ascii
      $sx3 = {43 C3 94 4E 47 20 54 59 20 54 4E 48 48 20}
      $sx4 = "CONG TY TRACH" ascii
      $se1 = {65 78 BE 85 2D 48 E3 3D 4E 48 B8 D4 73 F5 B7 60} // AZM MARKETING COMPANY LIMITED
      $se2 = {1D 53 38 32 74 2B 58 37 87 C0 A2 53 32 F7 FB 06} // AZM MARKETING COMPANY LIMITED
      $se3 = {00 BD 7B 85 B2 6A 69 C9 7D 6D 68 CC 95 67 34 C0 6B} // CONG TY TNHH PDF SOFTWARE
      $se4 = {06 5F 5C 57 0B D6 A7 98 92 FB B0 E6 34 61 3A 4D}
      $se5 = {41 55 3F 07 13 37 11 7A 99 B4 58 57} // CONG TY TNHH CAO SU MINH KHANG
      $se6 = {1E AA E4 CE E7 EE 89 FB 20 32 59 27 88 13 D8 53} // CONG TY TNHH MTV SAN VUON THAI VUONG
      $se7 = {56 DC DB 85 D4 89 F9 87 B2 D6 76 72} // CONG TY TNHH THUONG MAI VA XAY DUNG PHUC NGUYEN
      $se8 = {2D A4 50 57 C2 74 3C 1A 3C A4 93 7A} // CONG TY TNHH DICH VU CAU CHU NHO
      $se9 = {37 AE 95 F5 4C 8E 9B D0 B6 47 68 6A} // CÔNG TY TNHH THIẾT KẾ VÀ XÂY DỰNG SÂN VƯỜN NON BỘ SƠN HẢI
      $se10 = {3D C8 F5 3B 62 7A 34 07 AC 7E 01 00 13 87 A3 B3} // CÔNG TY TNHH GIẢI PHÁP CÔNG NGHỆ SỐ VIỆT
      $se11 = {01 C9 87 5A 5F A8 59 68 6D 34 17 C9} // CONG TY TRACH NHIEM HUU HAN THIET BI NOI THAT TAKASY
   condition:
      uint16(0) == 0x5a4d
      and 1 of ($sx*) and 1 of ($se*)
}