⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
This month’s top two threats are Impacket at number one and Mimikatz at number two. Both rank this high in part because their malicious use in May was combined with unconfirmed testing activity, which produces a higher volume than threats we don’t see used in testing. Qbot activity increased to claim spot number four while its known delivery affiliate, TA570, jumped back into the top 10 to tie at number five with SocGholish. Raspberry Robin fell from number two to seven, a drop driven by the increased volume of other higher-ranked threats rather than by a dramatic decrease in Raspberry Robin activity. Ducktail, a browser data stealer, is a newcomer to our top 10 list and landed in a three-way tie for spot number nine with Ippedo and NetSupport Manager.
Ducktail and cover
Ducktail is an information stealer observed in the wild since at least early 2021. Here at Red Canary we saw increased activity in May 2023, enough for Ducktail to make its first appearance in our top 10 this month. The adversaries behind Ducktail have multiple goals: one is to hijack access to LinkedIn or Facebook business accounts, and another is to steal sensitive information from victim systems. Accordingly, the malware includes design choices and capabilities that facilitate those goals.
Ducktail operators target victims that might have Facebook business account access. Researchers reported in May that many recent targeted victims worked in HR and marketing departments. The adversaries send malicious links to potential victims via social media and messaging applications like LinkedIn and WhatsApp. They use social engineering to trick victims into interacting with the malicious links, which download and execute Ducktail malware from file-sharing platforms like Dropbox or iCloud. The initial executable filename is often a string of words relevant to the targeted victim. One example we’ve seen is Calculate_Cumulative_Salary_Based_On_A_Monthly.exe. WithSecure shared another example: new project l'oréal budget business plan.exe.
Once downloaded and executed, Ducktail is designed to steal browser cookies and browsing data from Brave, Edge, Chrome, and Firefox. It can also take screenshots of the victim system. Ducktail uses Telegram to send the stolen data and information back to the operators. If Ducktail finds active Facebook session cookies, it will search for and steal additional information related to the Facebook account. If the Facebook account is associated with a business, the adversaries will attempt to give themselves administrative access in order to hijack the account.
As always, security professionals should educate users to be wary of opening links or downloading files from unknown sources. Malicious links can be shared using social media and messaging applications, not only via the better-known avenue of phishing emails. One way Ducktail gains access to browser information and cookies is by opening the victim’s browser in headless mode, meaning the browser runs in the background without a visible GUI. Because headless mode is requested through a command-line parameter, it gives us a detection opportunity.
Detection opportunity: Chromium-based headless browsers being used to download files
The following pseudo-detection analytic looks for Chromium-based browsers opening with the headless parameter and subsequently downloading files from a remote location. While developers may use headless browsers to download files, it is an unusual way to do so. This analytic can help identify Ducktail as well as other suspicious activity.
process == (
command_line_includes == (
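The following is an added example that turns the pseudo-analytic above into runnable detection logic; it is not Red Canary’s own analytic or code. It runs over constructed process telemetry so it can be tried offline. The record shape (a process start plus the file-create events later attributed to that process), the set of Chromium-based image names, the sample command lines and paths, and the profile-directory filter are all assumptions for the sake of the example; real EDR data would be joined by process ID and start time, and the browser list would be tuned to your estate.

```python
"""Headless Chromium download detection over constructed telemetry.
Added example, not Red Canary's code: record shape, image names and
sample paths are assumptions."""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Chromium-based browser image names to watch (assumed set; extend per estate).
# Firefox is left out: it is not Chromium-based, so this analytic does not cover it.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Chromium accepts --headless as well as --headless=new / --headless=old.
HEADLESS_RE = re.compile(r"^--headless(=\w+)?$", re.IGNORECASE)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
USER_DATA_DIR_PREFIX = "--user-data-dir="


@dataclass
class ProcessEvent:
    """One process start plus file-create events attributed to it (constructed shape)."""
    pid: int
    image: str
    command_line: str
    files_written: List[str] = field(default_factory=list)


def argv_of(command_line: str) -> List[str]:
    """Tokenise a Windows command line on whitespace, keeping quoted paths whole."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quote (e.g. l'oréal): fall back to a plain split
        tokens = command_line.split()
    return [t.strip('"') for t in tokens]


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_headless_chromium(ev: ProcessEvent) -> bool:
    """process == (Chromium browser) && command_line_includes == (--headless)."""
    if image_name(ev.image) not in CHROMIUM_BROWSERS:
        return False
    return any(HEADLESS_RE.match(a) for a in argv_of(ev.command_line))


def profile_dir(argv: List[str]) -> Optional[str]:
    for a in argv:
        if a.lower().startswith(USER_DATA_DIR_PREFIX):
            return a[len(USER_DATA_DIR_PREFIX):].rstrip("\\").lower()
    return None


def downloaded_files(ev: ProcessEvent) -> List[str]:
    """File writes that look like downloads rather than the browser's own profile
    housekeeping (cookies, cache, history). Requires a URL on the command line."""
    argv = argv_of(ev.command_line)
    if not any(URL_RE.match(a) for a in argv):
        return []
    profile = profile_dir(argv)
    out = []
    for path in ev.files_written:
        low = path.lower()
        if "\\user data\\" in low:  # default Chromium profile location
            continue
        if profile and low.startswith(profile + "\\"):  # custom --user-data-dir
            continue
        out.append(path)
    return out


def detect_headless_download(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """(pid, files) for each headless Chromium launch that fetched a URL and then wrote a file."""
    hits = []
    for ev in events:
        if is_headless_chromium(ev):
            files = downloaded_files(ev)
            if files:
                hits.append((ev.pid, files))
    return hits


# Constructed sample telemetry; none of these are real Ducktail command lines.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    # Stealer-style: headless Chrome with a throwaway profile in Temp, fetching a
    # URL and dropping a file beside the profile. Expected to fire.
    ProcessEvent(4120, CHROME, f'"{CHROME}" --headless --disable-gpu '
                 r"--user-data-dir=C:\Users\victim\AppData\Local\Temp\ud https://example.invalid/stage2",
                 [r"C:\Users\victim\AppData\Local\Temp\ud\Default\Cookies",
                  r"C:\Users\victim\AppData\Local\Temp\stage2.bin"]),
    # Interactive Chrome saving a PDF: not headless, so not flagged.
    ProcessEvent(5003, CHROME, f'"{CHROME}" --profile-directory=Default https://example.invalid/report.pdf',
                 [r"C:\Users\victim\Downloads\report.pdf",
                  r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\History"]),
    # Developer screenshot with the new headless mode: fires too (the tuning caveat).
    ProcessEvent(6010, EDGE, f'"{EDGE}" --headless=new --screenshot=C:\\tmp\\page.png https://example.invalid/',
                 [r"C:\tmp\page.png"]),
    # Headless Firefox: not Chromium-based, out of scope for this analytic.
    ProcessEvent(7001, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r'"C:\Program Files\Mozilla Firefox\firefox.exe" --headless https://example.invalid/',
                 [r"C:\Users\victim\Downloads\x.zip"]),
    # Headless Chrome that only touched its own profile: no download, no hit.
    ProcessEvent(8120, CHROME, f'"{CHROME}" --headless https://example.invalid/',
                 [r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Cookies"]),
]

if __name__ == "__main__":
    for pid, files in detect_headless_download(SAMPLE_EVENTS):
        print(f"pid {pid}: headless Chromium fetched a URL and wrote {files}")
```

The third sample shows why the text calls this a tuning exercise rather than a hard block: a developer running a headless screenshot job matches the same pattern as the stealer, so in practice you would baseline known automation hosts and accounts and look at what the written file is and where it lands before alerting.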