Beware of LinkedIn: Ducktail Malware’s Sneaky ZIP Attack Revealed
In December 2023, the cybersecurity community was alerted to a new form of cyber threat – the Ducktail malware. This incident, detected by the eSentire Threat Response Unit (TRU), targeted a digital marketing professional, revealing the sophisticated mechanisms of this malware and underscoring the vulnerabilities in professional networks.
Ducktail began its infiltration through a seemingly innocuous channel – LinkedIn. The attackers sent a private message to the target containing a ZIP archive. This method of delivery highlights a new frontier in cyber attacks, exploiting professional networks and platforms for malware distribution. The use of LinkedIn, a platform known for its professional credibility, marks a concerning trend in how attackers are evolving their strategies to breach defenses.
The archive contained bloated shortcuts, over 800MB in size, whose embedded batch scripts executed PowerShell commands. These shortcuts were the initial step in a complex attack chain. Once decoded, the scripts downloaded additional PowerShell scripts from suspicious URLs. Those scripts had two primary functions: to bypass User Account Control (UAC) and to run the next stage with administrative privileges, choosing the method according to the system’s UAC status.
The Ducktail malware showcased a meticulous approach to evading detection. It checked the system’s UAC settings from the registry and employed techniques to bypass UAC. If UAC was disabled, it downloaded and executed a file with administrative privileges. If UAC was enabled, it used fodhelper.exe, a known method for bypassing UAC on Windows, to overwrite legitimate system files with malicious ones.
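The triage script below is an added example written for this article from a defender's point of view; it is not code from the eSentire report or from the original post. It checks the three things the chain above depends on: shortcuts that are far larger than a legitimate .lnk file, the UAC registry values the loader reads to pick its path, and the per-user registry artifact the published fodhelper.exe technique relies on (a fact about that technique, not something the article states). The extraction path and the size threshold are my own assumptions.

```powershell
# Added defender-side triage example (not from the eSentire report or the original article).
# Assumptions: the LinkedIn archive has already been extracted to $ExtractedPath;
# the 1 MB threshold is mine (legitimate .lnk files are a few kilobytes).
param(
    [string]$ExtractedPath = "$env:USERPROFILE\Downloads\extracted",  # hypothetical path
    [int64]$LnkSizeThreshold = 1MB
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Bloated shortcuts: a .lnk measured in megabytes is an anomaly worth opening in a sandbox, not locally.
if (Test-Path $ExtractedPath) {
    Get-ChildItem -Path $ExtractedPath -Recurse -Include *.lnk -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt $LnkSizeThreshold } |
        ForEach-Object {
            $findings.Add(("Oversized shortcut: {0} ({1:N0} bytes)" -f $_.FullName, $_.Length))
        }
}

# 2. UAC posture: the same registry values the loader inspects to decide how to elevate.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
if ($null -eq $uac -or $uac.EnableLUA -ne 1) {
    $findings.Add("UAC is disabled (EnableLUA != 1): a downloaded file can run elevated without a prompt")
} elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings.Add("UAC elevates administrators without prompting (ConsentPromptBehaviorAdmin = 0)")
}

# 3. fodhelper.exe abuse: the documented technique plants a per-user ms-settings handler that the
#    auto-elevating binary honours. A clean profile has no such key, so its presence is a strong signal.
$hijackKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
if (Test-Path $hijackKey) {
    $props = Get-ItemProperty -Path $hijackKey
    $findings.Add(("fodhelper hijack key present: {0} default='{1}' DelegateExecute='{2}'" -f `
        $hijackKey, $props.'(default)', $props.DelegateExecute))
}

if ($findings.Count -eq 0) { "No Ducktail-style artifacts found." } else { $findings }
```

Run it as the user who received the message, since the fodhelper key lives under HKCU and would not be visible from a different account. If the hijack key exists, export it before deleting it so the command line it points at can be used to pivot to the dropped files.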
The culmination of this attack involved the downloading and execution of two core payloads – ‘mainbot.exe’ and ‘myRdpService.exe’. These .NET payloads, compiled using native Ahead-Of-Time (AOT) compilation, made the analysis process more complicated. The payloads were responsible for establishing a connection with the command-and-control server, executing remote commands, and potentially exfiltrating data. This functionality highlights the risk of sensitive information theft and the need for robust network monitoring and data loss prevention strategies.
The Ducktail malware incident teaches us several critical lessons:
- Professional networks are not immune to cyber threats. The creativity of attackers in exploiting these platforms calls for heightened caution when interacting with unsolicited messages and attachments.
- The creation of scheduled tasks and services along with techniques to bypass UAC indicates a focus on avoiding detection and maintaining persistence on infected systems.
- The ability to query Windows Management Instrumentation for active antivirus products and add exclusion paths to Windows Defender reveals an intent to circumvent standard security defenses.
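The audit below is an added example, not code from the article or from eSentire TRU. It turns the last two lessons into checks a responder can run on a suspect host: it lists the antivirus products registered in the same WMI namespace the malware queries, flags Windows Defender exclusions that point at user-writable directories, and enumerates scheduled tasks and services whose executable lives in such a directory. The set of "user-writable" locations is my own choice, and the script assumes an elevated PowerShell session on the host under review.

```powershell
# Added defender-side audit example; not from the original article or from eSentire TRU.
# Assumptions: run in an elevated PowerShell on the host under review; the list of
# user-writable directories below is my own and can be extended.
$suspiciousDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
$findings = New-Object System.Collections.Generic.List[string]

# Returns $true when a command line or path starts inside one of the user-writable directories.
function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $clean = [Environment]::ExpandEnvironmentVariables($Path).Trim('"').ToLowerInvariant()
    foreach ($d in $suspiciousDirs) {
        if ($clean.StartsWith($d)) { return $true }
    }
    return $false
}

# 1. Registered AV products, read from the namespace the malware itself queries.
Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    ForEach-Object { "AV product registered: {0} (productState 0x{1:X})" -f $_.displayName, $_.productState }

# 2. Defender exclusions: any path or process exclusion inside a user-writable directory deserves a look,
#    and extension exclusions are rarely legitimate on a workstation.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if (Test-SuspiciousPath $p) { $findings.Add("Defender exclusion in user-writable location: $p") }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if ($e) { $findings.Add("Defender extension exclusion: $e") }
    }
}

# 3. Persistence: scheduled tasks and services that launch something from a user-writable directory.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -and (Test-SuspiciousPath $a.Execute)) {
            $findings.Add(("Task '{0}{1}' runs {2} {3}" -f $_.TaskPath, $_.TaskName, $a.Execute, $a.Arguments))
        }
    }
}
Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue | ForEach-Object {
    if (Test-SuspiciousPath $_.PathName) {
        $findings.Add(("Service '{0}' ({1}) runs {2}" -f $_.Name, $_.StartMode, $_.PathName))
    }
}

if ($findings.Count -eq 0) { "No suspicious exclusions or persistence found." } else { $findings }
```

The exclusion check is the one most worth scheduling: a new Defender exclusion created outside change control is a cheap, high-signal alert, and the same values are also written to `HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions`, so they can be monitored with registry auditing as well as with this script.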