BlueDuck: an(other) Infostealer Coveting Digital Marketing Agencies’ Facebook Business Accounts
Tags
cmtmf-attack-pattern: Acquire Infrastructure, Automated Exfiltration, Boot Or Logon Autostart Execution, Command And Scripting Interpreter, Develop Capabilities, Masquerading, Obfuscated Files Or Information, Stage Capabilities
country: Russia, Vietnam, U.S. Virgin Islands
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure, Data Direct Model Models, Search Victim-Owned Websites, Acquire Infrastructure - T1583, Artificial Intelligence - T1588.007, Boot Or Logon Autostart Execution - T1547, Command And Scripting Interpreter - T1623, Credentials - T1589.001, Credentials From Password Stores - T1555, Credentials From Web Browsers - T1555.003, Credentials From Web Browsers - T1503, Develop Capabilities - T1587, Domains - T1583.001, Domains - T1584.001, Email Addresses - T1589.002, Embedded Payloads - T1027.009, Employee Names - T1589.003, Exfiltration Over Web Service - T1567, Gather Victim Identity Information - T1589, Malicious File - T1204.002, Malicious Link - T1204.001, Malware - T1587.001, Malware - T1588.001, Masquerade File Type - T1036.008, Masquerading - T1655, Obfuscated Files Or Information - T1406, Phishing - T1660, Phishing - T1566, Python - T1059.006, Registry Run Keys / Startup Folder - T1547.001, Screen Capture - T1513, Search Open Websites/Domains - T1593, Search Victim-Owned Websites - T1594, Social Media - T1593.001, Software - T1592.002, Software Packing - T1027.002, Software Packing - T1406.002, Spearphishing Attachment - T1566.001, Spearphishing Attachment - T1598.002, Spearphishing Link - T1566.002, Spearphishing Link - T1598.003, Spearphishing Via Service - T1566.003, Stage Capabilities - T1608, Steal Web Session Cookie - T1539, Upload Malware - T1608.001, Automated Exfiltration - T1020, Command-Line Interface - T1059, Masquerading - T1036, Obfuscated Files Or Information - T1027, Registry Run Keys / Start Folder - T1060, Screen Capture - T1113, Software Packing - T1045, Spearphishing Attachment - T1193, Spearphishing Link - T1192, Spearphishing Via Service - T1194, System Owner/User Discovery - T1033, User Execution - T1204, Masquerading, Screen Capture, Spearphishing Attachment, User Execution
Common Information
Type Value
UUID 1fccc5af-068c-43ef-b4f8-2bb8bf4f83e2
Fingerprint a430897ba2a98781
Analysis status DONE
Considered CTI value 2
Text language
Published April 4, 2024, midnight
Added to db Aug. 31, 2024, 6:37 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline BlueDuck: an(other) Infostealer Coveting Digital Marketing Agencies’ Facebook Business Accounts
Title BlueDuck: an(other) Infostealer Coveting Digital Marketing Agencies’ Facebook Business Accounts
Detected Hints/Tags/Attributes 141/4/67
RSS Feed
Id Enabled Feed title Url Added to db
152 YLabs https://labs.yarix.com/feed 2024-08-30 22:08
Attributes
Type #Events Value
File 1 tkqc.txt
MITRE ATT&CK Technique 22 T1589.002 (Email Addresses)
MITRE ATT&CK Technique 6 T1589.003 (Employee Names)
MITRE ATT&CK Technique 6 T1593.001 (Social Media)
MITRE ATT&CK Technique 14 T1594 (Search Victim-Owned Websites)
MITRE ATT&CK Technique 82 T1583.001 (Domains)
MITRE ATT&CK Technique 96 T1587.001 (Malware)
MITRE ATT&CK Technique 49 T1608.001 (Upload Malware)
MITRE ATT&CK Technique 310 T1566.001 (Spearphishing Attachment)
MITRE ATT&CK Technique 183 T1566.002 (Spearphishing Link)
MITRE ATT&CK Technique 22 T1566.003 (Spearphishing Via Service)
MITRE ATT&CK Technique 59 T1059.006 (Python)
MITRE ATT&CK Technique 365 T1204.002 (Malicious File)
MITRE ATT&CK Technique 106 T1204.001 (Malicious Link)
MITRE ATT&CK Technique 380 T1547.001 (Registry Run Keys / Startup Folder)
MITRE ATT&CK Technique 21 T1036.008 (Masquerade File Type)
MITRE ATT&CK Technique 40 T1027.009 (Embedded Payloads)
MITRE ATT&CK Technique 160 T1027.002 (Software Packing)
MITRE ATT&CK Technique 125 T1555.003 (Credentials From Web Browsers)
MITRE ATT&CK Technique 99 T1539 (Steal Web Session Cookie)
MITRE ATT&CK Technique 230 T1033 (System Owner/User Discovery)
MITRE ATT&CK Technique 219 T1113 (Screen Capture)
MITRE ATT&CK Technique 102 T1020 (Automated Exfiltration)
MITRE ATT&CK Technique 126 T1567 (Exfiltration Over Web Service)
Url 1 https://isc.sans.edu/diary/facebook
Url 1 https://www.linkedin.com/posts/ranlocar_introducing-phosteal-a-new-vietnamese-stealer-activity-7122212928040148992-l-sh
Url 4 https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business
Url 1 https://www.withsecure.com/en/expertise/research-and-innovation/research/ducktail-an-infostealer-malware
Url 1 https://labs.yarix.com/2023/06/winton-a-russian-speaking-scam-group-targeting-middle-eastern-customers
Windows Registry Key 582 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run