New PHP version of Ducktail
A new version of the Ducktail malware has been found. Ducktail was first documented in July 2021 and focused on hijacking Facebook and advertising accounts. It lured users with a Facebook Business account into downloading a file that supposedly contained Facebook advertising information. Once downloaded and executed, it used a Telegram channel for command and control and for exfiltrating data, namely browser cookies in which personal data and access tokens were stored.
Compared to the 2021 version, the new one is written in PHP instead of .NET Core and is mainly distributed through cracked software. Instead of Telegram, a PHP script now handles the exfiltration.
For more insights on this new PHP version of Ducktail, see this article by The Hacker News: New PHP Version of Ducktail Malware Hijacking Facebook Business Accounts.
New vulnerability: Log4Text
A new vulnerability dubbed "Log4Text" (CVE-2022-42889, CVSS 9.8) was discovered by the GitHub Security Lab team in Apache Commons Text.
Apache Commons Text is a library for text operations, including substituting placeholders in a text with looked-up values (string interpolation). When the substitution feature is used with its default set of lookups, some of those lookups can execute code or contact remote servers. An attacker who can get crafted placeholders into text that is processed by the library's default interpolator can therefore achieve remote code execution.
What can be done to counter this? It is recommended to update Apache Commons Text to version 1.10, which closes this vulnerability.
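To make the risk concrete, here is an added example (not code from the article, from Apache, or from the GitHub Security Lab) that contrasts the risky pattern, the default interpolator applied to attacker-influenced text, with a substitutor that only resolves an explicit allow-list of lookups, plus a small version check. It assumes commons-text is on the classpath; the template, the values and the `UNTRUSTED_INPUT` placeholder are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example, not part of the original article or of Apache Commons Text.
 * Shows (1) the risky use of the default interpolator on untrusted text,
 * (2) a hardened substitutor that only knows an allow-list of lookups, and
 * (3) a check that the library on the classpath is at least the fixed 1.10.0.
 */
public class Log4TextExample {

    // Constructed sample template controlled by the application.
    static final String TEMPLATE = "Hello ${user}, your order ${order} shipped on ${date:yyyy-MM-dd}.";

    // Constructed placeholder for data that arrives from outside (HTTP parameter,
    // form field, log message, ...). Before 1.10.0 any "${prefix:...}" embedded
    // here is handed to the default lookups, including script, dns and url.
    static final String UNTRUSTED_INPUT = "<untrusted user-supplied text>";

    /** RISKY: default interpolator (all built-in lookups) run over untrusted text. */
    public static String riskySubstitute(String untrusted) {
        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
        return interpolator.replace(untrusted);
    }

    /**
     * HARDENED: only plain ${name} variables from our own map and the
     * harmless "date:" lookup are registered; the built-in defaults are NOT
     * added, so "${script:...}" or "${url:...}" is left as literal text.
     * Substitution inside resolved values is disabled, so an attacker-supplied
     * value cannot smuggle a second placeholder through the map.
     */
    public static String safeSubstitute(String template, Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup restricted = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed,                                               // explicit allow-list
                StringLookupFactory.INSTANCE.mapStringLookup(values),  // fallback for ${name}
                false);                                                // do not add defaults
        StringSubstitutor sub = new StringSubstitutor(restricted);
        sub.setDisableSubstitutionInValues(true);
        return sub.replace(template);
    }

    /** True if a commons-text version string is at least 1.10.0 (the fixed release). */
    public static boolean isPatchedVersion(String version) {
        if (version == null) {
            return false; // unknown: treat as unpatched until verified
        }
        String[] parts = version.split("\\.");
        int major = Integer.parseInt(parts[0].replaceAll("\\D.*", ""));
        int minor = parts.length > 1 ? Integer.parseInt(parts[1].replaceAll("\\D.*", "")) : 0;
        return major > 1 || (major == 1 && minor >= 10);
    }

    public static void main(String[] args) {
        // Version from the jar manifest; null when loaded from an exploded directory.
        String version = StringSubstitutor.class.getPackage().getImplementationVersion();
        System.out.println("commons-text " + version + " patched=" + isPatchedVersion(version));

        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");
        values.put("order", UNTRUSTED_INPUT); // attacker-influenced value stays inert
        System.out.println(safeSubstitute(TEMPLATE, values));

        // A template containing an unregistered prefix is echoed back unchanged.
        System.out.println(safeSubstitute("${script:unknown}", values));
    }
}
```

The simplest fix is still the upgrade to 1.10.0, where the script, dns and url lookups are no longer part of the defaults; the allow-list shown above is the pattern to keep regardless of version, because it makes the set of reachable lookups an explicit decision rather than whatever the library ships.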
Interested in knowing more? Feel free to have a look at the sources below:
- Why Log4Text is not another Log4Shell (malwarebytes.com)
- CVE-2022-42889: Keep Calm and Stop Saying “4Shell” (rapid7.com)
- CVE-2022-42889: interpolations that allow RCE disabled in Commons Text 1.10.0 (blogs.apache.org)
- CVE-2022-42889 Detail (nvd.nist.gov)
Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.
Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company's other experts, and we welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.