Ducktail malware seeks to take over Facebook business accounts for financial gain

Ducktail malware is a malicious program developed in 2021 and associated with Vietnamese cybercriminals. It was designed to steal Facebook Business accounts. Threat actors manually search Facebook's Business platform for targets. They look for victims who have Admin access or a Finance editor role. Hijacking such an account gives access to financial data.
| NAME | Ducktail |
| TYPE | Trojan, password-stealing virus, spyware |
| SYMPTOMS | No symptoms are visible to the user until the malware hijacks Facebook accounts |
| DISTRIBUTION | Social engineering, infected email attachments, “cracked” software installations |
| DANGERS | The malicious program can steal users' passwords, and banking information, which could lead to identity theft, and financial losses |
| ELIMINATION | Use professional security tools to eliminate all the malicious files |
| FURTHER STEPS | Use a maintenance tool like FortectIntego to fix any damaged files and optimize the machine |
Ducktail malware in detail
Once the malicious program infiltrates the system it starts checking for installed browsers. Then it tries to identify cookie[1] paths and extract those related to Facebook sessions. Cookies can store data that allows the malware to gain access to the victim's Facebook account.
Ducktail malware also checks if 2FA (two-factor authentication) is required. If it is, it tries to gain access to the recovery codes. The goal is to steal Facebook Business accounts through personal accounts. Once it gains control, the virus changes the business emails to the emails of cybercriminals.
It starts collecting names, verification statuses, account numbers, ad spending and payment cycles, account permissions, the currency, owners, member roles, client data, etc. This can result in serious privacy issues, monetary losses, and even identity theft.
If you suspect that you are infected by this malicious program you should immediately change the passwords of all your Facebook accounts to strong passwords and contact Facebook's support. We also recommend setting up 2FA.

Distribution methods
The infection method is specifically made for each target. Security researchers have found that in some instances the infostealer malware was delivered using the LinkedIn business networking platform. Malware is usually spread using social engineering methods.[2]
Hackers can use email to deliver infected attachments. Often, the emails are disguised as important and urgent messages from well-known companies. Crooks can embed malicious links or convince people to open attachments which enable the malicious program to start.
Another common way that users get infected is by installing “cracked” software.[3] People often use peer-to-peer file-sharing and freeware platforms, Torrent websites. Even though it can be enticing to get expensive software for free, such platforms are the perfect breeding ground for all kinds of malware, not to mention that it is illegal.
Cybercriminals also use software vulnerabilities[4] to deliver their malicious programs. It is extremely important to keep your operating system and software updated. Developers regularly release security patches that take care of potential security risks.
The removal process
It can be very difficult to detect and remove Ducktail malware on time because it usually operates without showing any visible indications of its presence. It may take weeks, or even months for the victim to notice the effects of the virus activity. If you want to prevent such threats from entering your machine in the future, you should use professional security tools.
A PC without an antivirus is like a house without a door. Anti-malware tools can remove the intruders before they can do any changes to your system. SpyHunterCombo Cleaner and MalwarebytesMalwarebytes are great tools that you can use for the full elimination of Ducktail. We do not recommend performing the removal manually as you can leave some traces behind which could result in the renewal of the infection.
Some Trojan-based programs can block your security software and prevent you from accessing the settings for malware removal. If malware is not letting you use antivirus in normal mode, access Safe Mode and perform a full system scan from there:
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.

- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.

- Select Troubleshoot.

- Go to Advanced options.

- Select Startup Settings.

- Click Restart.
- Press 5 or click 5) Enable Safe Mode with Networking.

Once you reach Safe Mode, launch SpyHunterCombo Cleaner, MalwarebytesMalwarebytes, or another reputable antivirus, update it with the latest definitions and perform a full system scan to eradicate malware and all its malicious components.
Repair the damaged operating system
Performance, stability, and usability issues, to the point where a full Windows reinstall is required, are nothing unusual after a malware infection. These types of intruders can alter the Windows registry database, damage vital bootup, and other sections, delete or corrupt DLL files, etc. Once a system file is damaged, antivirus software cannot fix it.
Manual troubleshooting of such damage is also very complicated and can take a long time. This is why FortectIntego was developed. It can fix a lot of the damage caused by an infection like this. Blue Screen errors, freezes, registry errors, damaged DLLs, etc., can make your computer completely unusable. By using this useful maintenance tool, you could prevent yourself from having to reinstall Windows completely.
- Download the application by clicking on the link above
- Click on the ReimageRepair.exe
- If User Account Control (UAC) shows up, select Yes
- Press Install and wait till the program finishes the installation process
- The analysis of your machine will begin immediately
- Once complete, check the results – they will be listed in the Summary
- You can now click on each of the issues and fix them manually
- If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.

If you experience setting changes in your browsers, like the homepage, new tab address, redirects, or push notifications, you can look for instructions on how to deal with those issues below this article. There is a big chance that the malware automatically installed other threats that could cause unwanted symptoms in your browsers. Guides are available for Google Chrome, Mozilla Firefox, MS Edge, and Internet Explorer.
Remove from Microsoft Edge
Delete unwanted extensions from MS Edge:
- Select Menu (three horizontal dots at the top-right of the browser window) and pick Extensions.
- From the list, pick the extension and click on the Gear icon.
- Click Remove.

Clear cookies and other browser data:
- Click on the Menu (three horizontal dots at the top-right of the browser window) and select Settings > Privacy, search, and services..
- Under Clear browsing data, pick Choose what to clear.
- Select Cookies and other site data and Cached images and files. (apart from passwords, although you might want to include Media licenses as well, if applicable) and click on Clear.

Restore new tab and homepage settings:
- Click the menu icon and choose Settings.
- Then find On startup section.
- Click Remove next to any suspicious startup page.
Reset MS Edge if the above steps did not work:
- Press on Ctrl + Shift + Esc to open Task Manager.
- Click on More details arrow at the bottom of the window.
- Select Details tab.
- Now scroll down and locate every entry with Microsoft Edge name in it. Right-click on each of them and select End Task to stop MS Edge from running.

Instructions for Chromium-based Edge
Delete extensions from MS Edge (Chromium):
- Open Edge and click select Settings > Extensions.
- Delete unwanted extensions by clicking Remove.

Clear cache and site data:
- Click on Menu and go to Settings.
- Select Privacy, search and services.
- Under Clear browsing data, pick Choose what to clear.
- Under Time range, pick All time.
- Select Clear now.

Reset Chromium-based MS Edge:
- Click on Menu and select Settings.
- On the left side, pick Reset settings.
- Select Restore settings to their default values.
- Confirm with Reset.
- This will disable extensions and reset startup pages but will not delete bookmarks, saved passwords, or browsing history.

Remove from Mozilla Firefox (FF)
Remove dangerous extensions:
- Open Mozilla Firefox browser and click on the Menu (three horizontal lines at the top-right of the window).
- Select Add-ons.
- In here, select the unwanted extension and click Remove.

Reset the homepage:
- Click three horizontal lines at the top right corner to open the menu.
- Choose Settings.
- Under Home, set your preferred homepage and new tab settings.
Clear cookies and site data:
- Click Menu and pick Settings.
- Go to Privacy & Security section.
- Scroll down to locate Cookies and Site Data.
- Click on Clear Data...
- Select Cookies and Site Data and Temporary cached files and pages, then click Clear.

Reset Mozilla Firefox
If clearing the browser as explained above did not help, reset Mozilla Firefox:
- Open Mozilla Firefox browser and click the Menu.
- Go to Help and then choose Troubleshooting Information.

- Under Give Firefox a tune up section, click on Refresh Firefox...
- Once the pop-up shows up, confirm the action by pressing on Refresh Firefox.

Remove from Google Chrome
Delete malicious extensions from Google Chrome:
- Open Google Chrome, click on the Menu (three vertical dots at the top-right corner) and select More tools > Extensions.
- In the newly opened window, you will see all the installed extensions. Uninstall all suspicious extensions related to the unwanted program by clicking Remove.

Clear cache and web data from Chrome:
- Click on Menu and pick Settings.
- Under Privacy and security, select Clear browsing data.
- Select Browsing history, Cookies and other site data, as well as Cached images and files.
- Click Clear data.

Change your homepage:
- Click menu and choose Settings.
- Look for a suspicious site in the On startup section.
- Click on Open a specific or set of pages and click on three dots to find the Remove option.
Reset Google Chrome:
If the previous methods did not help you, reset Google Chrome to eliminate all the unwanted components:
- Click on Menu and select Settings.
- In the Settings, scroll down and click Advanced.
- Scroll down and locate Reset and clean up section.
- Now click Restore settings to their original defaults.
- Confirm with Reset settings.

Was this guide helpful?
Be the first to comment