New DuckLogs malware service claims having thousands of ‘customers’

A new malware-as-a-service (MaaS) operation named ‘DuckLogs’ has emerged, giving low-skilled attackers easy access to multiple modules to steal information, log key strokes, access clipboard data, and remote access to the compromised host.

DuckLogs is entirely web-based. It claims to have thousands of cybercriminals paying a subscription to generate and launch more than 4,000 malware builds.

DuckLogs main page
DuckLogs promo brochure (Cyble)

The operators appear to provide additional services to some customers, helping them to distribute the payload, a tool to drop files, and an extension changer.

The web panel shows that more than 2,000 cyberscriminals are using the malicious platform and the current victim count is above 6,000.

DuckLogs panel
DuckLogs panel overview (Cyble)

Cyble’s malware researchers caught the DuckLogs malware and published a technical analysis of their findings.

DuckLogs features

DuckLogs includes mainly an information stealer and a remote access trojan (RAT) component but it has more than 100 individual modules that target specific applications.

Below is a list of some of the data and applications the info-stealing component targets:

  • Hardware and software information
  • Files stored in local disks
  • Account credentials and cookies stored in web browsers
  • Thunderbird and Outlook emails
  • Discord, Telegram, Signal, and Skype messaging data
  • NordVPN, ProtonVPN, OpenVPN,and CrypticVPN account data
  • FileZilla and TotalCommander data
  • Steam, Minecraft, Battle.Net, and Uplay accounts
  • Metamask, Exodus, Coinomi, Atomic, and Electrum cryptocurrency wallets

The RAT component supports functions that allow fetching files from the command and control (C2) server and run them on the host, display a crash screen, shutdown, restart, logout, or lock the device, or open URLs in the browser.

Other DuckLogs modules allow logging keystrokes to steal sensitive information, a clipper (typically used to hijack cryptocurrency transactions), and a tool to take screenshots.

Cyble researchers say that the malware also supports Telegram notifications, encrypted logs and communication, code obfuscation, process hollowing to launch payloads in memory, a persistence mechanism, and a bypass for the Windows User Account Control.

Process hollowing for loading malware into memory
Process hollowing for loading malware into memory (Cyble)

The web-based panel is currently available on four clearnet domains and appears to provide powerful payload-building features with options for the modules and functions to be added to the final malware build.

Additionally, the builder provides some anti-evasion choices, like adding an exclusion for Windows Defender, payload execution delay, or disabling the Task Manager on the host.

Payload builder options
Payload builder options (Cyble)

Cyble says that the initial infection vector is likely to occur over email (spam, phishing). The researchers recommend users to check the authenticity of suspicious messages and not to open links from untrusted sources.

Furthermore, sensitive data copied to clipboard should be carefully inspected after pasting it to ensure that hackers have not changed details such as the destination of a transaction.

Another useful precaution is to avoid downloading executables from torrents or shady sites, and to keep security software up to date.

Source: www.bleepingcomputer.com