Cyble researchers recently analyzed DuckLogs, a malware-as-a-service (MaaS) offering that bundles an information stealer, a keylogger, and a clipper into a single package. It is sold on cybercrime forums at a relatively low price: $19.99 for one month, $39.99 for three months, and $69.99 for a lifetime license.
DuckLogs’ capabilities
DuckLogs consists mainly of an information stealer and a remote access trojan (RAT) component. The malware is most likely distributed through spam or phishing emails.
The info-stealer component includes more than 100 individual modules that target messaging apps, emails, web browsers, VPN account data, passwords, cookies, login data, histories, and cryptocurrency wallets.
The RAT component can fetch files from the C2 server and execute them on the host. It can also display a crash screen, shut down or restart the system, lock the device, or open URLs in the browser.
In addition, it ships clipper, logger, disabler, grabber, and control modules for further malicious activity.
It also provides a persistence mechanism, process hollowing to run payloads in memory, and a UAC bypass.
The malware supports Telegram notifications, encrypted logs and communication, and code obfuscation.
DuckLogs MaaS development offerings and features
The DuckLogs’ web panel is currently available on four Clearnet domains. The dashboard page of its web panel displays overall global statistics of the victims infected by the malware.
The panel lets operators build the malware binary, monitor victims' stolen logs, and download them.
Alongside payload building, it lets threat actors select additional modules and functions to include in the final build.
It has a builder page for the stealer and the dropper, with customizable add-ons such as adding a Windows Defender exclusion, delaying payload execution, or disabling Task Manager on the host.
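The builder options above leave traces a defender can hunt for. As an added example (not Cyble's or DuckLogs' code), the Python below checks two of them against constructed Windows log records: a Windows Defender exclusion being added, which Defender itself records as a 5007 "configuration changed" event whose new value names the Exclusions registry key, and Task Manager being disabled, which appears as a Sysmon Event ID 13 registry write of DisableTaskMgr = 1 under the user's Policies\System key. The event records, file paths, and the svchost.exe name are constructed for this example; the rule names and the severity rule (exclusions under user-writable directories rank higher) are my own choices, not anything from the Cyble report.

```python
"""Hunt for two DuckLogs builder add-ons in Windows event data.

Added example; the events below are constructed to look like a Defender
5007 message and Sysmon Event ID 13 (RegistryEvent: value set) messages.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str
    severity: str


# Constructed sample events (not real telemetry). Each is a dict with the
# provider name, the event ID, and the rendered message text.
SAMPLE_EVENTS = [
    {   # Defender records every exclusion change as event 5007.
        "source": "Microsoft-Windows-Windows Defender", "event_id": 5007,
        "message": ("Windows Defender Antivirus Configuration has changed. "
                    "If this is an unexpected event you should review the "
                    "settings as this may be the result of malware.\r\n"
                    " \tOld value: \r\n"
                    " \tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                    "\\Exclusions\\Paths\\C:\\Users\\victim\\AppData\\Roaming"
                    "\\svchost.exe = 0x0"),
    },
    {   # Sysmon 13: the dropped binary disables Task Manager by policy.
        "source": "Microsoft-Windows-Sysmon", "event_id": 13,
        "message": ("Registry value set:\r\nEventType: SetValue\r\n"
                    "Image: C:\\Users\\victim\\AppData\\Roaming\\svchost.exe\r\n"
                    "TargetObject: HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies"
                    "\\System\\DisableTaskMgr\r\n"
                    "Details: DWORD (0x00000001)"),
    },
    {   # Benign-looking Run key write by the real svchost path: no match.
        "source": "Microsoft-Windows-Sysmon", "event_id": 13,
        "message": ("Registry value set:\r\nEventType: SetValue\r\n"
                    "Image: C:\\Windows\\System32\\svchost.exe\r\n"
                    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows"
                    "\\CurrentVersion\\Run\\OneDrive\r\n"
                    "Details: C:\\Program Files\\OneDrive\\OneDrive.exe"),
    },
]

# Defender 5007 "New value" naming the Exclusions key (path, process or extension).
DEFENDER_EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<target>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

# Sysmon 13: DisableTaskMgr under Policies\System set to DWORD 1.
TASKMGR_RE = re.compile(
    r"Image:\s*(?P<image>.+?)\r?\n.*?"
    r"TargetObject:\s*(?P<key>[^\r\n]*\\Policies\\System\\DisableTaskMgr)\r?\n"
    r"\s*Details:\s*DWORD\s*\(0x0*1\)",
    re.IGNORECASE | re.DOTALL,
)

# Exclusions for user-writable locations are the classic dropper pattern.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")


def exclusion_severity(target: str) -> str:
    """Rank an exclusion 'high' when it covers a user-writable directory."""
    t = target.lower()
    return "high" if any(marker in t for marker in USER_WRITABLE) else "medium"


def find_defender_exclusions(events) -> list:
    """Return findings for Defender 5007 events that add an exclusion."""
    findings = []
    for ev in events:
        if ev["event_id"] != 5007 or "Windows Defender" not in ev["source"]:
            continue
        m = DEFENDER_EXCLUSION_RE.search(ev["message"])
        if m:
            findings.append(Finding("defender_exclusion_added", 5007,
                                    f"{m['kind']}: {m['target']}",
                                    exclusion_severity(m["target"])))
    return findings


def find_taskmgr_disable(events) -> list:
    """Return findings for Sysmon 13 events that set DisableTaskMgr = 1."""
    findings = []
    for ev in events:
        if ev["event_id"] != 13 or "Sysmon" not in ev["source"]:
            continue
        m = TASKMGR_RE.search(ev["message"])
        if m:
            findings.append(Finding("taskmgr_disabled", 13, m["image"], "high"))
    return findings


def sweep(events) -> list:
    """Run both rules over a list of event dicts, Defender findings first."""
    return find_defender_exclusions(events) + find_taskmgr_disable(events)


if __name__ == "__main__":
    for f in sweep(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} (event {f.event_id}): {f.detail}")
```

The two rules deliberately key on the writing process (Sysmon's Image field) and on the excluded path, so an analyst can pivot straight to the dropped binary; a real deployment would read these events from the Windows Defender/Operational and Sysmon/Operational channels rather than from the constructed list.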
Conclusion
Cyble researchers observed multiple active DuckLogs C2 servers in the wild, indicating an emerging threat. Its wide range of functionality and its availability as a low-cost MaaS put it within reach of many actors. Users are advised not to open suspicious messages or links from untrusted sources, to avoid downloading executables from unknown or untrusted sites, and to keep security software up to date.