
    Date: 8/8/2022

    Facebook Business Accounts Hijacked by Malware

    Overview

    New malware named Ducktail is being delivered via phishing campaigns that aim to hijack Facebook Business profiles and advertising platform accounts. The attack starts with the actors targeting LinkedIn users; the Ducktail malware then steals browser cookies from the phishing victims' systems, which the actors use to pivot into and hijack the victims' Facebook sessions.

    Potential Impact

    The primary objective of the threat actors behind this malware is financial gain. The data accessible after an account is compromised includes credit card and other transactional data. The malware can also extract information from any web browser on an impacted system, which may include credentials for accounts outside Facebook.

    Recommended Actions

    This phishing campaign may target individuals who have access to Facebook Business accounts, such as those in managerial, digital marketing, digital media, and human resources roles.

    These individuals should be educated about this threat specifically, and more generally about the indicators of phishing emails.

    Administrators should ensure that end user systems are protected by Endpoint Detection & Response solutions.

    Lastly, users should ensure that multifactor authentication is enabled for business social media accounts.


      Microsoft Office Macros Targeted by Emotet as Initial Infection Vector

      Overview

      Security researchers at EclecticIQ have recently observed Emotet delivered through Microsoft Excel macros. These macros utilize the regsvr32[.]exe binary to install the malicious software. The first stage of these attacks is a spam email campaign containing Office XLS documents with embedded macros. Opening these files will ask the user to ‘Enable Content’ to run the macro(s). Once enabled, these macros download the Emotet Loader, which drops the Emotet payload into memory.

      Potential Impact

      Emotet is an incredibly versatile malware strain with ever-evolving tactics to evade security tools and maintain persistence on compromised hosts. Once installed, Emotet is a powerful command and control platform that allows threat actors to conduct post-compromise actions.

      Recommended Actions

      Because of Emotet’s footprint in the modern-day malware landscape, the security community has created many techniques to defend against it. Maintaining updated rules in endpoint detection and response (EDR) tools can assist organizations in detecting Emotet infections. This includes the public listings of indicators of compromise (IoCs) published by the MITRE group and the YARA detection rules available via VirusTotal.com.

      Additionally, organizations should leverage threat intelligence feeds to get quick updates on Emotet’s capabilities and attack paths.
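One concrete EDR-style rule for the delivery chain described above (an Office application spawning regsvr32.exe) is sketched below. This is an added example written for this briefing, not code from EclecticIQ or any EDR vendor; the key=value process-creation log format, the field names and the sample events are all constructed assumptions.

```python
"""Added example: flag regsvr32.exe launched by an Office application, the
process-tree pattern of the Emotet macro loader described in the briefing.
The key=value event format and field names below are an assumption (a
simplified stand-in for process-creation telemetry), not any product's format."""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"regsvr32.exe"}

@dataclass
class Alert:
    parent: str
    image: str
    cmdline: str

def _basename(path: str) -> str:
    # Accept Windows or POSIX separators and compare case-insensitively.
    return re.split(r"[\\/]", path)[-1].lower()

def parse_event(line: str) -> dict:
    # Constructed format: space-separated key=value pairs; values may be quoted.
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def detect_office_regsvr32(lines):
    """Return an Alert for every event where an Office parent spawns regsvr32."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        parent = _basename(ev.get("ParentImage", ""))
        image = _basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and image in LOLBIN_CHILDREN:
            alerts.append(Alert(parent, image, ev.get("CommandLine", "")))
    return alerts

# Constructed sample telemetry: one suspicious chain, two benign events.
SAMPLE_EVENTS = [
    'EventID=1 ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" Image="C:\\Windows\\System32\\regsvr32.exe" CommandLine="regsvr32.exe /s C:\\Users\\Public\\sample.ocx"',
    'EventID=1 ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\regsvr32.exe" CommandLine="regsvr32.exe /s C:\\Windows\\System32\\legit.dll"',
    'EventID=1 ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe"',
]

if __name__ == "__main__":
    for a in detect_office_regsvr32(SAMPLE_EVENTS):
        print(f"ALERT: {a.parent} spawned {a.image}: {a.cmdline}")
```

Only the first sample event fires; regsvr32 launched from Explorer and Notepad launched from Excel are left alone, which keeps the rule narrow enough to run continuously.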

      Sources
      https://cyware.com/news/recent-emotet-infections-exploit-macros-93bdd854
      https://blog.eclecticiq.com/emotet-downloader-document-uses-regsvr32-for-execution

      Exim Mail Server Patches Heap Overflow Vulnerability Without Labeling it a Security Update

      Overview

      According to Dr. Johannes Ullrich from the SANS Internet Storm Center, Exim, a popular Linux mail server application, was silently patched last week. The patch fixed a buffer overflow vulnerability but was not labeled as a security update. Exim versions prior to 4.95 are vulnerable. Details on the vulnerability are available on GitHub.

      Potential Impact

      Because this patch was not labeled as a security update, many Linux distributions will be slow to roll out packages with the updated Exim code. Additionally, vulnerability scanners may not detect this vulnerability because it isn’t yet labeled as ‘security relevant’. According to Dr. Ullrich, the details provided about this vulnerability on GitHub can be used to develop an exploit.

      Recommended Actions

      Upgrade Exim to the latest version; disabling sender hostname resolution may be an effective workaround (this is a good lesson in patching strategies).

      GreyCastle Security recommends ensuring that all patches, including low-priority ones, are included in vulnerability management programs.

      Sources
      SANS Daily Network Security Podcast (Stormcast) for Monday, August 8th, 2022 – SANS Internet Storm Center
      NVD – CVE-2022-37452 (nist.gov)
      exim_overflow/README.md at main · ivd38/exim_overflow (github.com)

      RapperBot Malware Targeting Linux Servers

      Overview

      A new IoT botnet malware named RapperBot targets Linux servers running SSH services. This botnet is similar to the well-known Mirai botnet and has built-in SSH credential brute-forcing along with some other advanced capabilities.

      Potential Impact

      Once a system is compromised via RapperBot’s SSH brute-force and the credentials are sent back to the command-and-control servers, the compromised system becomes part of the botnet, which can then be used to carry out DDoS attacks.

      Recommended Actions

      Perform periodic scanning to identify and review services hosted in your network that are exposed to the Internet. Restrict or remove services that are not necessary for business operations, especially on IoT devices. Ensure that default SSH credentials are always changed before systems are put into service.
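Beyond reducing exposure, the SSH brute-forcing this botnet relies on is visible in sshd logs. The detector below is an added example for this briefing, not code from the referenced article or from any product; it assumes standard OpenSSH syslog lines, a sliding window of failed password attempts per source address, and uses constructed log lines with documentation-range IP addresses.

```python
"""Added example: flag SSH password brute-force activity of the kind RapperBot
is described as performing, by counting 'Failed password' events per source
address inside a sliding time window. Log lines are constructed samples in
OpenSSH's syslog format; the year is assumed because syslog omits it."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches only OpenSSH's failed-password message; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failed_login(line: str, year: int = 2022):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())          # collapse 'Aug  8' padding
    ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=year)
    return ts, m["user"], m["ip"]

def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source_ip: (first_seen, failure_count)} for every address whose
    failed attempts reach `threshold` within any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerts = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                          # drop attempts outside window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (q[0], len(q))
    return alerts

# Constructed sample log: six rapid failures from one address, then one failed
# and one successful login from a second address (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE_AUTH_LOG = [
    f"Aug  8 10:15:{s:02d} srv1 sshd[4242]: Failed password for {u} from 203.0.113.7 port 5{s:04d} ssh2"
    for s, u in zip(range(1, 7), ["root", "admin", "user", "test", "guest", "root"])
] + [
    "Aug  8 10:15:10 srv1 sshd[4300]: Failed password for alice from 198.51.100.9 port 50123 ssh2",
    "Aug  8 10:15:30 srv1 sshd[4301]: Accepted publickey for alice from 198.51.100.9 port 50124 ssh2",
]

if __name__ == "__main__":
    for ip, (first, count) in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT: {count} failed SSH logins from {ip} since {first:%H:%M:%S}")
```

Only 203.0.113.7 is reported; a single typo from a legitimate user never reaches the threshold, and tightening `window_seconds` shows how the same attempts spread over time fall below it.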

      Sources
      https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.

