Operation Duck Hunt - A peak behind the curtain of DuckTail
10-19, 16:45–17:15 (Europe/Luxembourg), Salle Europe

This talk delves into the captivating story of DuckTail, a notorious infostealer operation that emerged as one of the prominent threats in 2022 and 2023. With a global reach, DuckTail effectively targeted both individuals and organizations, leveraging customized malware and innovative delivery techniques. Thriving in the remote work landscape driven by the COVID pandemic, DuckTail's success did not shield them from committing critical operational security (OPSEC) mistakes. These lapses ultimately led to the complete exposure of their operation and the individuals responsible for it. Join me as we explore the gripping pursuit of these cybercriminals, unraveling their intricate methods and providing an exceptional glimpse into the workings of a criminal enterprise.

Through an extensive investigation into DuckTail's infrastructure, a critical vulnerability in their exfiltration methodology was uncovered. The exploitation of this flaw resulted in the acquisition of numerous screenshots extracted from the personal machines of the threat actors, exposing glaring deficiencies in operational security (OPSEC) practices.

These screenshots provide a revealing glimpse into various aspects of DuckTail's operations. Notably, they divulge fragments of the infostealer's source code, reveal the techniques employed by the threat actors to disseminate the malware, and unveil confidential dialogues exchanged among the perpetrators, ultimately leading to their identification.

This talk will delve into the intricacies of DuckTail's exfiltration infrastructure and its inherent weakness. I will demonstrate the threat actors' methods of infection and delivery. Furthermore, attendees will gain invaluable insights into the clandestine activities that unfolded behind the scenes, providing a comprehensive understanding of the broader context.

It will shed light on the concealed elements of DuckTail's operations, offering a unique opportunity to deepen your knowledge of the evolving cyber threat landscape, highlighting how modern criminal enterprises operate and infect their targets.

Pol Thill lives for the hunt! Be it nation-state adversary or eCrime actor, he will explore any means to expose their operations and unmask the individuals hiding behind the digital veil. Drawing upon this expertise, Pol has held different Threat Intelligence positions as well as lead the Luxembourgish cybersecurity team. Cybercriminal investigations are what he thrives for.