Facebook advertisers in Vietnam are the target of a previously unknown information stealer dubbed VietCredCare at least since August 2022.
The malware is “notable for its ability to automatically filter out Facebook session cookies and credentials stolen from compromised devices, and assess whether these accounts manage business profiles and if they maintain a positive Meta ad credit balance,” Singapore-headquartered Group-IB said in a new report shared with The Hacker News.
The end goal of the large-scale malware distribution scheme is to facilitate the takeover of corporate Facebook accounts by targeting Vietnamese individuals who manage the Facebook profiles of prominent businesses and organizations.
Facebook accounts that have been successfully seized are then used by the threat actors behind the operation to post political content or to propagate phishing and affiliate scams for financial gain.
VietCredCare is offered to other aspiring cybercriminals under the stealer-as-a-service model and advertised on Facebook, YouTube, and Telegram. It’s assessed to be managed by Vietnamese-speaking individuals.
Customers either have the option of purchasing access to a botnet managed by the malware’s developers, or procure access to the source code for resale or personal use. They are also provided a bespoke Telegram bot to manage the exfiltration and delivery of credentials from an infected device.
The .NET-based malware is distributed via links to bogus sites on social media posts and instant messaging platforms, masquerading as legitimate software like Microsoft Office or Acrobat Reader to dupe visitors into installing them.
One of its major selling points is its ability to extract credentials, cookies, and session IDs from web browsers like Google Chrome, Microsoft Edge, and Cốc Cốc, indicating its Vietnamese focus.
It can also retrieve a victim’s IP address, check if a Facebook is a business profile, and assess whether the account in question is currently managing any ads, while simultaneously taking steps to evade detection by disabling the Windows Antimalware Scan Interface (AMSI) and adding itself to the exclusion list of Windows Defender Antivirus.
“VietCredCare’s core functionality to filter out Facebook credentials puts organizations in both the public and private sectors at risk of reputational and financial damages if their sensitive accounts are compromised,” Vesta Matveeva, head of the High-Tech Crime Investigation Department for APAC, said.
Credentials belonging to several government agencies, universities, e-commerce platforms, banks, and Vietnamese companies have been siphoned via the stealer malware.
VietCredCare is also the latest addition to a long list of stealer malware, such as Ducktail and NodeStealer, that has originated from the Vietnamese cyber criminal ecosystem with the intent of targeting Facebook accounts.
That having said, Group-IB told The Hacker News there is no evidence at this stage that suggests connections between VietCredCare and the other strains.
“With Ducktail, the functions are different, and while there are some similarities with NodeStealer, we note that the latter uses a [command-and-control] server instead of Telegram, plus their choice of victims is different,” the company said.
“The stealer-as-a-service business model enables threat actors with little to no technical skills to enter the cybercrime field, which results in more innocent victims being harmed.”
