
VietCredCare Stealer

Since August 2022, Facebook advertisers in Vietnam have been attacked by a previously unidentified information stealer called VietCredCare. This malware stands out for its capability to automatically sift through Facebook session cookies and credentials pilfered from compromised devices. Afterward, it evaluates whether the targeted accounts oversee business profiles and possess a favorable Meta ad credit balance.

The ultimate objective of this widespread malware attack campaign is to enable the unauthorized takeover of corporate Facebook accounts. The focus is on individuals in Vietnam who manage the Facebook profiles of prominent businesses and organizations. Once successfully compromised, these seized Facebook accounts become tools for the threat actors behind the operation. They utilize these accounts to disseminate political content or promote phishing and affiliate scams, ultimately aiming for financial gain.

The VietCredCare Stealer Is Being Offered for Sale to Other Cybercriminals

VietCredCare operates as a Stealer-as-a-Service (SaaS), and its availability extends to aspiring cybercriminals. Advertisements for this service can be found on various platforms, including Facebook, YouTube and Telegram. The operation is believed to be overseen by individuals proficient in the Vietnamese language.

Prospective customers can choose between purchasing access to a botnet managed by the malware's developers or acquiring the source code for personal use or resale. Additionally, customers are supplied with a customized Telegram bot designed to handle the extraction and delivery of credentials from infected devices.
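Because the credentials leave the infected device through a Telegram bot rather than a bespoke C2 server, one detection opportunity on the endpoint is an unexpected process talking to the Telegram Bot API. The following is an added example for defenders, not code from the page or from any vendor: it runs over a few constructed records modelled on Sysmon event 3 (network connection) fields and flags connections to `api.telegram.org` that do not come from an approved Telegram client or a web browser. The process paths, the approved-client list and the browser names are assumptions for the sake of the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample records in the shape of Sysmon event 3 fields
# (Image, DestinationHostname, DestinationPort). Not real telemetry.
SAMPLE_CONNECTIONS = [
    {"time": "2024-03-01T09:13:02Z", "image": r"C:\Users\Public\officeupdate.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"time": "2024-03-01T09:14:10Z", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"time": "2024-03-01T09:15:00Z", "image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"time": "2024-03-01T09:16:00Z", "image": r"C:\Users\Public\officeupdate.exe",
     "dest_host": "www.facebook.com", "dest_port": 443},
]

# api.telegram.org is the Bot API host; the client and browser lists below are
# assumptions representing what an organisation would consider expected.
TELEGRAM_API_HOSTS = {"api.telegram.org"}
APPROVED_TELEGRAM_CLIENTS = ("\\telegram desktop\\telegram.exe",)
BROWSER_BASENAMES = {"chrome.exe", "msedge.exe"}


@dataclass
class TelegramFinding:
    time: str
    image: str
    severity: str
    reason: str


def basename(image: str) -> str:
    """Return the file name part of a Windows path (case-normalised)."""
    return image.lower().rsplit("\\", 1)[-1]


def classify_telegram_connection(image: str):
    """Decide how suspicious a connection to the Telegram Bot API host is.

    Returns None for an approved client, otherwise (severity, reason).
    """
    low = image.lower()
    if any(low.endswith(client) for client in APPROVED_TELEGRAM_CLIENTS):
        return None
    if basename(image) in BROWSER_BASENAMES:
        # Ordinary web use can reach the Bot API host; worth a look, not an alert.
        return ("low", "browser reached the Telegram Bot API host")
    return ("high", "non-browser, non-client process contacted the Telegram Bot API host")


def find_suspicious_telegram_egress(records) -> List[TelegramFinding]:
    """Scan connection records and return findings for Bot API traffic."""
    findings = []
    for rec in records:
        if rec.get("dest_host", "").lower() not in TELEGRAM_API_HOSTS:
            continue
        verdict = classify_telegram_connection(rec["image"])
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append(TelegramFinding(rec["time"], rec["image"], severity, reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_telegram_egress(SAMPLE_CONNECTIONS):
        print(f"[{f.severity}] {f.time} {f.image}: {f.reason}")
```

In practice the same rule is expressed over proxy or DNS logs where Sysmon is not deployed; the point is to correlate the destination with the originating image, since the destination alone is shared with legitimate Telegram use.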

This malware, built on the .NET framework, is disseminated through links shared in social media posts and instant messaging platforms. It cleverly disguises itself as legitimate software, such as Microsoft Office or Acrobat Reader, tricking users into unwittingly installing malicious content from deceptive websites.

The VietCredCare Stealer Could Compromise Sensitive Data

The VietCredCare Stealer distinguishes itself from other stealer malware threats with its prominent feature of extracting credentials, cookies and session IDs from well-known Web browsers such as Google Chrome, Microsoft Edge and Cốc Cốc; the inclusion of Cốc Cốc underscores its focus on the Vietnamese context.

Beyond this, it goes a step further by retrieving a victim's IP address, discerning if a Facebook account is associated with a business profile, and evaluating whether the account is currently managing any advertisements. Simultaneously, it employs evasion tactics to avoid detection, such as disabling the Windows Antimalware Scan Interface (AMSI) and adding itself to the exclusion list of the Windows Defender Antivirus.
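Adding itself to the Windows Defender exclusion list is a change that Defender itself records: event 5007 in the Microsoft-Windows-Windows Defender/Operational log ("Windows Defender Antivirus Configuration has changed") carries the new registry value, and an exclusion shows up under `...\Windows Defender\Exclusions\Paths`, `\Processes` or `\Extensions`. The following is an added example for defenders, not code from the page or from any vendor: it parses a few constructed records in the shape of that event and flags exclusions that point into user-writable directories, process-name exclusions, or anything not on an organisation's approved list. The sample paths and the approved list are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records modelled on Defender event 5007. The "new_value"
# text follows the "<registry path> = <data>" layout seen in that event; the
# file names and times are invented for this example.
SAMPLE_EVENTS = [
    {"event_id": 5007, "time": "2024-03-01T09:12:44Z",
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\officeupdate.exe = 0x0"},
    {"event_id": 5007, "time": "2024-03-01T09:12:45Z",
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\AcroRd32Setup.exe = 0x0"},
    {"event_id": 5007, "time": "2024-03-01T09:30:00Z",
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\ApprovedBackup\ = 0x0"},
    {"event_id": 1116, "time": "2024-03-01T09:31:00Z", "new_value": ""},
]

# Matches the exclusion kind and the excluded value out of the registry path.
EXCLUSION_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\(?P<kind>Paths|Processes|Extensions)\\(?P<value>.+?)\s*=\s*0x0$",
    re.IGNORECASE,
)

# Directory fragments a standard user can write to (assumption: tune per estate).
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")

# Exclusions the organisation has approved (assumption for the example).
APPROVED_EXCLUSIONS = {"C:\\Program Files\\ApprovedBackup\\"}


@dataclass
class ExclusionFinding:
    time: str
    kind: str
    value: str
    reason: str


def parse_exclusion(new_value: str) -> Optional[Tuple[str, str]]:
    """Return (kind, value) for an exclusion change, or None for other changes."""
    m = EXCLUSION_RE.search(new_value)
    if not m:
        return None
    return m.group("kind"), m.group("value")


def audit_defender_events(events) -> List[ExclusionFinding]:
    """Walk event records and return findings for suspicious exclusions."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 5007:
            continue
        parsed = parse_exclusion(ev.get("new_value", ""))
        if parsed is None:
            continue
        kind, value = parsed
        if value in APPROVED_EXCLUSIONS:
            continue
        low = value.lower()
        if kind.lower() == "processes":
            # A process exclusion applies to any file with that name, wherever it runs.
            reason = "process-name exclusion added"
        elif any(fragment in low for fragment in USER_WRITABLE):
            reason = "path exclusion under a user-writable directory"
        else:
            reason = "exclusion not on the approved list"
        findings.append(ExclusionFinding(ev["time"], kind, value, reason))
    return findings


if __name__ == "__main__":
    for f in audit_defender_events(SAMPLE_EVENTS):
        print(f"{f.time} {f.kind}: {f.value} -> {f.reason}")
```

Feeding real records into `audit_defender_events` only requires pulling the 5007 events (for example with `Get-WinEvent`) and mapping the message's "New value" line to the `new_value` field; AMSI tampering has no equivalent single event, so that side of the evasion is better covered by script-block logging and by alerting on the exclusion change that typically accompanies it.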

The core functionality of VietCredCare, particularly its proficiency in filtering out Facebook credentials, poses a significant risk to organizations in both the public and private sectors. If sensitive accounts are compromised, the result can be severe reputational and financial damage. Credentials harvested by this stealer have included those of government agencies, universities, e-commerce platforms, banks and Vietnamese companies.

Several Stealer Threats Have Emerged from Vietnamese Cybercriminal Groups

VietCredCare joins the ranks of stealer malware originating from the Vietnamese cybercriminal ecosystem, alongside predecessors like Ducktail and NodeStealer, all specifically designed to target Facebook accounts.

Despite their shared origin, experts have yet to establish a concrete link between these various stealer strains. Ducktail exhibits distinct functions, and while some similarities exist with NodeStealer, the latter diverges by employing a Command-and-Control (C2) server instead of Telegram, with differences in their target victim profiles.

Nevertheless, the SaaS business model provides an avenue for threat actors with minimal technical expertise to engage in cybercrime. This accessibility contributes to an increase in the number of innocent victims falling prey to such harmful activities.
