By 
Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has today released a new blog post detailing its discovery of a new information stealer targeting users in Vietnam. The malware, codenamed VietCredCare by Group-IB’s High-Tech Crime Investigation unit, has been active since at least August 2022 and is notable for its ability to automatically filter out Facebook session cookies and credentials stolen from compromised devices, and assess whether these accounts manage business profiles and if they maintain a positive Meta ad credit balance.
RELATED: Stealing your career: Group-IB uncovers ResumeLooters’ data thefts
By taking over business Facebook accounts, cybercriminals can either post political content aimed at shaping public opinion or leverage these profiles for a range of financially-motivated purposes, such as phishing and affiliate scams, the malicious redirection of web traffic, or selling stolen credentials. The developers of the malware offer it to other cybercriminals under the Stealer-as-a-Service model.
Figure 1. VietCredCare threat profile. Source: Group-IB
Throughout the course of their research, Group-IB experts discovered that there were victims of VietCredCare located in 44 of Vietnam’s 63 provinces, with the highest concentration of compromised devices located in Hanoi (51% of victims), Ho Chi Minh City (33%) and Da Nang (3%). Alongside Facebook logins and passwords, the logs exfiltrated by VietCredCare contained credentials for nine Vietnamese government agencies, the National Public Service Portals of 12 cities or provinces, 65 universities, 4 e-commerce platforms, 21 banks, and 12 major Vietnamese enterprises.
Group-IB issued notifications to affected organizations and these findings were also shared with the Vietnamese law enforcement authorities in order to assist their efforts to mitigate this threat, in line with the company’s zero-tolerance policy to cybercrime.
Stealer as a service
VietCredCare is managed entirely under the Stealer-as-a-Service model. The information stealer is advertised not just on the dark web, but on Facebook, YouTube, and other social media sites to potential cybercriminals looking to launch their own attacks.
Figure 2. Example of an advertisement for VietCredCare posted on Facebook (original in Vietnamese plus translation).
Group-IB investigators discovered that cybercriminals can either purchase access to a botnet managed by the malware’s developers, or procure access to the source code for resale or personal use. Cybercriminals who procure VietCredCare are given access to a bespoke Telegram bot that is responsible for managing the exfiltration and delivery of credentials from a stolen device. More than 20 separate Telegram bots linked to VietCredCare were discovered by Group-IB investigators.
Panning for credentials
The cybercriminals who procured VietCredCare reach their potential victims through phishing attacks to try and get internet users to unwittingly download and open VietCredCare on their device. The content of these phishing sites, which are distributed through social media posts and instant messaging platforms, frequently includes offers to download legitimate software or files, and the downloadable payload is often masqueraded as a harmless file, by using similarly legitimate icons or filenames for example: a file with an icon similar to Acrobat Reader (PDF).
Among its evasion tactics, VietCredCare is able to add itself to the exclusion list of Windows Defender and disable AMSI functionality. Other notable features of VietCredCare include the ability to identify Facebook accounts and assess whether they are business profiles and whether the account has a positive Meta ad credit balance and is also running live advertisements. The information stealer can also identify the folder path with browser profile in order to exfiltrate cookies and login data, and has functionality to exfiltrate from Chrome, Chromium, MS Edge, and Cốc Cốc. Login credentials and cookie data are sent to the malware’s operators in their bespoke Telegram bot channel in two separate .txt files. A message outlining whether the user is advertising on Facebook is also provided.
Figure 3.2 Screenshot of a YouTube video advertising VietCredCare demonstrating how victims’ credentials are presented to the buyer.
