Fb advertisers in Vietnam are the goal of a beforehand unknown data stealer dubbed VietCredCare no less than since August 2022.
The malware is “notable for its means to robotically filter out Fb session cookies and credentials stolen from compromised gadgets, and assess whether or not these accounts handle enterprise profiles and in the event that they preserve a constructive Meta advert credit score steadiness,” Singapore-headquartered Group-IB stated in a brand new report shared with The Hacker Information.
The top purpose of the large-scale malware distribution scheme is to facilitate the takeover of company Fb accounts by concentrating on Vietnamese people who handle the Fb profiles of distinguished companies and organizations.
Fb accounts which have been efficiently seized are then utilized by the menace actors behind the operation to put up political content material or to propagate phishing and affiliate scams for monetary acquire.
VietCredCare is obtainable to different aspiring cybercriminals beneath the stealer-as-a-service mannequin and marketed on Fb, YouTube, and Telegram. It is assessed to be managed by Vietnamese-speaking people.
Clients both have the choice of buying entry to a botnet managed by the malware’s builders, or procure entry to the supply code for resale or private use. They’re additionally supplied a bespoke Telegram bot to handle the exfiltration and supply of credentials from an contaminated machine.
The .NET-based malware is distributed by way of hyperlinks to bogus websites on social media posts and immediate messaging platforms, masquerading as professional software program like Microsoft Workplace or Acrobat Reader to dupe guests into putting in them.
One among its main promoting factors is its means to extract credentials, cookies, and session IDs from internet browsers like Google Chrome, Microsoft Edge, and Cốc Cốc, indicating its Vietnamese focus.
It may possibly additionally retrieve a sufferer’s IP tackle, verify if a Fb is a enterprise profile, and assess whether or not the account in query is at the moment managing any advertisements, whereas concurrently taking steps to evade detection by disabling the Home windows Antimalware Scan Interface (AMSI) and including itself to the exclusion checklist of Home windows Defender Antivirus.
“VietCredCare’s core performance to filter out Fb credentials places organizations in each the private and non-private sectors prone to reputational and monetary damages if their delicate accounts are compromised,” Vesta Matveeva, head of the Excessive-Tech Crime Investigation Division for APAC, stated.
Credentials belonging to a number of authorities businesses, universities, e-commerce platforms, banks, and Vietnamese firms have been siphoned by way of the stealer malware.
VietCredCare can be the newest addition to a protracted checklist of stealer malware, reminiscent of Ducktail and NodeStealer, that has originated from the Vietnamese cyber prison ecosystem with the intent of concentrating on Fb accounts.
That having stated, Group-IB instructed The Hacker Information there is no such thing as a proof at this stage that means connections between VietCredCare and the opposite strains.
“With Ducktail, the capabilities are totally different, and whereas there are some similarities with NodeStealer, we notice that the latter makes use of a [command-and-control] server as an alternative of Telegram, plus their alternative of victims is totally different,” the corporate stated.
“The stealer-as-a-service enterprise mannequin allows menace actors with little to no technical expertise to enter the cybercrime area, which ends up in extra harmless victims being harmed.”
