Distributed under a Stealer-as-a-Service business model, the malware harvests session cookies and credentials to hijack business accounts on Facebook.
Group-IB has analyzed an information stealer (info stealer) that targets users in Vietnam.
Active since August 2022, the malware is notable for automatically filtering Facebook session cookies and credentials out of the data stolen from compromised devices. The operators then check whether each account manages a business profile and carries a positive Meta ad credit balance. Accounts that qualify are hijacked to post political content aimed at shaping public opinion, or are abused for financially motivated purposes such as phishing and affiliate scams.
The developers are also offering the malware to other cybercriminals under the Stealer-as-a-Service model, advertised not only on the dark web but also on Facebook, YouTube, and other social media sites.
Codenamed VietCredCare by the Group-IB researchers who discovered it, the info stealer has compromised devices in 44 of Vietnam's 63 provinces, with the highest concentration located in Hanoi (51% of victims), Ho Chi Minh City (33%) and Da Nang (3%). Victims also include:
- 9 Vietnamese government agencies
- the National Public Service Portals of 12 cities/provinces
- 65 universities
- 4 e-commerce platforms
- 21 banks
- 12 major Vietnamese enterprises
VietCredCare’s features include:
- adding itself to the Windows Defender exclusion list and disabling the Windows Antimalware Scan Interface (AMSI)
- identifying business accounts that have a positive Meta ad credit balance and are running live advertisements
- locating the folder path that holds browser profiles in order to exfiltrate cookies and login data
- exfiltrating data from Chrome, Chromium, Microsoft Edge, and the Cốc Cốc browser. Login credentials and cookie data are sent to the operators' bespoke Telegram bot channel as two separate .txt files, together with a message stating whether the victim is advertising on Facebook.
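The first feature above, adding the stealer's own path to the Windows Defender exclusion list, leaves a trace that defenders can hunt for: Defender writes Event ID 5007 to the Microsoft-Windows-Windows Defender/Operational log whenever its configuration changes, and an added exclusion appears in the message as a registry path under `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\`. The following script is an added example written for this page, not code from Group-IB or from the malware. It parses constructed 5007 records in that layout, ignores exclusion removals, and ranks exclusions that cover user-writable directories (such as `Users`, `AppData`, `Temp`), whole executable extensions, or bare process names as higher priority. The record format and the triage heuristics are assumptions for illustration; the report does not state which exclusions VietCredCare adds.

```python
import re
from typing import Dict, Iterable, List, Optional

# Event ID 5007 (Microsoft-Windows-Windows Defender/Operational): a Defender
# configuration change. An added exclusion appears under this registry key
# in the "New value:" line of the message body.
EXCLUSION_PREFIX = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"

# "New value: <registry path> = <data>" as it appears in the message body.
NEW_VALUE_RE = re.compile(
    r"New value:[ \t]*(?P<path>[^\r\n=]+?)[ \t]*=[ \t]*(?P<data>[^\r\n]*)",
    re.IGNORECASE,
)

# Triage heuristics (assumptions, not taken from the report): stealers run
# from user-writable locations, and excluding a whole executable extension or
# a bare process name is rarely what an administrator intends.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".js", ".vbs", ".bat", ".cmd", ".scr", ".lnk", ".hta"}


def parse_exclusion(message: str) -> Optional[Dict[str, str]]:
    """Return {'kind': 'Paths'|'Extensions'|'Processes', 'target': ...} when a
    5007 message adds an exclusion. Removals leave 'New value:' empty and so
    return None, as do configuration changes outside the Exclusions key."""
    m = NEW_VALUE_RE.search(message)
    if not m:
        return None
    path = m.group("path").strip()
    if not path.lower().startswith(EXCLUSION_PREFIX.lower()):
        return None
    kind, _, target = path[len(EXCLUSION_PREFIX):].partition("\\")
    if not target:
        return None
    return {"kind": kind, "target": target}


def rate(kind: str, target: str) -> str:
    """Rank an added exclusion 'high' or 'medium' for analyst triage."""
    k, t = kind.lower(), target.lower()
    if k == "paths" and any(hint in t for hint in USER_WRITABLE_HINTS):
        return "high"
    if k == "extensions" and t in RISKY_EXTENSIONS:
        return "high"
    if k == "processes" and "\\" not in t:
        # A bare name excludes every binary with that name, wherever it runs.
        return "high"
    return "medium"


def scan(records: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return one finding per 5007 record that adds a Defender exclusion."""
    findings: List[Dict[str, str]] = []
    for rec in records:
        if rec.get("event_id") != 5007:
            continue
        hit = parse_exclusion(str(rec.get("message", "")))
        if hit is None:
            continue
        findings.append({
            "host": str(rec.get("host", "?")),
            "kind": hit["kind"],
            "target": hit["target"],
            "severity": rate(hit["kind"], hit["target"]),
        })
    return findings


# Constructed sample records, not real telemetry. The message text follows the
# 5007 layout: a fixed sentence, then "Old value:" and "New value:" lines.
HEADER = ("Microsoft Defender Antivirus Configuration has changed. If this is an "
          "unexpected event you should review the settings as this may be the result of malware.\n")
SAMPLE_RECORDS: List[Dict[str, object]] = [
    # Stealer-style exclusion of a directory under the user's Temp folder.
    {"host": "WS01", "event_id": 5007, "message": HEADER + "\tOld value: \n"
     "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\lan\\AppData\\Local\\Temp\\AcroRd\\ = 0x0"},
    # Excluding every .exe on the host.
    {"host": "WS01", "event_id": 5007, "message": HEADER + "\tOld value: \n"
     "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.exe = 0x0"},
    # Plausible administrative exclusion of a vendor database directory.
    {"host": "SRV02", "event_id": 5007, "message": HEADER + "\tOld value: \n"
     "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\db\\ = 0x0"},
    # Removal of that exclusion: Old value set, New value empty.
    {"host": "SRV02", "event_id": 5007, "message": HEADER +
     "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\db\\ = 0x0\n"
     "\tNew value: "},
    # Unrelated Defender event (detection, not a configuration change).
    {"host": "WS01", "event_id": 1116,
     "message": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"{finding['severity']:<6} {finding['host']} {finding['kind']}: {finding['target']}")
```

Adding an exclusion requires administrative rights, so a hit on a workstation where the user should not be an administrator is worth a closer look on its own. Administrators do add exclusions legitimately, which is why the script ranks rather than blocks; in production the records would come from the event log or a SIEM instead of the constructed list above.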
Methods of distribution
Cybercriminals can either purchase access to a botnet managed by VietCredCare's developers, or procure the source code for resale or personal use. Buyers are given access to a bespoke Telegram bot that manages the exfiltration and delivery of credentials from an infected device. Group-IB researchers discovered more than 20 separate Telegram bots linked to VietCredCare.
Attacks begin with phishing: links to phishing sites are spread through social media posts and instant messaging platforms, frequently offering free downloads of legitimate software or files, to lure users into downloading and opening VietCredCare on their devices. The payload is camouflaged as a harmless file by borrowing legitimate icons or filenames, for example a file carrying an icon similar to that of Acrobat Reader (PDF).
According to Vesta Matveeva, Head of Group-IB's High-Tech Crime Investigation Department: "VietCredCare (is run) in a complex web of connections between the malware's developers, buyers, and victims, and the malware is still being promoted among the Vietnamese cybercriminal community. Its core functionality to filter out Facebook credentials puts organizations in both the public and private sectors at risk of reputational and financial damages if their sensitive accounts are compromised. We urge users to ensure they enable two-factor authentication on their social media accounts and avoid clicking on any untrusted links."