Extra credit: Group-IB uncovers new VietCredCare information stealer targeting Facebook advertisers

Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has today released a new blog post detailing its discovery of a new information stealer targeting users in Vietnam. The malware, codenamed VietCredCare by Group-IB’s High-Tech Crime Investigation unit, has been active since at least August 2022 and is notable for its ability to automatically filter Facebook session cookies and credentials out of the data stolen from compromised devices, and to assess whether those accounts manage business profiles and hold a positive Meta ad credit balance. By taking over business Facebook accounts, cybercriminals can either post political content aimed at shaping public opinion or use these profiles for a range of financially motivated purposes, such as phishing and affiliate scams, the malicious redirection of web traffic, or selling stolen credentials. The developers of the malware offer it to other cybercriminals under the Stealer-as-a-Service model.

Figure 1. VietCredCare profile

Throughout the course of their research, Group-IB experts discovered that there were victims of VietCredCare located in 44 of Vietnam’s 63 provinces, with the highest concentration of compromised devices located in Hanoi (51% of victims), Ho Chi Minh City (33%) and Da Nang (3%). Alongside Facebook logins and passwords, the logs exfiltrated by VietCredCare contained credentials for nine Vietnamese government agencies, the National Public Service Portals of 12 cities or provinces, 65 universities, 4 e-commerce platforms, 21 banks, and 12 major Vietnamese enterprises. Group-IB issued notifications to affected organizations and these findings were also shared with the Vietnamese law enforcement authorities in order to assist their efforts to mitigate this threat, in line with the company’s zero-tolerance policy to cybercrime.

Stealer as a service

VietCredCare is managed entirely under the Stealer-as-a-Service model. The information stealer is advertised not just on the dark web, but on Facebook, YouTube, and other social media sites to potential cybercriminals looking to launch their own attacks.

Figure 2. Example of an advertisement for VietCredCare posted on Facebook (original in Vietnamese plus translation)

Group-IB investigators discovered that cybercriminals can either purchase access to a botnet managed by the malware’s developers, or procure access to the source code for resale or personal use. Cybercriminals who procure VietCredCare are given access to a bespoke Telegram bot that is responsible for managing the exfiltration and delivery of credentials from a stolen device. More than 20 separate Telegram bots linked to VietCredCare were discovered by Group-IB investigators.

Panning for credentials

The cybercriminals who procured VietCredCare reach their potential victims through phishing attacks that try to get internet users to unwittingly download and open VietCredCare on their device. The content of these phishing sites, which are distributed through social media posts and instant messaging platforms, frequently includes offers to download legitimate software or files, and the downloadable payload is often disguised as a harmless file by using legitimate-looking icons or filenames, for example a file with an icon resembling Acrobat Reader (PDF).

Among its evasion tactics, VietCredCare is able to add itself to the exclusion list of Windows Defender and disable AMSI functionality. Other notable features of VietCredCare include the ability to identify Facebook accounts and assess whether they are business profiles, whether the account has a positive Meta ad credit balance, and whether it is running live advertisements. The information stealer can also locate the browser profile folder in order to exfiltrate cookies and login data, and has functionality to exfiltrate from Chrome, Chromium, MS Edge, and Cốc Cốc. Login credentials and cookie data are sent to the malware’s operators in their bespoke Telegram bot channel as two separate .txt files. A message stating whether the user is advertising on Facebook is also provided.

Template of the message delivered to the VietCredCare operator in their Telegram channel:

%IP%
Đã kiểm tra tài khoản quảng cáo xong
số lượng quảng cáo = 0 + %FACEBOOK_DATA%.

Translation:

%IP%
Finished checking the ads account
Number of ads = 0 + %FACEBOOK_DATA%.
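Two detection checks that follow from the behaviours described above, written here as an added example (not Group-IB’s code or the malware’s): one flags Microsoft Defender event 5007 configuration changes that add an exclusion, the other flags non-browser processes resolving api.telegram.org in process-attributed DNS telemetry. All file paths, process names and sample records are constructed; the Cốc Cốc binary name is an assumption.

```python
"""Added example: detection checks for two VietCredCare behaviours
(Defender self-exclusion and exfiltration to a Telegram bot).
Sample telemetry below is constructed, not real victim data."""
import re

# Constructed "New value" fields from Defender event 5007 (configuration
# changed). The real event writes an added exclusion as "<key path> = 0x0".
DEFENDER_5007_NEW_VALUES = [
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\Downloads\invoice.pdf.exe = 0x0",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Users\victim\AppData\Roaming\svc.exe = 0x0",
]

# Constructed process-attributed DNS queries (shape of Sysmon event 22).
DNS_QUERIES = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "query": "api.telegram.org"},
    {"image": r"C:\Users\victim\Downloads\invoice.pdf.exe", "query": "api.telegram.org"},
    {"image": r"C:\Windows\System32\svchost.exe", "query": "www.microsoft.com"},
]

EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(?P<kind>Paths|Processes|Extensions)\\(?P<value>.+?)\s*=\s*0x0$"
)

# Processes expected to talk to api.telegram.org on a workstation; anything
# else doing so deserves a look. browser.exe is assumed to be Cốc Cốc.
ALLOWED_TELEGRAM_IMAGES = {"chrome.exe", "msedge.exe", "telegram.exe", "browser.exe"}


def find_defender_exclusions(new_values):
    """Return (kind, value) for each 5007 new value that adds an exclusion."""
    hits = []
    for line in new_values:
        m = EXCLUSION_RE.search(line)
        if m:
            hits.append((m.group("kind"), m.group("value")))
    return hits


def find_suspicious_telegram_dns(queries):
    """Return image paths of unexpected processes resolving api.telegram.org."""
    suspicious = []
    for q in queries:
        if q["query"].lower() != "api.telegram.org":
            continue
        exe = q["image"].rsplit("\\", 1)[-1].lower()
        if exe not in ALLOWED_TELEGRAM_IMAGES:
            suspicious.append(q["image"])
    return suspicious
```

On a live host the same checks run over Get-WinEvent output for the Defender Operational log and over Sysmon DNS events; the constructed lists stand in for that input here.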

Figure 3. Screenshot of a YouTube video advertising VietCredCare demonstrating how victims’ credentials are presented to the buyer.

“VietCredCare is a sophisticated piece of malware that is being distributed under the Stealer-as-a-Service model. Group-IB’s study has revealed a complex web of connections between the malware’s developers, buyers, and victims, and the malware is still being promoted among the Vietnamese cybercriminal community. VietCredCare’s core functionality to filter out Facebook credentials puts organizations in both the public and private sectors at risk of reputational and financial damages if their sensitive accounts are compromised, and we urge users to ensure they enable two-factor authentication on their social media accounts and avoid clicking on any untrusted links.”

Vesta Matveeva

Group-IB’s Head of High-Tech Crime Investigation Department, APAC

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.