A new threat dubbed VietCredCare has emerged, targeting Facebook advertisers in Vietnam since at least August 2022. This sophisticated information stealer is designed to automatically filter Facebook session cookies and credentials stolen from compromised devices, specifically targeting individuals managing business profiles with positive ad credit balances. Once seized, these accounts are exploited to disseminate political content or propagate phishing and affiliate scams, posing significant reputational and financial risks to affected organizations.
Offered as a stealer-as-a-service model, VietCredCare is advertised on various platforms including Facebook, YouTube, and Telegram, primarily managed by Vietnamese-speaking individuals. Potential customers have the option to purchase access to a botnet managed by the malware developers or acquire the source code for resale or personal use, along with a bespoke Telegram bot for managing credential exfiltration. The malware is distributed through links to bogus sites masquerading as legitimate software, targeting popular web browsers such as Google Chrome and Microsoft Edge, further underscoring its focus on the Vietnamese cybercriminal ecosystem.
VietCredCare’s capabilities extend beyond credential theft, encompassing features such as IP address retrieval, business profile verification on Facebook, and evasion techniques to bypass detection by security software. Its emergence adds to a growing list of stealer malware originating from the Vietnamese cybercrime landscape, although there is no evidence linking VietCredCare to other strains such as Ducktail and NodeStealer. This illustrates how accessible such tooling has become: threat actors with limited technical skill can enter the field, and the result is more victims of credential theft and account takeover. The sophistication and persistence of VietCredCare highlight the importance of robust security measures to mitigate the risks posed by such threats.