A new computer security threat has been detected by research institute Group-IB. The malware, known as VietCredCare, has been targeting Facebook advertisers in Vietnam. Since its emergence in August 2022, VietCredCare has been stealing corporate Facebook accounts by automatically extracting Facebook session cookies and credentials from compromised devices. This information stealer goes beyond merely obtaining user information: it also aims to hijack the accounts of business profiles and checks whether an account holds a positive Meta ad credit balance.
According to Group-IB, VietCredCare is distributed through links to fake websites on social media posts and instant messaging platforms. The links are designed to look like legitimate software download links, such as those for Microsoft Office or Acrobat Reader. Once the malware is installed, it can extract credentials, cookies, and session IDs from various web browsers, including Google Chrome, Microsoft Edge, and Cốc Cốc, a browser that targets the Vietnamese market.
Besides extracting user information, VietCredCare can retrieve a victim’s IP address, identify whether a Facebook account is a business profile, and evaluate whether the account currently manages ads. It also employs evasion tactics, such as disabling the Windows Antimalware Scan Interface (AMSI) and adding itself to the Windows Defender Antivirus exclusion list.
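The Defender exclusion-list tampering described above leaves a trace in the Microsoft-Windows-Windows Defender/Operational log. The following is an added Python example, not code from the Group-IB report or this article, that triages constructed sample event records for newly added exclusions (Event ID 5007) and real-time protection being disabled (Event ID 5001); the sample messages and the file path in them are constructed for illustration.

```python
import re
from typing import NamedTuple

# Event IDs from the Microsoft-Windows-Windows Defender/Operational log.
DEFENDER_CONFIG_CHANGED = 5007   # "Configuration has changed"
DEFENDER_RTP_DISABLED = 5001     # "Real-time Protection ... has been disabled"

# Matches the registry key reported in a 5007 "New value:" line when an exclusion is added.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<value>[^=]+?)\s*=",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    event_id: int
    kind: str    # e.g. "exclusion_paths" or "realtime_protection"
    value: str   # the excluded path/process/extension, or "disabled"


def triage(events):
    """Return findings for events that add a Defender exclusion or disable real-time protection."""
    findings = []
    for event_id, message in events:
        if event_id == DEFENDER_RTP_DISABLED:
            findings.append(Finding(event_id, "realtime_protection", "disabled"))
        elif event_id == DEFENDER_CONFIG_CHANGED:
            m = EXCLUSION_RE.search(message)
            if m:  # other 5007 events (e.g. scan schedule changes) are benign and skipped
                findings.append(Finding(event_id, "exclusion_" + m.group("kind").lower(), m.group("value")))
    return findings


# Constructed sample events modelled on the 5007/5001 message format (not from the report).
SAMPLE_EVENTS = [
    (5007, "Microsoft Defender Antivirus Configuration has changed. Old value:  "
           "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Update.exe = 0x0"),
    (5007, "Microsoft Defender Antivirus Configuration has changed. "
           "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x2 "
           "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x3"),
    (5001, "Microsoft Defender Antivirus Real-time Protection scanning for malware and other "
           "potentially unwanted software has been disabled."),
    (1116, "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On a live host the same records can be pulled with `Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational"` and fed to `triage` as (Id, Message) pairs.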
The ramifications of VietCredCare’s activities are alarming. According to the Group-IB report, the malware has impacted several government agencies, universities, e-commerce platforms, banks, and Vietnamese companies by siphoning sensitive information. Threat actors have been using the stolen Facebook accounts to post political content or propagate phishing and affiliate scams for financial gain. The scope of this malware distribution is wide, targeting not only individuals but also the Facebook profiles of prominent Vietnamese businesses and organizations.
The Group-IB report also sheds light on VietCredCare’s “Stealer-as-a-Service” model. Under this model the malware is offered to aspiring cybercriminals and advertised through platforms such as Facebook, YouTube, and Telegram; the advertising indicates that it is managed by Vietnamese-speaking individuals.
Customers who purchase access to VietCredCare are provided a variety of options, including accessing a botnet managed by the developers of the malware, procuring access to the source code for resale or personal use, and being offered a customized Telegram bot to control the exfiltration and delivery of credentials from infected devices.
Given the serious threats posed by VietCredCare, organizations and individuals are advised to take preventive measures against malware-based attacks. It is essential to install software updates regularly, use antivirus software, and use strong passwords. Caution when clicking on links or downloading attachments from unknown sources is especially important to avoid potential malware like VietCredCare.
Overall, VietCredCare is a sophisticated malware that poses a significant threat to businesses and their online presence. Its ability to target and steal credentials from business-related Facebook accounts calls for enhanced cybersecurity measures and awareness among users and organizations. Perimeter81 malware protection is recommended as a way to block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. These harmful entities can wreak havoc on systems and networks.