Group-IB discovers new information stealer targeting Vietnam with rare functionality to filter out Facebook accounts with advertising credits
Introduction
In October 2022, an employee of a leading Vietnamese bank received a deceptive link through Zalo, a widely used local messenger. Upon clicking the link, a malicious .zip file was downloaded to their device, which subsequently jeopardized sensitive information stored in the victim’s web browsers.
Upon receiving information of this occurrence, Group-IB specialists jumped into action. Firstly, our Threat Intelligence researchers promptly analyzed the malware sample. Once the initial findings were drawn, Group-IB’s High-Tech Crime Investigation unit joined the battle, commencing an extensive investigation into the malware. Through their analysis, additional samples were discovered, which would reveal a large-scale distribution scheme that was linked to a previously unknown information stealer.
Information stealers are pieces of malware designed to covertly infiltrate computer systems, capture sensitive information such as bank card details, crypto wallet credentials, cookies, and browsing history from web browsers, and then send this data to the malware’s operators. In this case, the information stealer was found to exclusively target users in Vietnam. As a result, the information stealer, which has been active since at least August 2022, has been codenamed VietCredCare by Group-IB.
Figure 1. VietCredCare profile
Group-IB investigators, during their analysis, found multiple different VietCredCare samples for Windows operating system that shared similar capabilities and source code, indicating that the malware’s developers are constantly updating its functionalities. According to Group-IB’s findings, the primary target of the threat actors leveraging VietCredCare is to complete the takeover of corporate Facebook accounts, owing to the stealer’s functionality to automatically filter out credentials for this service.
Our analysis revealed that a significant number of prominent Vietnamese public- and private-sector organizations were at risk of compromise. Group-IB discovered that VietCredCare compromised credentials belonging to users of nine Vietnamese government agencies, the National Public Service Portals of 12 cities or provinces, 65 universities, 4 e-commerce platforms, 21 banks, 12 major Vietnamese enterprises, along with a large number of personal and business social media accounts, with Group-IB issuing notifications to affected organizations.
In total, victim organizations were identified in 44 of Vietnam’s 63 provinces, indicating the significant spread of the stealer across the country. In line with the company’s zero-tolerance policy to cybercrime, Group-IB shared its findings with the Vietnamese law enforcement authorities.
Key Findings
- VietCredCare is a previously unknown information stealer that has been in circulation since at least August 2022.
- The information stealer, which is distributed under the stealer-as-a-service model, is likely managed by Vietnamese-speaking individuals.
- Group-IB discovered individual victims of VietCredCare located in 44 of Vietnam’s 63 provinces.
- The greatest number of victims were located in Hanoi (51% of victims), Ho Chi Minh City (33%) and Da Nang (3%).
- VietCredCare is notable due to its ability to automatically filter out session cookies and credentials for Facebook accounts, and flag if these accounts are managing advertisements and have a positive Meta ad credit balance.
- VietCredCare is used primarily against individuals in Vietnam, with the core target being individuals who manage the profiles of prominent businesses and organizations.
- Taken over Facebook accounts with a large follower base can be leveraged by threat actors to post political content or for financial gain through phishing and affiliate scams, the malicious redirection of web traffic, and the sale of stolen credentials.
- We suppose that VietCredCare was spread through phishing sites, which were shared via social media posts and messaging platforms. These sites claimed to offer the download of legitimate software, and the threat actors disguised the payload with the names and icons of software such as Excel, Word, Acrobat Reader in order to deceive the users.
- Threat actors looking to leverage VietCredCare can purchase access to a botnet managed by the malware’s developers or procure the source code for personal use or resale.
- Each threat actor who purchases access to VietCredCare receives access to their own individual Telegram bot channel, which handles the exfiltration and delivery of stolen data, as well as communication with the malware’s developers. Group-IB discovered more than 20 individual Telegram bot channels during their research.
What’s the meta? Notable functionalities
One functionality of the VietCredCare information stealer was of particular interest to Group-IB researchers. We found that VietCredCare automatically filters out all credentials and session cookies from Facebook.com, and specifically flags Facebook accounts that are currently running advertisements and have a positive balance of Meta ad credits – the currency used to publish adverts on Facebook.
Group-IB experts believe that this functionality exists to assist threat actors in taking over Facebook profiles that belong to prominent businesses and organizations, whose large subscriber base can become a vast audience for politically oriented posts designed to shape public opinion or financially-motivated phishing attacks, other scams, or for selling the compromised credentials to other cybercriminals. As a result, while the information stealer can be used indiscriminately against individuals, it appears that the core target for the threat actors leveraging VietCredCare is to infect the devices of individuals who manage the Facebook profiles of prominent business pages in order to take them over.
Additionally, VietCredCare’s operators used Telegram Bot functionalities to exfiltrate compromised data from infected devices. As of July 2023, Group-IB investigators have discovered more than 20 separate Telegram bots associated with VietCredCare, with each threat actor who purchased access to the information stealer receiving access to their own unique bot channel.
As with many information stealers, VietCredcare is offered under the stealer-as-a-service model, meaning that the developers make the malware available to other cybercriminals for rent or purchase on the cybercriminal underground.
Those who have procured the malware use phishing attacks to try and get victims to unwittingly download and open VietCredCare on their device. The content of the phishing websites, as seen by Group-IB researchers, included offers to download legitimate software or files.
This strategy frequently extends to the actual files hosted on the phishing sites, as the threat actors often use icons and names of files to masquerade the malware as legitimate software such as Excel, Word, Acrobat Reader in order to make it even more difficult for potential victims to spot that the file is malicious. Phishing websites or malicious files can be distributed via Facebook posts, using the accounts the threat actors have taken over, or through messaging platforms such as Facebook Messenger, WhatsApp, and Zalo.
VietCredCare structure
VietCredCare’s stealer-as-a-service campaign impacts three distinct groups: the malware’s developers and its advertisers, its users (buyers), and the victims who unwittingly download it. Let’s go into a little more detail about each of these groups:
Figure 2. Distribution Scheme of the Vietnam Stealer campaign
Developer and advertisers of the stealer
This group refers to the individual(s) who have developed the information stealer, creating its components, managing Telegram bots designed for receiving the data, and distributing the stealer (as a loader) to buyers. Group-IB researchers also found a significant number of advertisements for the information stealer placed not just on the dark web, but on prominent public websites such YouTube and Facebook.
Buyers of the stealer
This group refers to the individuals who procure the information stealer and then leverage it against victims. This is done by hosting a payload that the buyers, through advanced phishing tactics, attempt to get the victim to download onto their device. Once the stealer is on the device and exfiltration is completed, the buyer has access to the victim’s credentials and cookies, with those from Facebook being of greatest importance. Each buyer of the stealer receives access to their own unique Telegram bot channel configured specifically by the threat actor.
The stealer’s buyers may have varied modus operandi for taking over the Facebook accounts of legitimate businesses and organizations. They can either use these accounts to spread misinformation or shape public perception online. Alternatively, they can have more financially-motivated goals, by leveraging accounts with a large number of followers to run phishing campaigns, fake product sales, affiliate scams, attempt to direct traffic to specific websites for the purpose of gaining advertising revenue, or sell the stolen credentials as shown in Figure 3 below.
Figure 3. An example of an advertisement posted in Telegram by an individual offering to sell stolen cookies obtained using the VietCredCare information stealer.
Translation of the advertisement: “Selling data from botnet includes: “scan” (Facebook Business Manager accounts), “via”- Verified information accounts with full databases from Google, Amazon, Ebay… All countries, minimum 100 for sale, who doesn’t know how to harvest ping me for instruction by using UltraViewer, my Telegram or Facebook”
Hunting for buyers: Stealer–as-a-service
During the course of their research, Group-IB researchers discovered multiple Vietnamese-language advertisements posted on Facebook advertising VietCredCare to potential buyers looking to engage in cybercriminal activities. One such example is posted below.
Figure 4. Example of an advertisement for VietCredCare posted on Facebook (original in Vietnamese plus translation)
VietCredCare advertisements also appeared in several notable Vietnamese-language Telegram channels, as evidenced in the below Figure 5.
Figure 5. Example of July 2023 advert for VietCredCare posted on Telegram (Vietnamese-language original and translation).
In both posts above, the advertiser is offering access to a 1MB C# executable file designed to evade antivirus and firewall protection. The malicious software is also capable of masquerading as any legitimate application, in order to increase the likelihood of a victim detecting the malware. Other prominent features of the malware listed in the advertisements include: the ability to steal cookies and password stored in the victim’s browser and the ability to bypass Facebook’s two-factor authentication system (2FA). Once these processes are completed, the threat actor who launched VietCredCare is left with two .txt files: one containing cookies, the other containing passwords.
Group-IB researchers discovered that there were more than 20 individual threat actors leveraging the same sample of VietCredCare in their attacks. We also found an interesting case in which one buyer attempted to modify the stealer malware further, although we will be sharing our findings into this case in the very near future.
Sneaky stealer: Analyzing the payload
The VietCredCare information stealer for Windows operating system, developed in .NET, operates by deceiving users into running a file (payload) that is masqueraded as a piece of legitimate software. An example of this functionality is demonstrated below.
Figure 6. Demonstration of VietCredCare’s ability to masquerade itself as a legitimate PDF file, as shown in a YouTube video advertising the malware.
A variant of the VietCredCare information stealer was flagged as malicious during scanning using Group-IB Managed XDR’s Malware Detonation Platform, which runs suspicious files and links in a virtual environment to monitor malicious activities and attack scenarios securely. Additionally, the platform generates comprehensive detonation reports aiding analysts in pinpointing infection sources and grasping the stealer’s characteristics.
Figure 7. Results of detonating and analyzing a malicious archive. Source: Group-IB Managed XDR interface
Upon execution, VietCredCare ingeniously creates a self-replicating copy of itself named as “crsysys.exe” in the %STARTUP% folder. Notably, this information stealer operates without requiring any input via command-and-control (C2) server to initiate the launch of a payload.
Figure 8. Ensuring persistence in the target system for the payload. Source: Group-IB Managed XDR interface
A report generated by Group-IB Malware Detonation Platform also contains a plethora of valuable behavioral insights acquired during the execution and analysis of VietCredCare stealer. One of its primary functionalities is the ability to extract data from globally popular browsers such as Chrome, Chromium, and MS Edge, along with the Vietnam-specific Cốc Cốc.
All data stolen from an infected device is discreetly sent to a Telegram bot, from where it becomes accessible to the threat actor. During the course of their research, Group-IB experts discovered more than 20 separate Telegram bots, leveraging the messenger’s API functionality, that were utilized for this purpose.
Tactics and techniques used in the campaign, presented as a below MITRE ATT&CK matrix:
Figure 9. MITRE ATT&CK Matrix. Source: Group-IB Managed XDR interface
As mentioned above, VietCredCare is able to steal data such as session ID, cookies, and passwords from the browsers of infected devices, but it also has some other interesting functionalities that are worth exploring further, such as:
Retrieve victim’s IP address using external resources
This is done by sending a HTTP request to hxxps://ipinfo[.]io/ip
![a HTTP request to hxxps://ipinfo[.]io/ip](https://website.cdn.group-ib.com/wp-content/uploads/10-12.webp?x23530)
Figure 10. VietCredCare network activities. Source: Group-IB Managed XDR interface
Identify Facebook accounts and whether they are business profiles
Figure 11. VietCredCare Facebook checking activity. Source: Group-IB Managed XDR interface
If VietCredCare discovers that a browser session in Facebook was still in process, the malware is able to assess whether it is a business account by performing a HTTP request using a custom agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Once a request to hxxps://business[.]facebook[.]com/content_management/ is performed, the access token and information about the managed groups and the Meta ad credit balance of the account will be extracted from this page and sent to a Telegram bot in order to be accessed by the threat actor.
Identify folder path with browser profile and exfiltrate cookies and login data
According to Group-IB Managed XDR’s Malware Detonation Report of a sample of VietCredCare, the credential access can be demonstrated as follows:
Figure 12. How VietCredCare accesses cookie files, using Chrome as an example. Source: Group-IB Managed XDR’s Malware Detonation Report.
Similarly, the source code also reveals the ability to exfiltrate data from the following file paths, corresponding to each different browser.
Cốc Cốc: *%AppData%\Local\CocCoc\Browser\User Data*
Chrome: %AppData%\Local\Google\Chrome\User Data
Chromium: %AppData%\Local\Chromium\User Data\User Data
Edge: \Local\Microsoft\Edge\User Data
Assess whether Facebook accounts are managing any advertisements
VietCredCare’s most notable functionality is its ability to assess whether a Facebook account is currently administering any advertisements. This is communicated to the threat actor via a message posted from Telegram bot as indicated below.
%IP%
Đã kiểm tra tài khoản quảng cáo xong
số lượng quảng cáo = 0 + %FACEBOOK_DATA%.
(Translation:
%IP%
Checking Facebook Ads account has been checked
Number of ads = 0 + %FACEBOOK_DATA%)
The “checks” conducted by VietCredCare, as indicated in the above message, including assessing whether the account has a positive Meta ad credit balance.
Evasion tactics
In most cases, VietCredCare is packed before it is distributed. As a result, once it is launched on the victim’s device, it not only executes the information stealer, but it also performs the following evasion techniques:
- Add itself to the exclusion list of Windows Defender
- Disables AMSI functionality
Group-IB researchers note that the first samples of VietCredCare were discovered in August 2022. It is our assertion that, at the present time, the information stealer is continuing to be developed, and it is also still being actively promoted on Telegram and other platforms.
The data handler: VietCredCare’s Telegram bots
VietCredCare’s Telegram bot functionalities play a crucial role in the data exfiltration process. The primary function of this bot, apart from informing about the presence of Facebook account credentials in the stealer logs, is to receive the stolen data. This data is converted into two text files (.txt) containing cookies and passwords from compromised devices. The bot also manages the communication between the malware’s developers and buyers.
During the data exfiltration process, the threat actor first receives a message informing of the number of Facebook accounts present in the logs (detailed above).
The threat actor then receives a second message, which includes an attachment of a .txt file that contains the browser cookies exfiltrated from the infected device. These files have the naming convention:
%COMPUTERNAME% + “–COOKIES-.txt”
The final message in this thread contains the compromised passwords stolen from the browsers of infected devices. This is also sent in a .txt file, with the naming pattern:
%COMPUTERNAME% + “–PASS-.txt”
Figure 13. Example of .txt file containing credentials stolen by VietCredCare from the browsers of an infected device
This workflow was advertised to potential VietCredCare customers in several advertisement videos that were uploaded to YouTube, along with posts on Facebook (see Figure 14 below). The advertisements are in the Vietnamese language.
Figure 14.1. Advertisement posted on Facebook detailing VietCredCare’s Telegram bot workflow.
Figure 14.2. Screenshot of a YouTube video advertising VietCredCare demonstrating an example how victims’ credentials can be presented to the buyer.
Figure 14.3. Screenshot of a YouTube video advertising VietCredCare demonstrating an example how victims’ credentials can be presented to the buyer.
A Vietnamese stealer?
Given the amount of Vietnamese-language text that features not only in the Telegram bot communications, but also in the social media posts and videos advertising the information stealer to potential buyers, Group-IB investigators concluded that Vietnamese-speaking individuals are likely responsible for both the creation and development of VietCredCare. It is also highly likely that Vietnamese-speaking individuals are the primary buyers of the malware.
The bulk of the victims – individuals whose devices were infected with VietCredCare and whose credentials were exfiltrated – were also from Vietnam.
Group-IB experts were able to analyze the geographical scope of VietCredCare’s attacks in Vietnam, revealing victim IP addresses from 44 out the 63 Vietnamese provinces. These victims were concentrated in the country’s major cities as Figure 15 (below) illustrates. More than half of the victims had Hanoi-based IP addresses, with a third IP addresses linking them to Ho Chi Minh City.
All this information led Group-IB investigators to conclude that VietCredCare is primarily used against individuals based in Vietnam, with the prime target being individuals who manage the profiles of prominent businesses and organizations in the country.
Figure 15. List of VietCredCare victims by IP address
Conclusion
The information stealer codenamed VietCredCare is a sophisticated piece of malware offered under the stealer-as-a-service business model. Group-IB High-Tech Crime Investigation unit’s detailed study uncovered a complex web of connections between the malware’s developers, buyers, and victims. VietCredCare is still being actively promoted within the Vietnamese cybercriminal underworld, meaning that the information stealer is still likely to pose a threat over the coming months.
VietCredCare’s core function – to harvest and exfiltrate cookies and credentials – poses severe risks to organizations in both the Vietnamese public and private sector. The information stealer’s ability to automatically filter out Facebook account data and checking for Meta Ad credits simplifies the task for cybercriminals looking for an easy way to take over Facebook accounts with a large audience base in order to pursue their politically- or financially-motivated schemes.
Account takeover, especially if a cybercriminal publishes posts purportedly in the voice of a legitimate organization, poses severe reputational and financial risks for companies. As a result, Group-IB investigators notified Vietnamese Law Enforcement agencies of their findings, as part of our commitment to combating cybercrime in all its forms.
As we will disclose in the very near future, VietCredCare is just one of a number of information stealers targeting users in Vietnam, so the risks are acute.
The stealer-as-a-service business model enables threat actors with little to no technical skills to enter the cybercrime field, which results in more innocent victims being harmed. That is why it is important to protect society by identifying actors behind and dismantling their services. Group-IB’s High-Tech Crime Investigations experts are ready to assist law enforcement agencies and attacked organizations in identification of threat actors even in the most sophisticated schemes.
