New ‘VietCredCare’ Stealer Targeting Facebook Advertisers in Vietnam

New ‘VietCredCare’ Stealer Targeting Facebook Advertisers in Vietnam

Facebook advertisers in Vietnam are the target of a previously unknown information stealer dubbed VietCredCare at least since August 2022.

The malware is “notable for its ability to automatically filter out Facebook session cookies and credentials stolen from compromised devices, and assess whether these accounts manage business profiles and if they maintain a positive Meta ad credit balance,” Singapore-headquartered Group-IB said in a new report shared with The Hacker News.

Facebook accounts that have been successfully seized are then used by the threat actors behind the operation to post political content or to propagate phishing and affiliate scams for financial gain.

VietCredCare is offered to other aspiring cybercriminals under the stealer-as-a-service model and advertised on Facebook, YouTube, and Telegram. It’s assessed to be managed by Vietnamese-speaking individuals.

VietCredCare Stealer

It can also retrieve a victim’s IP address, check if a Facebook is a business profile, and assess whether the account in question is currently managing any ads, while simultaneously taking steps to evade detection by disabling the Windows Antimalware Scan Interface (AMSI) and adding itself to the exclusion list of Windows Defender Antivirus.

VietCredCare is also the latest addition to a long list of stealer malware, such as Ducktail and NodeStealer, that has originated from the Vietnamese cyber criminal ecosystem with the intent of targeting Facebook accounts.

That having said, Group-IB told The Hacker News there is no evidence at this stage that suggests connections between VietCredCare and the other strains.

“The stealer-as-a-service business model enables threat actors with little to no technical skills to enter the cybercrime field, which results in more innocent victims being harmed.”