Vietnam’s Infostealer Crackdown Reveals VietCredCare and DuckTail


Researchers from Group-IB have revealed new findings highlighting significant differences in the methods and structures of two prominent infostealer malware families, VietCredCare and DuckTail.

Both have been central to the cybercrime ecosystem in Vietnam, targeting Facebook Business accounts for financial gain.

The new analysis follows a mid-2024 announcement from Vietnamese authorities regarding the arrest of over 20 individuals involved in distributing and operating these malicious programs. The initial crackdown disrupted the activities of VietCredCare and DuckTail, though the latter remains active with ongoing campaigns.

Key Differences Between VietCredCare and DuckTail

According to the advisory published by Group-IB earlier today, there are some key differences between the two malware tools.

Distribution Tactics

  • VietCredCare: Operated as malware-as-a-service and often disguised as trusted applications such as Excel or Acrobat Reader. It was spread through Facebook Messenger, Zalo and email

  • DuckTail: Delivered via spear-phishing campaigns on LinkedIn and WhatsApp, with attackers posing as recruiters or marketers. Malware links were hosted on resilient platforms like Dropbox, Mega, Microsoft OneDrive and iCloud

Target Markets

  • VietCredCare: Focused on harvesting local Vietnamese Facebook accounts for resale to domestic cybercriminal networks

  • DuckTail: Prioritized high-value international Facebook Business accounts, exploiting them for unauthorized advertising campaigns

Technical Architecture

  • VietCredCare: Limited its functionality to extracting specific Facebook account details

  • DuckTail: Included advanced features, such as bypassing two-factor authentication and encrypting stolen data before exfiltration

Monetization Strategies

Both malware families use Telegram channels for exfiltration and monetization. VietCredCare operators sold raw account data and rented botnets, while DuckTail actors leveraged stolen Facebook Business Manager accounts to run fake online stores and advertising campaigns, generating significant profits.


Outlook on Facebook Malware in Vietnam

Group-IB warned that while VietCredCare campaigns have declined since the arrests, DuckTail remains active, showcasing updated techniques. The researchers also noted a growing ecosystem in Vietnam, with new infostealer variants emerging to meet the demand for stolen Facebook accounts.

Group-IB also advised users to enhance their digital security by enabling two-factor authentication, monitoring account activity and promptly addressing unusual behavior.
