Tracing the Path of VietCredCare and DuckTail: Vietnamese dark market of infostealers’ data

Category	Details
Threat Actors	VietCredCare and DuckTail operators (believed to be Vietnamese).
Campaign Overview	Two distinct malware families, VietCredCare and DuckTail, targeting Facebook Business accounts. VietCredCare has seen reduced activity due to law enforcement action, while DuckTail continues to operate.
Target Regions (Victims)	VietCredCare primarily targets Vietnam; DuckTail targets victims outside of Vietnam.
Methodology	Both malware families use spear-phishing and social engineering to deliver malware. VietCredCare uses common messaging apps, while DuckTail employs LinkedIn and cloud storage services for distribution.
Product Targeted	Facebook Business accounts (credentials and session cookies).
Malware Reference	VietCredCare, DuckTail
Tools Used	.NET for development, Telegram API for exfiltration, cloud storage services (Dropbox, Mega, iCloud) for malware distribution.
Vulnerabilities Exploited	No specific vulnerabilities exploited; both use social engineering for delivery.
TTPs	– Spear-phishing via LinkedIn, WhatsApp, Messenger, Zalo, email – Malware disguised as trusted software or professional offers – Telegram API for exfiltration
Attribution	VietCredCare and DuckTail are believed to be operated by Vietnamese threat actors.
Recommendations	– Awareness of social engineering tactics (LinkedIn, cloud storage links) – Monitor for suspicious Telegram activity – Use advanced detection for phishing and credential theft
Source	Group-IB

Read full article: https://www.group-ib.com/blog/tracing-the-path-of-vietcredcare-and-ducktail/

Disclaimer: The above summary has been generated by an AI language model