| Category | Details |
|---|---|
| Threat Actors | VietCredCare and DuckTail operators (believed to be Vietnamese). |
| Campaign Overview | Two distinct malware families, VietCredCare and DuckTail, targeting Facebook Business accounts. VietCredCare has seen reduced activity due to law enforcement action, while DuckTail continues to operate. |
| Target Regions (Victims) | VietCredCare primarily targets Vietnam; DuckTail targets victims outside of Vietnam. |
| Methodology | Both malware families use spear-phishing and social engineering to deliver malware. VietCredCare uses common messaging apps, while DuckTail employs LinkedIn and cloud storage services for distribution. |
| Product Targeted | Facebook Business accounts (credentials and session cookies). |
| Malware Reference | VietCredCare, DuckTail |
| Tools Used | .NET for development, Telegram API for exfiltration, cloud storage services (Dropbox, Mega, iCloud) for malware distribution. |
| Vulnerabilities Exploited | No specific vulnerabilities exploited; both use social engineering for delivery. |
| TTPs | Spear-phishing via LinkedIn, WhatsApp, Messenger, Zalo and email; malware disguised as trusted software or professional offers; Telegram API used for exfiltration. |
| Attribution | VietCredCare and DuckTail are believed to be operated by Vietnamese threat actors. |
| Recommendations | Raise awareness of social engineering tactics (LinkedIn approaches, cloud storage links); monitor for suspicious Telegram API activity; use advanced detection for phishing and credential theft. |
| Source | Group-IB |
Read full article: https://www.group-ib.com/blog/tracing-the-path-of-vietcredcare-and-ducktail/
Disclaimer: The above summary has been generated by an AI language model