From Vietnam to United States: Malware, Fraud and Dropshipping

g0njxa
8 min readApr 16, 2024

--

A quick overview on the Vietnamese cybercrime landscape, spending millions of dollars in fraud activities.

Introduction

In the past days I’ve been observing a rise in Vietnamese-based malware being reported on Twitter.

One of the most recent examples is what is known as Braodo Stealer, samples reported by our beloved CTI guy @suyog41

As you can see, this is a Python-based stealer managed by a Telegram bot. It has a special focus on Facebook cookies, but it also collects other cookies and credentials saved in browsers. The logs of victims look like this:

About the sample shared before, logs are managed by “bot_cutedzvcbot” and sent to a private group, like this:

A total of 85 unique victim logs were found in this chat; find the IP summarization here:

IP Summarization Results of 85 IPs — IPinfo.io

I left a message on the title of the bot, requesting to be contacted by them (whoever is using the bot) so we can have a talk! And I got a message back.

Despite the fact that he admitted he “wanted to do business” and “If I can assign him to work”,

He ended up saying he was operating the Telegram bot, for “trolling” purposes… (He was calling me “pro”)

Not much interested in this threat actor, let’s focus on another finding…

The dumper guy — Interview

Seems like before this malware sample came to us (Infosec Twitter), some Vietnamese guy found it (at December 17th, 2023 because of the date of logs) and left some messages in the chat:

So I decided to send him some messages, and agreed a brief interview:

@scanhihihi2 ~ The interview was made in Vietnamese. Since I was using a translator, I will post both original and english (translation) messages.

I want to know how it works :)

Ăn cắp dữ liệu từ máy tính

I know
but what do you do with a Facebook account

Bán

They do Facebook ads

Đúng

What do they advertise?

All
Bán hàng
Hoặc chạy thuê
Và tất cả chi phí thanh toán
Đều dùng thẻ của người khác thanh toán

Do they sell products? or there are fake stores

Cửa hàng thật

Can’t afford real ads? 😂😂

Đủ nhưng họ thích chạy quảng cáo mà không mất tiền
Bán hàng cho người dân mỹ

and how you name the thief app
we call it BRAODO
and you ?

Botnet anh bạn à

such a boring name

Nhàm chán nhưng nó đã mang lại lợi nhuận cao cho người sử dụng nod
Trung bình 500k- 1m$
Mỗi tháng
Đôi khi là vài ngày anh bạn à

This is allegedly the benefit of one day of running these ad campaigns. In fact, this belongs to a dropshipping campaign (he will say this later).

What is dropshipping?

Dropshipping is an order fulfillment method where a business doesn’t keep the products it sells in stock. When an order is received, the seller sends it to another company who ships the product straight to the customer. The seller is a middleman between the customer and the company with the product.

Source: What Is Dropshipping and How Does It Work? (2024) — Shopify

Based on the picture, and if we were talking about only one product, he had 7157 orders at $43.24 each one. This product has a cost of $1.42, and that’s ~30.45 times its value. #Dropshipping

and how much people pay you

60% tổng lợi nhuận
Hoặc
So với tài khoản quảng cáo
10% ngưỡng thanh toán

Profit 60% or 10% of real value
cheap

Đúng rồi

Choosing payment as a cut from profits secures benefit from my dropshipping campaign.

Based on the numbers above, if I were a client of this guy I owe him $185,681 if I had chosen this payment method, and I would have got a profit of $123,787. Of course, with thousands of fraudulent dollars spent in massive ad campaigns.

I want to see what people buy
to earn so much money
to see what Americans buy

À rất nhiều sản phẩm
Theo thời theo mùa theo trend
Nó dạng
Dropshipping

The demo post shared with me was this:

Source: facebook.com/100063724800909/posts/933433958790756/
Source: litechstore.com/products/smartwatchdeal

And seems like this is a popular item because you can fins dozens of similar pages selling the same item (based on the same picture).

Of course, with a quick search you can find the same product 4 times cheaper at some Chinese supplier website, #dropshipping

https://www.alibaba.com/product-detail/Wholesale-noise-android-water-proof-combos_1600940288045.html

Dropshipping provides these guys clean benefits, after running massive ad campaigns with stolen money. A really profitable criminal activity.

Facebook & Facebook & more Facebook

I could identify some more compromised Facebook accounts involved in this dropshipping campaign using ads:

https://www.facebook.com/daniloautosales
https://www.facebook.com/muebleriachristami
https://www.facebook.com/easytechingenieria
https://www.facebook.com/bangbangbuy
https://www.facebook.com/Lachianclothing
https://www.facebook.com/Almarelmasnou
https://www.facebook.com/people/TECH-HAVEN/61551563596502
https://www.facebook.com/umbalove
https://www.facebook.com/CHIPAVTOKLUCH
https://www.facebook.com/mareasavona
https://www.facebook.com/marehotelsavona
https://www.facebook.com/usbiketravel
https://www.facebook.com/MG.MirameLenceria
https://www.facebook.com/people/Anta-Group/61555995638804/

And more shops selling the same product:

https://geheathcarestore.com/products/smartwatch
https://smartwatch.happygalaxyshop.com
https://holddealfortoday.com/product/bluetoothwatch03/

But not only sales, we have also malware spread in Facebook!!!!

If we take a close look on the previous account, we can see a suspicious post created recently that is not featuring any shop BUT a download of a software from a website...

Website: sora-6b494.web.app (SoraAi (archive.org))

Download from: /cdn-gg.b-cdn.net/Sora%20-%20OpenAi%20v1.1.1.zip

Find it at MalwareBazaar | SHA256 081b2455cbf464eee43082d023137137eaf43b7a6e1f475feeb75b7cdaaa4cac (abuse.ch)

Indeed, it behaves like a stealer but seems like c2 is not working

Find detonation here ( hxxp://sora-6b494[.]web[.]app | Triage)

Interesting checker.sh connection from this sample (META = Facebook)

Sadly, I can’t deep more into this.

Marketplaces

There is a recent research blog by Chetan Raghuprasad, Joey Chen from Cisco Talos Intelligence featuring a Vietnamese malware operator campaign:

CoralRaider targets victims’ data and social media accounts (talosintelligence.com)

The fact is that as shown in the blog, seems like these users relies in Telegram communities to develop its activities.

For example the interviewed guy was part of one of those groups

We can also find proofs for these Facebook activities and the amounts that these guys are spending on ads, for example:

Amount Spending: $200716
Amount Spending: $45174
Amount Spending: 92248 €
Amount Spending: 107748 €

Furthermore, what it seems like a summarization

A total spent amount of $670710 United States Dollars, apparently only by one individual.

I’ve been also through some websites announcements, featuring sales of credit cards from United States:

But the websites look like this:

I don’t really know how widespread is the usage of similar website services by the people running these Facebook ads campaigns, but it seems like they are featured in most of the Facebook ads telegram groups.

The administrator of one of these sites was asked about his website about the usage of the stolen goods he was selling:

There is a strong carding community in the Vietnamese landscape, active as per today and generating millions of dollars of loses, with an special obsession on the United States people.

The end

Best regards,

@g0njxa

--

--

g0njxa
g0njxa

No responses yet