Cloned CapCut websites push information-stealing malware


A new malware distribution campaign is underway that impersonates the CapCut video editing tool to push various malware strains to unsuspecting victims.

CapCut is ByteDance's official video editor and maker for TikTok, supporting music mixing, color filters, animation, slow-motion effects, picture-in-picture, stabilization, and more.

It has over 500 million downloads on Google Play alone, and its website receives over 30 million visits per month.

The application's popularity, combined with national bans in Taiwan, India, and other places, has pushed users to seek alternative ways of downloading the program.

Threat actors exploit this by creating websites that distribute malware disguised as CapCut installers.

The malicious websites were discovered by Cyble, which reports seeing two campaigns distributing different malware strains.

No specific information was provided about how victims are directed to these sites, but threat actors typically use black hat SEO, search ads, and social media to promote them.

A fake CapCut website
Source: BleepingComputer

The offending websites are:

  • capcut-freedownload[.]com
  • capcutfreedownload[.]com
  • capcut-editor-video[.]com
  • capcutdownload[.]com
  • capcutpc-download[.]com

At the time of writing, all of these domains had been taken offline.

First campaign

The first campaign observed by Cyble's analysts uses fake CapCut sites featuring a download button that delivers a copy of the Offx Stealer to the user's computer.

The stealer binary was built with PyInstaller and only runs on Windows 8, 10, and 11.

When the victim executes the downloaded file, they get a bogus error message claiming that the application failed to launch. Meanwhile, Offx Stealer continues to operate in the background.

Fake error message (Cyble)

The malware attempts to extract passwords and cookies from web browsers, and specific file types (.txt, .lua, .pdf, .png, .jpg, .jpeg, .py, .cpp, and .db) from the user's desktop folder.

It also targets data stored by messaging apps like Discord and Telegram, cryptocurrency wallet apps (Exodus, Atomic, Ethereum, Coinomi, Bytecoin, Guarda, and Zcash), and remote access software like UltraViewer and AnyDesk.

All stolen data is stored in a randomly named directory under the %AppData% folder, zipped, and then sent to the malware operators via a private Telegram channel. The threat actors also use the AnonFiles file hosting service as a redundant exfiltration path.

After the stolen files are transmitted to the attackers, the local directory created to temporarily hold the data is deleted to wipe traces of the infection.

Randomly named directory holding the stolen data (Cyble)

Second campaign

The second campaign involving fake CapCut sites drops a file named 'CapCut_Pro_Edit_Video.rar' on the victims' devices. The archive contains a batch script that, when opened, in turn launches a PowerShell script.

Cyble says that at the time of its analysis, no antivirus engines flagged the batch file as malicious, making the loader very stealthy.

The PowerShell script decrypts, decompresses, and loads the final payload: Redline Stealer and a .NET executable.

Attack chain of the second campaign (Cyble)

Redline is a widely deployed information stealer that can capture data stored in web browsers and applications, including credentials, credit card numbers, and auto-complete data.

The role of the .NET payload is to bypass the Windows AMSI (Antimalware Scan Interface) security feature, allowing Redline to operate undetected on the compromised system.

To stay safe from malware, download software directly from official sites rather than from links shared in forums, social media, or direct messages, and avoid promoted results when searching for software tools on Google.

In this case, CapCut is available through capcut.com, Google Play (for Android), and the App Store (for iOS).
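The domain list and the advice above can be turned into a simple sweep of DNS query logs for lookalike CapCut names. The following is an added example, not code from the article or from Cyble; it assumes capcut.com is the only legitimate web host and uses a constructed log format of timestamp, client IP and queried name.

```python
import re
# Assumption (not from the article): capcut.com and its subdomains are the
# only legitimate web hosts for the product.
OFFICIAL_DOMAINS = {"capcut.com"}
BRAND_TOKEN = "capcut"
# The five domains reported in the article, defanged as the article prints them.
REPORTED_LOOKALIKES = {
    "capcut-freedownload[.]com", "capcutfreedownload[.]com",
    "capcut-editor-video[.]com", "capcutdownload[.]com", "capcutpc-download[.]com",
}
def refang(domain: str) -> str:
    # Turn a defanged indicator such as 'evil[.]com' into a matchable hostname.
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def under(host: str, domains) -> bool:
    # True if host equals one of `domains` or is a subdomain of one of them.
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(host: str) -> str:
    """Label a queried name: official, known-lookalike, suspect-lookalike or unrelated."""
    host = refang(host)
    if under(host, OFFICIAL_DOMAINS):
        return "official"
    if under(host, {refang(d) for d in REPORTED_LOOKALIKES}):
        return "known-lookalike"
    # Brand token anywhere else (hyphens stripped so 'cap-cut' also matches).
    if BRAND_TOKEN in host.replace("-", ""):
        return "suspect-lookalike"
    return "unrelated"

# Constructed DNS query log: timestamp, client IP, queried name (not real data).
SAMPLE_LOG = """\
2023-05-20T10:00:01Z 10.0.0.5 www.capcut.com
2023-05-20T10:00:07Z 10.0.0.7 capcut-freedownload.com
2023-05-20T10:00:09Z 10.0.0.9 cdn.capcutpc-download.com
2023-05-20T10:00:12Z 10.0.0.11 cap-cut-pro-free.example
2023-05-20T10:00:15Z 10.0.0.12 example.org
malformed line
""".splitlines()
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def scan_dns_log(lines):
    """Return (client, hostname, verdict) for each lookalike lookup; skip bad lines."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())  # None for malformed lines: skip, don't crash
        if m and (verdict := classify(m.group(3))).endswith("lookalike"):
            hits.append((m.group(2), refang(m.group(3)), verdict))
    return hits
```

Subdomains of a reported domain are caught by the suffix check, and any other non-official name containing the brand token is surfaced for review rather than silently dropped.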
