As the popularity of the CapCut video editing tool continues to soar, with features such as background removal and over 200 million monthly active users in the US alone, threat actors (TAs) have seized the opportunity to target people looking for the editor with CapCut phishing websites.
Cyble Research and Intelligence Labs (CRIL) recently discovered a series of phishing websites impersonating CapCut that trick unsuspecting victims into installing malware such as information stealers and BatLoader.
Since countries such as the USA, India and Taiwan have started banning or restricting Chinese-origin apps like CapCut, users are looking for alternative ways to obtain the editor and keep editing their videos.
Unfortunately, that search has exposed them to fraudulent websites masquerading as legitimate CapCut download resources.
CapCut phishing website scams: How do they work?
These scams rely on phishing websites that pose as CapCut download pages and hand out malware in place of the editor: stealers, remote access trojans (RATs) and other malicious applications.
CRIL also found traces of multiple stealers, including Offx Stealer and RedLine Stealer, during its research. The purpose of these stealers is to collect information from the victim's machine and use it for malicious purposes.
The security researchers conducted an in-depth analysis of the modus operandi of these CapCut phishing website scams. The threat actor uses Python to build the malware, and one of the stealer binaries identified, with SHA256 hash 8dd5d02bb6313997fcaa6515ccb2308c37a81374baef188554ba20d23602c01c, was packaged with PyInstaller.
The executable bundles a Python 3.9 interpreter. Since Python 3.9 dropped support for Windows 7, the binary only runs on Windows 8 and later; this restriction comes from the bundled interpreter, not from any encryption.
The researchers recovered the underlying Python script after unpacking the PyInstaller archive (the bundled bytecode can then be decompiled back to source).
Notably, the script's main.py imports the Fernet class from the cryptography.fernet module and uses it to decrypt data at runtime. Fernet is authenticated symmetric encryption (AES-128-CBC plus an HMAC-SHA256 tag under a single 32-byte key), so whatever is decrypted can only be recovered with the exact key the script carries; locating that key in main.py is the next step of the analysis.
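As an added example (my code, not code from the Cyble report or from the malware), here is a stdlib-only triage helper that does what an analyst does once main.py is in hand: parse a Fernet token's layout (version byte, big-endian timestamp, 16-byte IV, AES-CBC ciphertext, HMAC-SHA256 tag), verify the tag with the signing half of the candidate key, and read the timestamp, which records when the operator packed the payload. The key, IV, ciphertext bytes and timestamp below are constructed. The real decryption step is AES-128-CBC with the key's second half, which `cryptography`'s `Fernet(key).decrypt(token)` performs only after the same tag check passes, so a token whose tag fails under the key you pulled from the script means you have the wrong key or a patched blob.

```python
import base64
import hashlib
import hmac
import os
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80  # first byte of every Fernet token


def make_key() -> bytes:
    """Generate a Fernet key the way Fernet.generate_key() does: 32 random bytes, base64url."""
    return base64.urlsafe_b64encode(os.urandom(32))


def split_key(key: bytes):
    """A Fernet key is two 16-byte halves: HMAC signing key first, AES-128 key second."""
    raw = base64.urlsafe_b64decode(key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to exactly 32 bytes")
    return raw[:16], raw[16:]


def build_token(key: bytes, ciphertext: bytes, iv: bytes, timestamp: int) -> bytes:
    """Assemble a token from an AES-CBC ciphertext produced elsewhere (layout only, no AES here)."""
    if len(iv) != 16 or len(ciphertext) % 16:
        raise ValueError("IV must be 16 bytes and ciphertext a multiple of the AES block size")
    signing_key, _ = split_key(key)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def inspect_token(key: bytes, token: bytes) -> dict:
    """Parse a token and check its HMAC against a candidate key without decrypting anything."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != FERNET_VERSION:
        raise ValueError("not a Fernet token")
    body, tag = raw[:-32], raw[-32:]
    timestamp = struct.unpack(">Q", body[1:9])[0]
    signing_key, _ = split_key(key)
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    return {
        "hmac_valid": hmac.compare_digest(expected, tag),
        "packed_at": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "iv": body[9:25].hex(),
        "ciphertext_len": len(body) - 25,
        "block_aligned": (len(body) - 25) % 16 == 0,
    }


# Constructed demo material (hypothetical, not values from the sample): a fixed key, an IV and
# 32 opaque bytes standing in for the AES-CBC ciphertext that main.py would carry.
DEMO_KEY = base64.urlsafe_b64encode(bytes(range(32)))
DEMO_IV = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_CIPHERTEXT = b"\xab" * 32
DEMO_TIMESTAMP = 1684454400  # 2023-05-19T00:00:00Z


def demo() -> dict:
    token = build_token(DEMO_KEY, DEMO_CIPHERTEXT, DEMO_IV, DEMO_TIMESTAMP)
    good = inspect_token(DEMO_KEY, token)
    # Flip one ciphertext byte: the tag no longer verifies, which is the same check Fernet
    # makes before it will decrypt, so a patched or truncated blob yields nothing.
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[30] ^= 0x01
    tampered = inspect_token(DEMO_KEY, base64.urlsafe_b64encode(bytes(raw)))
    # A wrong key fails the same way, which is how you confirm the key pulled from main.py.
    wrong_key = inspect_token(make_key(), token)
    return {"good": good, "tampered": tampered, "wrong_key": wrong_key}
```

The timestamp is worth recording in the analysis notes: Fernet stamps the token at encryption time, so it dates the packing of this build independently of the PE timestamp, which PyInstaller does not preserve from anything meaningful.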
According to the report, Offx Stealer, another stealer used in these CapCut phishing website scams, uses the same methodology to target its victims.
Offx Stealer is built from several sub-functions that together make up its functionality, including message, passwords, cookies, screen, zipper, send_message and rm.
The message function opens with a decoy: it shows the user a fake error message reading "The application could not start correctly (0xc0000142)." That is a genuine Windows error code (STATUS_DLL_INIT_FAILED), which makes the decoy convincing. The aim is to make the user believe the application or their system has a problem, so they dismiss the failed "installer" without suspecting malware.
The passwords function targets a variety of Chromium-based browsers, reading each browser's "Local State" file to obtain the encrypted master key.
That key is wrapped with Windows DPAPI; the stealer unwraps it (it can, because it runs in the logged-on user's context), obtaining the master key needed to decrypt the saved logins in the browser's "Login Data" database. The stolen credentials are written to a text file called "Passwords[browser-Name].txt".
Offx Stealer also reads the targeted browsers' cookie databases, retrieving session data and authentication tokens, which let an attacker replay a logged-in session without needing the password at all. This information is saved in a file called "Cookies[browser-Name].txt".
The screen function uses the ImageGrab module (from the Pillow imaging library) to take a screenshot, which is stored as "DesktopScreen.jpg" in a randomly generated directory under %appdata%.
CapCut phishing website scams and stealers
The threat actors specifically target cryptocurrency wallet applications including Exodus, Atomic, Ethereum, Coinomi, Bytecoin, Guarda and Zcash.
To harvest data from these applications, the stealer creates a ZIP archive of each targeted application folder and saves it in the randomly generated directory under %appdata%. It also scans the user's Desktop for files with specific extensions and copies them for exfiltration.
The gathered system information, including operating system details, machine type, processor information and the current date and time, is stored in a text file named "OS-Info[ip_ip-address].txt".
After collecting the data, the stealer builds a single compressed ZIP file whose name combines the user's name, country and a random string. This final archive contains all the files gathered so far.
The stealer then attempts to exfiltrate the final ZIP file to a Telegram channel via an HTTP POST request with the archive attached; the bot token and destination that make this work therefore have to be embedded in the malware itself.
If the transmission fails, the stealer falls back to AnonFiles, an anonymous file hosting service, uploading the ZIP there so the operator can fetch it later without the upload being tied to an identity.
To cover its tracks, the stealer finally deletes the randomly generated staging directory, removing the local copy of the stolen data.
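As an added example, not from the report: a stdlib-only script that turns the two exfiltration channels above into things a responder can act on. Given strings dumped from a sample, it pulls out the Telegram bot token (redacted for sharing), the Bot API method, the chat_id and the AnonFiles fallback endpoint; given web-proxy lines, it flags the requests that match those channels. The sample strings, log lines, token, chat_id and hosts are all constructed.

```python
import re
from typing import Dict, List, Tuple

# A Telegram bot token is "<numeric bot id>:<35-character secret>"; the Bot API embeds the
# whole token in the URL path, and sendDocument is the method that carries a file upload.
TOKEN_RE = re.compile(r"(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)")
CHAT_ID_RE = re.compile(r"chat_id[\"'=:\s]+(-?\d{6,})")
ANONFILES_RE = re.compile(r"https?://api\.anonfiles\.com/upload")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo"}


def redact_token(token: str) -> str:
    """Keep the bot id, which is not secret, and show only the edges of the secret half."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:3]}...{secret[-3:]}"


def extract_exfil_iocs(strings: List[str]) -> Dict[str, List[str]]:
    """Pull the Telegram/AnonFiles exfiltration indicators out of strings dumped from a sample."""
    tokens, methods, chat_ids = set(), set(), set()
    anonfiles = False
    for s in strings:
        for bot_id, secret in TOKEN_RE.findall(s):
            tokens.add(f"{bot_id}:{secret}")
        for _token, method in BOT_API_RE.findall(s):
            methods.add(method)
        chat_ids.update(CHAT_ID_RE.findall(s))
        if ANONFILES_RE.search(s):
            anonfiles = True
    return {
        "tokens": sorted(redact_token(t) for t in tokens),
        "bot_ids": sorted(t.split(":", 1)[0] for t in tokens),
        "methods": sorted(methods),
        "chat_ids": sorted(chat_ids),
        "fallback": ["anonfiles"] if anonfiles else [],
    }


def flag_proxy_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Flag outbound requests that match the stealer's primary and fallback exfil channels."""
    hits = []
    for i, line in enumerate(lines):
        m = BOT_API_RE.search(line)
        if m and m.group(2) in UPLOAD_METHODS:
            hits.append((i, f"telegram-bot-api:{m.group(2)}"))
        elif ANONFILES_RE.search(line):
            hits.append((i, "anonfiles-upload"))
    return hits


# Constructed inputs (hypothetical token, chat id and hosts; not indicators from the report).
DEMO_STRINGS = [
    "https://api.telegram.org/bot1234567890:AAHx-Yz0123456789abcdefghijklmnopqr/sendDocument",
    "chat_id=-1001234567890",
    "https://api.anonfiles.com/upload",
    "Passwords[",
    "Cookies[",
    "DesktopScreen.jpg",
    "The application could not start correctly (0xc0000142).",
]
DEMO_PROXY_LOG = [
    "2023-05-19T10:02:11Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAHx-Yz0123456789abcdefghijklmnopqr/sendDocument 200 183421",
    "2023-05-19T10:02:13Z 10.0.0.15 POST https://api.anonfiles.com/upload 200 183421",
    "2023-05-19T10:02:20Z 10.0.0.22 GET https://downloads.example.test/editor.exe 200 5120",
]
```

Two caveats for using this in anger. The bot token is a live credential for the operator's bot, so share the redacted form only and keep the full token for the takedown request; and legitimate automation also talks to api.telegram.org, so scope the proxy rule to file-upload methods from user workstations rather than alerting on every Bot API call.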
BatLoader campaign and RedLine Stealer
While investigating these CapCut phishing website scams, CRIL came across capcut-freedownload[.]com, a website hosting a RAR archive named CapCut_Pro_Edit_Video.rar. Inside the archive was a batch script named CapCut_Pro_Edit_Video.bat.
This batch file, with SHA256 hash 3eb99ff875dd397b5beed12e3662984cc4afdea2ff6998155b9c74869050d93c, went undetected by antivirus programs and security tools at the time of analysis.
RedLine Stealer extracts sensitive data from web browsers, including stored credentials and credit card details. It also gathers system inventory information such as usernames, location, hardware configuration and installed security software.
With the surge in popularity of new applications, threat actors take advantage of users' excitement, targeting them through fraudulent and malicious means.
CapCut users in particular face an increased risk because of the proliferation of CapCut phishing website scams. Users should exercise caution when downloading applications and obtain them only from legitimate sources such as the vendor's official website or the platform's app store.
Staying vigilant and keeping security software up to date will help protect against the rising tide of phishing campaigns and malware threats.