Phishing Campaigns Exploit CapCut’s Popularity to Deliver Multiple Stealers
Cyble Research and Intelligence Labs (CRIL) recently discovered a series of phishing websites posing as video editing software. These fraudulent sites lure users into downloading and executing various types of malware families such as stealers, RAT, etc. In these campaigns, Threat Actors (TAs) specifically targeted the CapCut video editing tool, a product of ByteDance, the same parent company that owns TikTok.
The increasing popularity of the application in various countries has made it an appealing lure for TAs over the past few years. Furthermore, with the ban imposed on CapCut by Taiwan, India, and several other countries, users might actively pursue alternative means to download the application, unknowingly putting themselves at risk of encountering these malicious websites.
Several TAs have been utilizing the CapCut phishing website as a platform to disseminate various malware families. One notable instance involved a phishing website hosting the Offx stealer, while in another campaign, a phishing website served as a host for BatLoader, subsequently delivering the redline stealer onto the targeted systems.
Technical Analysis
The stealer binary (SHA 256: 8dd5d02bb6313997fcaa6515ccb2308c37a81374baef188554ba20d23602c01c) is compiled using PyInstaller indicating that the stealer is coded in Python.
The figure below shows the file details.
The executable has been compiled using Python 3.9 and packaged through PyInstaller, restricting its execution to Windows 8 and newer versions.
After successfully extracting the installer, accessing the underlying Python script becomes feasible. The main.py code within the script imports the Fernet class from the cryptography.fernet module and performs the decryption.
The image below displays the raw content of the Python script.
After decrypting the content, the main functionality of the Offx Stealer is composed of various sub-functions, namely message, passwords, cookies, screen, zipper, send_message, and rm.
The image below presents a partial view of the decrypted script.
Each of these functions serves a distinct purpose and contributes to the overall functionality of the Offx Stealer. Additionally, before initiating the stealing activity, the malware creates a directory with a randomly generated name in the %appdata% location to save the stolen data from the victim’s machine.
Message
Upon execution, the stealer executes a message() function, which displays a message box to the user. The message box contains the error message “The application could not start correctly (0xc0000142). Click OK to close the application.”
It is likely used as a deceptive technique to trick users into believing that there is an issue with the application or system, prompting them to act or close the application. The below figure shows the Fake Message box.
Passwords
The function reads and parses through the ‘Local State’ file of multiple browsers specified in the table below. The ‘Local State’ file contains encrypted keys that browsers use to decrypt information from their respective ‘Login Data’ files. The function extracts the encrypted key from the ‘Local State’ file and decrypts it using the win32crypt.CryptUnprotectData() function. This decryption process yields the master key necessary for decrypting the login information stored in the respective browser’s ‘Login Data’ files.
| Torch | Kometa | Orbitum |
| Cent-browser | A7star | Sputnik |
| Vivaldi | GoogleSxS | Google-chrome |
| Epic-privacy-browser | Microsoft | Uran |
| Yandex | Brave | Iridium\OperaGx |
| Opera | ||
After obtaining the master key, Offx Stealer gains access to the ‘Login Data’ file, located at “AppData\Local\Browser-Name\User Data\Default\Login Data”. This file stores usernames and passwords for various websites in SQLite format. To extract the credentials from the Login Data file, the malware executes a SQL query targeting specific fields such as:
- action_url
- origin_url
- username_value
- password_value
The harvested information is subsequently stored in a text file named “Passwords[{browser-Name}].txt” within a randomly generated directory that was created in the initial stage, located in the “%appdata%” directory.
Cookies
Offx Stealer also retrieves data from the cookie files located at “AppData\Local\Browser-name\User Data\Default\Network\Cookies”. It executes an SQL query to extract specific fields, such as
- host_key, name
- encrypted_value
By querying and extracting data from these fields, the malware can gather information from the cookie files, including session data, authentication tokens, or other user-specific information associated with websites visited by the victim. The extracted information is then saved in a file named “Cookies[{browser-Name}].txt”.
Screen (Grabber)
The “screen” function captures a screenshot using the ImageGrab module and saves it as “DesktopScreen.jpg” within a randomly generated directory created in the %appdata% location.
Offx Stealer specifically targets messaging applications like Discord and Telegram. It also targets remote desktop applications such as UltraViewer and AnyDesk and various cryptocurrency wallet apps like Exodus, Atomic, Ethereum, Coinomi, Bytecoin, Guarda, and Zcash. The primary objective of Offx Stealer is to extract sensitive information from these targeted applications.
To achieve this, Offx Stealer attempts to retrieve and create ZIP archives for each targeted application folder in the following format and saves them in the randomly generated folder created in the %appdata% location for exfiltration.
- \\Application-Name\\Application-Name.zip
The below image shows the targeted applications and their paths.
Next, the stealer proceeds to scan the user’s Desktop for files with specific extensions, including .txt, .lua, .pdf, .png, .jpg, .jpeg, .py, .cpp, and .db. It then copies these identified files and moves them for exfiltration.
Finally, the malware gathers system information and stores it in a text file named “OS-Info[ip_ip-address].txt” within the randomly generated folder. This file contains details such as the operating system, machine type, version, processor information, as well as the current date and time. The image below illustrates the newly generated files that contain the extracted stolen information from the victim’s machine.
Zipper and Send Message
After gathering all the necessary data, the stealer proceeds to create a compressed ZIP file. The name of this ZIP file is generated by combining the user name, country, and a random string in the format “{User_Name}_{country}_{random_str}.zip”. All the files that have been previously obtained are included in this final ZIP archive.
Using the final ZIP file, the stealer proceeds to exfiltrate the data through the Telegram channel. This is achieved by making a POST request and including the final ZIP as an attachment. If the data is successfully transmitted via Telegram, a message is sent to the TAs containing additional information such as the country, IP address, and current time.
If transmitting the final ZIP file through Telegram encounters an error, the stealer employs AnonFiles as an alternative method. AnonFiles is a file hosting service designed for anonymous file storage and sharing. It provides a platform for the stealer to securely store and share the ZIP file without revealing the uploader’s identity.
The stealer takes measures to conceal its activities as a final step by deleting the randomly generated directory created in the %appdata% location. This directory was previously utilized to store all the pilfered information, and its removal helps to conceal the traces of the stolen data.
BATLoader Campaign
During the investigation, CRIL discovered another website called capcut-freedownload[.]com. This website hosts a rar archive file named CapCut_Pro_Edit_Video.rar. Inside the archive, there is a batch script named CapCut_Pro_Edit_Video.bat. The batch file has a SHA256 hash value of 3eb99ff875dd397b5beed12e3662984cc4afdea2ff6998155b9c74869050d93c. Notably, at the time of analysis, the batch file had not been detected by any antivirus engine, as shown below.
The below figure shows the phishing site hosting BAT Loader.
After executing the BAT file, it triggers a Powershell script that executes a sequence of actions. These actions involve decryption, decompression, and loading the final payload as a .NET assembly. In this particular campaign, the BAT Loader drops two executables: the Redline Stealer and a .NET executable file responsible for performing an Antimalware Scan Interface (AMSI) bypass.
The entire process of this operation is described in detail in the accompanying figure.
RedLine Stealer is malicious software that extracts sensitive data from web browsers, including stored credentials, autocomplete information, and credit card details. When deployed on a target system, RedLine Stealer also conducts a comprehensive system inventory, collecting data such as the username, location, hardware configuration, and information about installed security software.
Conclusion
Taking advantage of the growing popularity of new applications, threat actors (TAs) such as the ones behind CapCut are actively exploiting the excitement surrounding them. They specifically target unsuspecting users by distributing fraudulent and malicious applications. This trend is particularly evident with CapCut users, as TAs continuously focus their efforts on targeting them by deploying malicious phishing websites.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:
- The initial infection may happen via spam emails or phishing websites, so enterprises should use security products to detect phishing emails and websites.
- Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Execution | T1059 T1204 | Command and Scripting Interpreter User Execution |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1555 T1539 T1552 T1528 | Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials Steal Application Access Token |
| Collection | T1113 | Screen Capture |
| Impact | T1486 T1490 | Data encrypted for impact Inhibit System Recovery |
| Command and Control | T1095 T1071 | Non-Application Layer Protocol Application Layer Protocol |
| Exfiltration | T1567 T1041 | Exfiltration Over Web Service Exfiltration Over C&C Channel |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 8dd5d02bb6313997fcaa6515ccb2308c37a81374baef188554ba20d23602c01c 558d420e943e28399915ff504be8b188b7445296 fc959c2a5b46b1b51003c688cdc384fa | Sha256 Sha1 Md5 | Offx Stealer |
| e9e17c06b5fb1dd95e9622703f8ea55be67ceb6435e7aba688784a854c85aef2 b8725a0c47ac37475134996bb1711f61ce73279e 7876ff8df973e126f512169fb021c85a | Sha256 Sha1 Md5 | Offx Stealer |
| capcut-freedownload[.]com | Domain | Phishing websites |
| capcutfreedownload[.]com | Domain | Phishing websites |
| capcut-editor-video[.]com | Domain | Phishing websites |
| capcutdownload[.]com | Domain | Phishing websites |
| capcutpc-download[.]com | Domain | Phishing websites |
| 3eb99ff875dd397b5beed12e3662984cc4afdea2ff6998155b9c74869050d93c bd62756f0c9a7b1351d95a4f89e4a2703fe3e8b1 8eac2855d5a48ec13d6d71a463f40e27 | Sha256 Sha1 Md5 | BATLoader Batch File |
| 0e06d91d1d9e7cecc1c2553076fd0df71fc4fe2081b7bd0b6dd25b0ce6b98788 825c448b5ef5f85e13aae802ca31532f0cf3cae4 ae9ca12bd7d797aa7dc7fe4b8584251f | Sha256 Sha1 Md5 | RedLine Stealer |
| e68c2cb879dfb35b9685e966ec0e9f461d2085e67a284888bf2deec93040359c 9f68f5c80fbf35cce6f3a1309ae4ef1acd81f631 919892434c49fa33abb1fa9eae64355c | Sha256 Sha1 Md5 | AMSI Bypass Executable |
