Cyble – CapCut Users Under Fire

Phishing Campaigns Exploit CapCut’s Popularity to Deliver Multiple Stealers

Cyble Research and Intelligence Labs (CRIL) recently discovered a series of phishing websites posing as video editing software. These fraudulent sites lure users into downloading and executing various types of malware families such as stealers, RAT, etc. In these campaigns, Threat Actors (TAs) specifically targeted the CapCut video editing tool, a product of ByteDance, the same parent company that owns TikTok.

The increasing popularity of the application in various countries has made it an appealing lure for TAs over the past few years. Furthermore, with the ban imposed on CapCut by Taiwan, India, and several other countries, users might actively pursue alternative means to download the application, unknowingly putting themselves at risk of encountering these malicious websites.

Several TAs have been utilizing the CapCut phishing website as a platform to disseminate various malware families. One notable instance involved a phishing website hosting the Offx stealer, while in another campaign, a phishing website served as a host for BatLoader, subsequently delivering the redline stealer onto the targeted systems.  

Figure 1 Phishing site
Figure 1 – Phishing site

Technical Analysis

The stealer binary (SHA 256: 8dd5d02bb6313997fcaa6515ccb2308c37a81374baef188554ba20d23602c01c) is compiled using PyInstaller indicating that the stealer is coded in Python.

The figure below shows the file details.

Figure 2 File Details 2
Figure 2 – File Details

The executable has been compiled using Python 3.9 and packaged through PyInstaller, restricting its execution to Windows 8 and newer versions.

Figure 3 Python version
Figure 3 -Python version

After successfully extracting the installer, accessing the underlying Python script becomes feasible. The main.py code within the script imports the Fernet class from the cryptography.fernet module and performs the decryption.

The image below displays the raw content of the Python script.

Figure 4 Obfuscated Script
Figure 4 – Obfuscated Script

After decrypting the content, the main functionality of the Offx Stealer is composed of various sub-functions, namely message, passwords, cookies, screen, zipper, send_message, and rm.

The image below presents a partial view of the decrypted script.

Figure 5 Partial content of the script
Figure 5 – Partial content of the script

Each of these functions serves a distinct purpose and contributes to the overall functionality of the Offx Stealer. Additionally, before initiating the stealing activity, the malware creates a directory with a randomly generated name in the %appdata% location to save the stolen data from the victim’s machine. 

Message

Upon execution, the stealer executes a message() function, which displays a message box to the user. The message box contains the error message “The application could not start correctly (0xc0000142). Click OK to close the application.”

It is likely used as a deceptive technique to trick users into believing that there is an issue with the application or system, prompting them to act or close the application. The below figure shows the Fake Message box.

Figure 6 Fake msg
Figure 6 – Fake msg box

Passwords

The function reads and parses through the ‘Local State’ file of multiple browsers specified in the table below. The ‘Local State’ file contains encrypted keys that browsers use to decrypt information from their respective ‘Login Data’ files. The function extracts the encrypted key from the ‘Local State’ file and decrypts it using the win32crypt.CryptUnprotectData() function. This decryption process yields the master key necessary for decrypting the login information stored in the respective browser’s ‘Login Data’ files.

Torch Kometa Orbitum
Cent-browser A7star Sputnik
Vivaldi GoogleSxS Google-chrome
Epic-privacy-browser Microsoft Uran
Yandex Brave IridiumOperaGx
Opera  

After obtaining the master key, Offx Stealer gains access to the ‘Login Data’ file, located at “AppDataLocalBrowser-NameUser DataDefaultLogin Data”. This file stores usernames and passwords for various websites in SQLite format. To extract the credentials from the Login Data file, the malware executes a SQL query targeting specific fields such as:

  • action_url
  • origin_url
  • username_value
  • password_value

The harvested information is subsequently stored in a text file named “Passwords[{browser-Name}].txt” within a randomly generated directory that was created in the initial stage, located in the “%appdata%” directory.

Cookies

Offx Stealer also retrieves data from the cookie files located at “AppDataLocalBrowser-nameUser DataDefaultNetworkCookies”. It executes an SQL query to extract specific fields, such as

  • host_key, name
  • encrypted_value

By querying and extracting data from these fields, the malware can gather information from the cookie files, including session data, authentication tokens, or other user-specific information associated with websites visited by the victim. The extracted information is then saved in a file named “Cookies[{browser-Name}].txt”.

Screen (Grabber)

The “screen” function captures a screenshot using the ImageGrab module and saves it as “DesktopScreen.jpg” within a randomly generated directory created in the %appdata% location.

Offx Stealer specifically targets messaging applications like Discord and Telegram. It also targets remote desktop applications such as UltraViewer and AnyDesk and various cryptocurrency wallet apps like Exodus, Atomic, Ethereum, Coinomi, Bytecoin, Guarda, and Zcash. The primary objective of Offx Stealer is to extract sensitive information from these targeted applications.

To achieve this, Offx Stealer attempts to retrieve and create ZIP archives for each targeted application folder in the following format and saves them in the randomly generated folder created in the %appdata% location for exfiltration.

  • Application-NameApplication-Name.zip

The below image shows the targeted applications and their paths.

Figure 7 Targeted applications path
Figure 7 – Targeted applications path

Next, the stealer proceeds to scan the user’s Desktop for files with specific extensions, including .txt, .lua, .pdf, .png, .jpg, .jpeg, .py, .cpp, and .db. It then copies these identified files and moves them for exfiltration.

Finally, the malware gathers system information and stores it in a text file named “OS-Info[ip_ip-address].txt” within the randomly generated folder. This file contains details such as the operating system, machine type, version, processor information, as well as the current date and time. The image below illustrates the newly generated files that contain the extracted stolen information from the victim’s machine.

Figure 8 Directory containing stolen data
Figure 8 – Central directory for Offx stealer

Zipper and Send Message

After gathering all the necessary data, the stealer proceeds to create a compressed ZIP file. The name of this ZIP file is generated by combining the user name, country, and a random string in the format “{User_Name}_{country}_{random_str}.zip”. All the files that have been previously obtained are included in this final ZIP archive.

Using the final ZIP file, the stealer proceeds to exfiltrate the data through the Telegram channel. This is achieved by making a POST request and including the final ZIP as an attachment. If the data is successfully transmitted via Telegram, a message is sent to the TAs containing additional information such as the country, IP address, and current time.

If transmitting the final ZIP file through Telegram encounters an error, the stealer employs AnonFiles as an alternative method. AnonFiles is a file hosting service designed for anonymous file storage and sharing. It provides a platform for the stealer to securely store and share the ZIP file without revealing the uploader’s identity.

The stealer takes measures to conceal its activities as a final step by deleting the randomly generated directory created in the %appdata% location. This directory was previously utilized to store all the pilfered information, and its removal helps to conceal the traces of the stolen data.

BATLoader Campaign

During the investigation, CRIL discovered another website called capcut-freedownload[.]com. This website hosts a rar archive file named CapCut_Pro_Edit_Video.rar. Inside the archive, there is a batch script named CapCut_Pro_Edit_Video.bat. The batch file has a SHA256 hash value of 3eb99ff875dd397b5beed12e3662984cc4afdea2ff6998155b9c74869050d93c. Notably, at the time of analysis, the batch file had not been detected by any antivirus engine, as shown below.

Figure 9 No Security Vendor Tagged the file as Malicious
Figure 9 – No Security Vendor Tagged the file as Malicious

The below figure shows the phishing site hosting BAT Loader.

Figure 10 Phishing Website Hosting BATLoader
Figure 10 – Phishing Website Hosting BATLoader

After executing the BAT file, it triggers a Powershell script that executes a sequence of actions. These actions involve decryption, decompression, and loading the final payload as a .NET assembly. In this particular campaign, the BAT Loader drops two executables: the Redline Stealer and a .NET executable file responsible for performing an Antimalware Scan Interface (AMSI) bypass.

The entire process of this operation is described in detail in the accompanying figure.

Figure 11 Process Flow of BATLoader
Figure 11 – Process Flow of BATLoader Execution

RedLine Stealer is malicious software that extracts sensitive data from web browsers, including stored credentials, autocomplete information, and credit card details. When deployed on a target system, RedLine Stealer also conducts a comprehensive system inventory, collecting data such as the username, location, hardware configuration, and information about installed security software.

Conclusion

Taking advantage of the growing popularity of new applications, threat actors (TAs) such as the ones behind CapCut are actively exploiting the excitement surrounding them. They specifically target unsuspecting users by distributing fraudulent and malicious applications. This trend is particularly evident with CapCut users, as TAs continuously focus their efforts on targeting them by deploying malicious phishing websites.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:  

  • The initial infection may happen via spam emails or phishing websites, so enterprises should use security products to detect phishing emails and websites.
  • Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware. 
  • Use strong passwords and enforce multi-factor authentication wherever possible.   
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.  
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.   
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.  
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez. 
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

Tactic  Technique ID  Technique Name 
     
Initial Access T1566 Phishing
Execution T1059   
T1204
Command and Scripting Interpreter  
User Execution
Defense Evasion T1027 Obfuscated Files or Information
Credential Access T1555  
T1539  
T1552  
T1528
Credentials from Password Stores  
Steal Web Session Cookie  
Unsecured Credentials  
Steal Application Access Token
Collection T1113 Screen Capture
Impact T1486  
T1490
 Data encrypted for impact  
Inhibit System Recovery
Command and Control T1095  
T1071
Non-Application Layer Protocol  
Application Layer Protocol  
Exfiltration T1567  
T1041 
Exfiltration Over Web Service  
Exfiltration Over C&C Channel

Indicators of Compromise (IOCs)

Indicators  Indicator  
Type 
Description 
8dd5d02bb6313997fcaa6515ccb2308c37a81374baef188554ba20d23602c01c 558d420e943e28399915ff504be8b188b7445296
fc959c2a5b46b1b51003c688cdc384fa
Sha256 
Sha1
Md5
Offx  Stealer
e9e17c06b5fb1dd95e9622703f8ea55be67ceb6435e7aba688784a854c85aef2 b8725a0c47ac37475134996bb1711f61ce73279e
7876ff8df973e126f512169fb021c85a
Sha256
Sha1
Md5
Offx  Stealer
capcut-freedownload[.]com Domain Phishing websites
capcutfreedownload[.]com Domain Phishing websites
capcut-editor-video[.]com Domain Phishing websites
capcutdownload[.]com Domain Phishing websites
capcutpc-download[.]com Domain Phishing websites
3eb99ff875dd397b5beed12e3662984cc4afdea2ff6998155b9c74869050d93c bd62756f0c9a7b1351d95a4f89e4a2703fe3e8b1
8eac2855d5a48ec13d6d71a463f40e27
Sha256 Sha1
Md5
BATLoader Batch File
0e06d91d1d9e7cecc1c2553076fd0df71fc4fe2081b7bd0b6dd25b0ce6b98788 825c448b5ef5f85e13aae802ca31532f0cf3cae4
ae9ca12bd7d797aa7dc7fe4b8584251f
Sha256 Sha1
Md5
RedLine Stealer
e68c2cb879dfb35b9685e966ec0e9f461d2085e67a284888bf2deec93040359c 9f68f5c80fbf35cce6f3a1309ae4ef1acd81f631
919892434c49fa33abb1fa9eae64355c
Sha256 Sha1
Md5
AMSI Bypass Executable

Source: https://blog.cyble.com/2023/05/19/capcut-users-under-fire/