Summary: Cyble Research and Intelligence Labs (CRIL) has uncovered a phishing campaign that impersonates a CapCut download page, aiming to distribute malicious software. The attack employs a sophisticated multi-stage process that utilizes reputation hijacking techniques to deliver a variant of NodeStealer, which captures sensitive user information.
Threat Actor: Unknown | Vietnam-based threat actor
Victim: Users of CapCut | CapCut
Key Point :
- Phishing site masquerades as a legitimate CapCut download page to distribute malware.
- Utilizes a legitimate CapCut application alongside the JamPlus build utility to execute malicious scripts and evade detection.
- Final payload, NodeStealer, is designed to exfiltrate sensitive user information via a Telegram channel.
- Employs a multi-stage infection process that includes downloading and executing hidden malicious files.
- Recommendations include verifying URLs, implementing application whitelisting, and monitoring for unusual activities.
Key takeaways
- Cyble Research and Intelligence Labs (CRIL) has detected a phishing site masquerading as a CapCut download page. The site aims to trick users into downloading malicious software.
- Threat actors (TAs) have leveraged a reputation-hijacking technique by embedding a legitimate CapCut-signed application within the malicious downloaded package, exploiting the trustworthiness of well-known apps to bypass security systems.
- This campaign utilizes a recently demonstrated proof-of-concept (PoC) that repurposes the JamPlus build utility to execute malicious scripts while evading detection.
- The attack unfolds in multiple stages, employing a mix of legitimate tools, fileless methods, and reputed code repositories such as GitHub to seem legitimate and effectively circumvent traditional security measures.
- This campaign’s final payload is a variant of NodeStealer, designed to capture sensitive user information and exfiltrate it through a Telegram channel.
Overview
CapCut, a video editing tool developed by Bytedance, has become increasingly popular. This popularity has extended to CapCut-themed attacks, which are on the rise among TAs. These themes have been frequently used in phishing campaigns. Cyble Research & Intelligence Labs (CRIL) previously identified several phishing websites impersonating the CapCut video editor, and we have discussed these findings in our earlier blog posts. Our latest research discovers a new CapCut-themed campaign deploying stealers such as NodeStealer.
Additionally, TAs have adopted a recently identified technique of reputation hijacking with the JamPlus build utility to deliver final payloads to victims’ systems. This new tactic highlights an evolving trend in attack strategies aimed at bypassing security controls and increasing the success rate of malicious campaigns.
The initial infection occurs when a user downloads a malicious package from a CapCut phishing site. The package contains a legitimate CapCut application, JamPlus build utility, and a malicious”.lua” script. When the user runs the legitimate CapCut application, it triggers the JamPlus build utility, which then executes a malicious “.lua” script. This process utilizes reputation hijacking to mask the execution of the malicious script. This script then downloads a batch file that subsequently fetches and executes the final payload from a remote server. The TAs aim to maintain fileless payloads wherever possible.
This multi-stage process ultimately deploys a stealer payload that resembles NodeStealer. The image below provides an overview of the infection chain.
Technical Details
In this campaign, TAs trick users into downloading a malicious package disguised as a CapCut installer from a phishing site, as shown below.
When the user clicks the “Download” button on the phishing site, it initiates the download of an archive named “CapCut_{random number}_Installer” from the URL: “hxxps://www[.]dropbox[.]com/scl/fi/6se0kgmo7sbngtdf8r11x/CapCut_7376550521366298640_installer.zip?rlkey=7fxladl3fdhpne6p7buz48kcl&st=pzxtrcqc&dl=1”.
Upon extracting the downloaded archive, the user encounters what appears to be a CapCut installer; however, it is a legitimate CapCut application rather than an installer, as shown in Figure 3. The package also includes hidden files intended for malicious activities.
After revealing the hidden files, we discovered that the package contains the JamPlus build utility and a malicious “.lua” script, as shown below.
By default, launching the CapCut shortcut from the desktop runs the CapCut application located at “C:Users<User_Name>AppDataLocalCapCutAppscapcut.exe”. This “capcut.exe” file identifies the latest CapCut application version and then executes the appropriate application from the corresponding folder, as shown below.
In this campaign, TA leveraged this technique by trying to execute a renamed JamPlus build utility instead of the actual CapCut application, as shown below.
In our tests, the JamPlus utility was not executed because the file did not have the expected name, “capcut.exe,” indicating a possible error by the TA in naming the file. However, renaming the file to “capcut.exe” successfully triggers the execution of the JamPlus Build utility.
Upon successful execution, the builder reads instructions from a “. jam” file, which is configured to identify the malicious “.lua” script, as shown below.
After identifying the malicious “.lua” script, the JamPlus build utility loads the “.lua” script file, which executes a shell command, as shown in the figure below. This command employs “curl” to silently download a batch file from a remote server and save it as “C:UsersPublicsteal.bat.” It then executes the downloaded batch file.
This approach demonstrates how TAs utilized a legitimate CapCut application with JamPlus build utility to evade Smart App Control and avoid triggering security alerts.
The batch file contains multiple PowerShell commands that perform the following actions:
1. Downloads a file named “WindowSafety.bat” from a remote URL “hxxps://raw[.]githubusercontent.com/LoneNone1807/batman/main/startup” and saves it in the startup folder, ensuring it runs automatically at the next system startup.
2. Downloads a ZIP file named “Document.zip” from another remote URL “hxxps://github[.]com/LoneNone1807/batman/raw/main/Document.zip” and saves it in the public directory (C:UsersPublicDocument.zip).
3. Extracts the contents of “Document.zip” into a folder named “Document” within the public directory (“C:UsersPublicDocument”).
4. Finally, the batch script executes a Python script named “sim.py”, located in the extracted folder.
The image below shows the contents of the Python script.
The newly launched Python script retrieves base64-encoded data from a new remote server, as highlighted in the above image, decodes it, and executes the resulting payload directly in memory without saving it to disk. This payload is a Python-based information-stealing malware identified as NodeStealer.
NodeStealer
NodeStealer is a sophisticated malware that targets a wide range of sensitive data on a victim’s machine. It steals login credentials, cookies, credit card details, and autofill data from both Chromium-based and Gecko-based web browsers. Additionally, it extracts information from Facebook Ads Manager, Facebook Business accounts, and Facebook API graph pages. NodeStealer also targets browser extensions, including crypto wallets, password managers, VPNs, and gaming applications. All the collected information is then exfiltrated to the TAs via Telegram. This attack has been attributed to a threat actor operating from Vietnam.
Broader pattern of attacks
We have also identified another campaign where TAs used similar techniques to deliver RedLine Stealer. In this campaign, they employed a legitimately signed Postman application in conjunction with the JamPlus build utility. The image below shows that the malicious package includes the Postman application.
Conclusion
The successful hijacking of reputable applications and the JamPlus build utility illustrates a sophisticated method for bypassing Smart App Control without triggering security alerts. This approach significantly elevates the complexity and effectiveness of cyberattacks, complicating detection and defense efforts. The deployment of NodeStealer, which targets sensitive information from the victim’s system, highlights the growing concerns and difficulties within the cybersecurity landscape.
Recommendations
- Before accessing or downloading from any site, it is essential to diligently verify the URLs.
- Consider disabling or limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.
- Implement comprehensive monitoring and logging to detect unusual activities associated with reputable applications.
- Employ application whitelisting to ensure that only approved applications can run on systems. This helps prevent unauthorized applications from executing.
- Stay updated with the latest threat intelligence and cybersecurity trends to understand new tactics and techniques used by attackers. This knowledge helps in adapting defense strategies accordingly.
- Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Initial Access (TA0027) | Phishing (T1660) | Malware distribution via phishing site |
Execution (TA0002) | User Execution (T1204) | The user needs to manually execute the file downloaded from the phishing site. |
Execution (TA0002) | Python (T1059.006) | Python stealer is used for targeting Windows users |
Defense Evasion (TA0005) | Masquerading (T1036.008) | Downloads file disguised as a legitimate application. |
Credential Access (TA0006) | Steal Web Session Cookie (T1539) | Steals browser cookies |
Collection (TA0009) | Archive Collected Data (T1560) |
Stealer compresses the stolen data with ZIP extension. |
Exfiltration(TA0010) | Exfiltration Over Web Service (T1567) | Uses Telegram channel to exfiltrate data |
Indicators of Compromise (IOCs)
Indicators | Indicator Type |
Description |
8e6bbe8ac1ecdd230a4dcafa981ff00663fae06f7b85b117a87917b6f04f894f | SHA256 | CapCut_7376550521366298640_installer.zip |
4e213bd0a127f1bb24c4c0d971c2727097b04eed9c6e62a57110d168ccc3ba10 | SHA256 | JamPlus Builder – POC file |
56d3ba2b661e8d8dfe38bcef275547546b476c35d18aa4ec89eea73c2e2aeb7c | SHA256 | Python Stealer |
hxxps://raw[.]githubusercontent[.]com/LoneNone1807/batman/main/steal[.]bat | URL | Remote server |
hxxps://cap-cutdownload[.]com/ | URL | Phishing site |
169f7d182f7838b75737c23e1b08c4b6b303d2d6a1cb73cdb87bd9644878a027 | SHA256 | Copyright-infringement-images.zip |
References
https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+Redline/31204
https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business
https://www.elastic.co/security-labs/dismantling-smart-app-control
Related
Source: https://cyble.com/blog/reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac