Beware! CapCut Phishing Website Scams Target Video Editors

by admin
May 23, 2023
in Cyber insurance
As the popularity of the CapCut video editing tool continues to soar, with over 200 million monthly active users in the US alone, threat actors (TAs) have seized the opportunity to exploit video editors with CapCut phishing websites.

Cyble Research and Intelligence Labs (CRIL) recently discovered a series of phishing sites impersonating CapCut, tricking unsuspecting victims into installing malware such as stealers and BatLoader.

Since countries like the USA, India and Taiwan have started banning or restricting the use of Chinese-origin apps like CapCut, netizens are looking for other ways to edit their videos.

Unfortunately, this has inadvertently exposed them to the risk of ending up on fraudulent sites masquerading as legitimate CapCut download resources.

CapCut phishing website scams: how do they work?


For these CapCut phishing website scams to work, threat actors have set up phishing websites that come preloaded with malware, RATs, and other malicious applications.

The CRIL team also found traces of several stealers, such as Offx and RedLine, during their research. The primary goal of these stealers is to collect information about the victim and use it for malicious purposes.

The security researchers carried out an in-depth analysis of the modus operandi of these CapCut phishing website scams. The threat actor uses the Python programming language to target its victims, and one of the stealer binaries identified, with a SHA256 hash of 8dd5d02bb6313997fcaa6515ccb2308c37a81374baef188554ba20d23602c01c, was compiled using PyInstaller.


The compiled executable, which is only available for Windows 8 and later, uses Python 3.9 and is packaged with PyInstaller. This packaging restricts the malware's execution to those operating systems.

Researchers gained access to the underlying Python script after successfully unpacking the PyInstaller executable.

Notably, the script's main.py file imports the Fernet class from the cryptography.fernet module and performs decryption operations.
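The report identifies the stealer by its SHA256 hash and by its PyInstaller packaging. The following Python triage helper is an added example, not code from the Cyble report or from this page: it checks a downloaded file against the two SHA256 values quoted in the article and looks for the archive cookie that PyInstaller writes into every bundle it builds (the magic bytes are PyInstaller's own; the function names and the "needs_review" heuristic are this example's assumptions).

```python
"""Static triage for suspected CapCut-themed downloads.

Added example (not from the Cyble report). It hashes a file, compares the
digest with the two SHA256 IoCs quoted in the article, and checks for the
PyInstaller CArchive cookie that every PyInstaller-built executable carries.
"""
import hashlib

# SHA256 values quoted in the report.
KNOWN_BAD_SHA256 = {
    "8dd5d02bb6313997fcaa6515ccb2308c37a81374baef188554ba20d23602c01c":
        "Python stealer binary (PyInstaller, Python 3.9)",
    "3eb99ff875dd397b5beed12e3662984cc4afdea2ff6998155b9c74869050d93c":
        "CapCut_Pro_Edit_Video.bat (BatLoader script)",
}

# Cookie magic PyInstaller writes at the start of its archive trailer
# (b'MEI\014\013\012\013\016' in PyInstaller's own source).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def triage_bytes(data: bytes, name: str = "<memory>") -> dict:
    """Return a triage record for an in-memory file image."""
    digest = hashlib.sha256(data).hexdigest()
    is_bundle = PYINSTALLER_MAGIC in data
    return {
        "name": name,
        "sha256": digest,
        "known_ioc": KNOWN_BAD_SHA256.get(digest),  # None unless it is a listed hash
        "pyinstaller": is_bundle,                    # True for PyInstaller bundles
        # Heuristic (assumption): PyInstaller alone is not malicious, but a
        # "CapCut installer" that turns out to be a PyInstaller-packed Python
        # program matches the campaign's tooling and deserves a closer look.
        "needs_review": digest in KNOWN_BAD_SHA256 or is_bundle,
    }


def triage_file(path: str) -> dict:
    """Hash a file on disk; reading it fully is fine for installer-sized files."""
    with open(path, "rb") as fh:
        return triage_bytes(fh.read(), path)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        r = triage_file(p)
        if r["known_ioc"]:
            flag = "IOC MATCH: " + r["known_ioc"]
        elif r["pyinstaller"]:
            flag = "PyInstaller bundle, review"
        else:
            flag = "no indicator"
        print(f"{r['sha256']}  {r['name']}  {flag}")
```

Run it as `python triage.py CapCut_Setup.exe` on a quarantined download; a hash match is conclusive, while the PyInstaller flag only says the file is worth a sandbox run.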


According to the report, another stealer used in the CapCut phishing website scams, Offx Stealer, also uses the same method to target its victims.

The Offx Stealer contains various sub-functions that contribute to its overall operation; message, passwords, cookies, screen, zipper, send_message, and rm are examples.


The message function begins a deceptive tactic by presenting users with a fake error message that reads, "The application was unable to start correctly (0xc0000142)." This tactic attempts to dupe users into thinking there is a problem with the application or their system, prompting them to take action or close the application.


The passwords function targets a variety of browsers, processing their 'Local State' files for encrypted keys.

These keys are then decrypted, yielding the master key required to access the login data contained in each browser's 'Login Data' files. The stolen data is saved in a text file called "Passwords[browser-Name].txt."

Offx Stealer also obtains data from the targeted browsers' cookie files, retrieving critical information such as session data and authentication tokens. This information is saved in a file called "Cookies[browser-Name].txt."

The screen function uses the ImageGrab module to take a screenshot, which is subsequently saved as "DesktopScreen.jpg" in a randomly generated directory within the %appdata% directory.

CapCut phishing website scams and stealers

The CapCut phishing website scams often operate on platforms like Discord and Telegram and remote desktop applications like UltraViewer and AnyDesk.

The threat actors specifically target cryptocurrency wallet apps like Exodus, Atomic, Ethereum, Coinomi, Bytecoin, Guarda, and Zcash.

To extract sensitive information from these applications, the stealer attempts to create ZIP archives for each targeted application folder, saving them in the randomly generated directory within the %appdata% location. It also scans the user's Desktop for specific file extensions and copies them for exfiltration.

The gathered system information, including operating system details, machine type, processor information, and current date and time, is saved in a text file named "OS-Data[ip_ip-address].txt."

Data exfiltration

After collecting all the required data, the stealer creates a compressed ZIP file with a unique name combining the user's name, country, and a random string. This final ZIP archive includes all of the previously obtained files.

The stealer then attempts to exfiltrate the final ZIP file through a Telegram channel using a POST request with the ZIP file attached.

In case of transmission errors, the stealer falls back to AnonFiles, an anonymous file hosting service, to store and share the ZIP file without revealing the uploader's identity.

To cover its tracks, the stealer deletes the randomly generated directory used to store the stolen information, effectively concealing the traces of the pilfered data.

BATLoader campaign and RedLine stealer
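The artifact names, staging location, exfiltration hosts and cleanup step described above give a defender a concrete behavioural chain to look for. The detection logic below is an added example, not code from the Cyble report or from this page; it runs over a small constructed set of endpoint events (file creation, outbound requests, directory deletion) and raises an alert when one process writes the report's artifact names under %appdata%, stages a ZIP there and then POSTs to the Telegram bot API or AnonFiles, and afterwards removes its staging directory. The event schema, the sample events, the process names treated as legitimate Telegram clients, and the rule names are all this example's assumptions.

```python
"""Behavioural detection for the Offx Stealer chain described in the report.

Added example, not Cyble's code. Events are dicts with a "type" key:
  file_create  -> pid, process, path
  net_request  -> pid, process, method, host
  dir_delete   -> pid, process, path
The schema and the sample data below are constructed for this example.
"""
import re
from collections import defaultdict

# File names the report attributes to Offx Stealer, as anchored regexes.
ARTIFACT_PATTERNS = [
    re.compile(r"^Passwords\[.+\]\.txt$", re.I),
    re.compile(r"^Cookies\[.+\]\.txt$", re.I),
    re.compile(r"^DesktopScreen\.jpg$", re.I),
    re.compile(r"^OS-Data\[.+\]\.txt$", re.I),
]
# %appdata% resolves to ...\AppData\Roaming on Windows.
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
# Telegram bot API (POST upload) and the AnonFiles fallback named in the report.
EXFIL_HOSTS = {"api.telegram.org", "anonfiles.com"}
# Assumption: processes for which a POST to these hosts is expected.
ALLOWED_EXFIL_PROCESSES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def detect(events):
    """Return a list of alert dicts (rule, pid, process, detail)."""
    alerts = []
    artifacts = defaultdict(set)   # pid -> artifact names written under %appdata%
    staged_zip = defaultdict(list)  # pid -> ZIP files written under %appdata%
    uploaded = set()                # pids that POSTed to an exfil host after staging
    for ev in events:
        pid, proc = ev["pid"], ev["process"]
        if ev["type"] == "file_create" and APPDATA_RE.search(ev["path"]):
            name = ev["path"].rsplit("\\", 1)[-1]
            if any(p.match(name) for p in ARTIFACT_PATTERNS):
                artifacts[pid].add(name)
            elif name.lower().endswith(".zip"):
                staged_zip[pid].append(ev["path"])
        elif (ev["type"] == "net_request" and ev["method"] == "POST"
              and ev["host"] in EXFIL_HOSTS
              and proc.lower() not in ALLOWED_EXFIL_PROCESSES
              and staged_zip.get(pid)):
            uploaded.add(pid)
            alerts.append({"rule": "zip_then_post_to_exfil_host", "pid": pid,
                           "process": proc,
                           "detail": f"POST {ev['host']} after staging {staged_zip[pid][-1]}"})
        elif (ev["type"] == "dir_delete" and pid in uploaded
              and APPDATA_RE.search(ev["path"])):
            alerts.append({"rule": "staging_dir_removed_after_upload", "pid": pid,
                           "process": proc, "detail": ev["path"]})
    # Two or more distinct stealer artifact names from one process is the
    # strongest single signal; one name alone could be a coincidence.
    for pid, names in artifacts.items():
        if len(names) >= 2:
            alerts.append({"rule": "stealer_artifacts_in_appdata", "pid": pid,
                           "process": None, "detail": sorted(names)})
    return alerts


# Constructed sample telemetry: pid 4120 follows the chain from the report,
# pid 880 is a legitimate Telegram client, pid 2210 is unrelated user activity.
_STAGE = r"C:\Users\alice\AppData\Roaming\k3f9sd2"
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 4120, "process": "CapCut_Pro_Setup.exe", "path": _STAGE + r"\Passwords[Chrome].txt"},
    {"type": "file_create", "pid": 4120, "process": "CapCut_Pro_Setup.exe", "path": _STAGE + r"\Cookies[Chrome].txt"},
    {"type": "file_create", "pid": 4120, "process": "CapCut_Pro_Setup.exe", "path": _STAGE + r"\DesktopScreen.jpg"},
    {"type": "file_create", "pid": 4120, "process": "CapCut_Pro_Setup.exe", "path": _STAGE + r"\OS-Data[ip_203.0.113.7].txt"},
    {"type": "file_create", "pid": 4120, "process": "CapCut_Pro_Setup.exe", "path": r"C:\Users\alice\AppData\Roaming\alice_US_q7x2.zip"},
    {"type": "net_request", "pid": 4120, "process": "CapCut_Pro_Setup.exe", "method": "POST", "host": "api.telegram.org"},
    {"type": "dir_delete", "pid": 4120, "process": "CapCut_Pro_Setup.exe", "path": _STAGE},
    {"type": "net_request", "pid": 880, "process": "telegram.exe", "method": "POST", "host": "api.telegram.org"},
    {"type": "file_create", "pid": 2210, "process": "explorer.exe", "path": r"C:\Users\alice\Desktop\photos.zip"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["pid"], a["detail"])
```

The rules are deliberately ordered by cost: the artifact-name rule needs only file-creation telemetry, the upload rule correlates file and network events per process, and the cleanup rule only fires once an upload has already been flagged, so a benign Telegram client or a user zipping photos on the Desktop produces nothing.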


While investigating these CapCut phishing website scams, CRIL stumbled upon capcut-freedownload[.]com, a website hosting a RAR archive file named CapCut_Pro_Edit_Video.rar. Inside the archive, a batch script named CapCut_Pro_Edit_Video.bat was discovered.

This batch file, with a SHA256 hash value of 3eb99ff875dd397b5beed12e3662984cc4afdea2ff6998155b9c74869050d93c, went undetected by antivirus programs and security tools.

RedLine Stealer, a piece of malicious software, extracts sensitive data from web browsers, including saved credentials and credit card details. It also gathers system inventory information, such as usernames, location, hardware configuration, and installed security software.

With the surge in popularity of new applications, threat actors are taking advantage of users' excitement, targeting them through fraudulent and malicious means.

CapCut users, in particular, face an elevated risk due to the proliferation of CapCut phishing website scams. Users must exercise caution while downloading applications and ensure they obtain them from legitimate sources.

Staying vigilant and maintaining up-to-date security measures will help defend against the rising tide of phishing campaigns and malware threats.

Copyright © 2023 Market Biz All Rights Reserved.