
The Deceptive Disguise: Attackers Exploit CapCut’s Popularity to Distribute a Malicious Stealer


By Esme Greene

Aug 2, 2023

Security specialists at Cyble have uncovered two alarming campaigns in which cybercriminals disguise malware as CapCut, a widely used video editor for TikTok, putting unsuspecting users at risk.

CapCut, ByteDance’s official video editing app for TikTok, has garnered immense popularity with over 500 million downloads on Google Play and a monthly user base of more than 30 million on its website.

Because CapCut is banned in several countries, including Taiwan and India, users have looked for alternative ways to download the software. Exploiting this demand, cybercriminals have set up fraudulent websites that pose as legitimate CapCut download pages and serve malware instead.

How victims are steered to these fraudulent sites is not yet known, but attackers commonly drive traffic with tactics such as black-hat SEO, search-engine advertising, and social media promotion.

In the first campaign, victims unknowingly download Offx Stealer, built for Windows 8, 10, and 11, from these deceptive sites. When the downloaded file is launched, the user sees a fake error message claiming that the application failed to start, while Offx Stealer quietly runs in the background.

The Extensive Data Collection Tactics of the Malware Disguised as CapCut

The malware efficiently collects various sensitive data, including passwords, cookies from web browsers, and specific file types stored in the user’s desktop folder. Additionally, it targets data from Discord and Telegram, cryptocurrency wallet applications such as Exodus, Ethereum, Zcash, and others, as well as information from UltraViewer and AnyDesk remote access software.

The stolen data is written to a randomly named directory under the “%AppData%” folder, archived, and then sent to the attackers over a private Telegram channel. To remove traces of the infection, the directory is deleted as soon as the files have been exfiltrated.

In the second campaign, victims receive the “CapCut_Pro_Edit_Video.rar” archive, which, when opened, executes a PowerShell script. The script loads the final Redline Stealer payload together with a .NET executable and bypasses the Windows AMSI security feature so that Redline Stealer can run undetected.
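Both campaigns leave host-level traces a defender can correlate: the first stages files in a random directory under %AppData%, archives them, talks to Telegram and then deletes the directory; the second has an archiver launch PowerShell. The following is an added illustration, not code from Cyble or from this article, of two simple detection rules run over constructed Sysmon-style events. The event schema (ts, type, pid, image, path, dest_host, parent_image, cmdline), the process names in ARCHIVERS, and the use of api.telegram.org as the exfiltration host are assumptions made for the example.

```python
"""Two correlation rules for the behaviours described above, run over
constructed sample telemetry. Added example; the event schema and the
indicator lists below are assumptions, not data from the article."""
import re
from collections import defaultdict

# Constructed sample events in a simplified Sysmon-like schema (not real telemetry).
SAMPLE_EVENTS = [
    # Campaign 1: stage under %AppData%, archive, contact Telegram, delete the directory.
    {"ts": 1, "type": "file_create", "pid": 100, "image": r"C:\Users\u\Downloads\CapCut_Setup.exe",
     "path": r"C:\Users\u\AppData\Roaming\aB3xQ9zT\passwords.txt"},
    {"ts": 2, "type": "file_create", "pid": 100, "image": r"C:\Users\u\Downloads\CapCut_Setup.exe",
     "path": r"C:\Users\u\AppData\Roaming\aB3xQ9zT\cookies.db"},
    {"ts": 3, "type": "file_create", "pid": 100, "image": r"C:\Users\u\Downloads\CapCut_Setup.exe",
     "path": r"C:\Users\u\AppData\Roaming\aB3xQ9zT.zip"},
    {"ts": 4, "type": "net_connect", "pid": 100, "image": r"C:\Users\u\Downloads\CapCut_Setup.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"ts": 5, "type": "file_delete", "pid": 100, "image": r"C:\Users\u\Downloads\CapCut_Setup.exe",
     "path": r"C:\Users\u\AppData\Roaming\aB3xQ9zT"},
    # Benign: an installed application writing its own config under AppData.
    {"ts": 6, "type": "file_create", "pid": 200, "image": r"C:\Program Files\App\app.exe",
     "path": r"C:\Users\u\AppData\Roaming\App\config.json"},
    # Campaign 2: an archiver starts PowerShell while the lure archive is open.
    {"ts": 7, "type": "process_create", "pid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"powershell.exe -File C:\Users\u\AppData\Local\Temp\CapCut_Pro_Edit_Video\setup.ps1"},
]

# First path component directly under AppData\Roaming or AppData\Local.
APPDATA_SUBDIR = re.compile(
    r"^(?P<dir>[A-Za-z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\[^\\]+)", re.IGNORECASE)
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
EXFIL_HOSTS = {"api.telegram.org"}                 # assumed: Telegram Bot API endpoint
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe"}   # assumed archiver process names
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _appdata_dir(path):
    m = APPDATA_SUBDIR.match(path)
    return m.group("dir").lower() if m else None


def detect_staging_exfil(events):
    """Rule 1: within one process, files written to an AppData subdirectory, then an
    archive created, then a connection to an exfil host, then that subdirectory removed.
    The strict time ordering keeps ordinary AppData writers (pid 200) out of the results."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)
    findings = []
    for pid, evs in by_pid.items():
        first_write = {}   # staging dir -> ts of the first file written there
        archive_ts = None
        exfil_ts = None
        for ev in evs:
            if ev["type"] == "file_create":
                if ev["path"].lower().endswith(ARCHIVE_EXTS):
                    if archive_ts is None:
                        archive_ts = ev["ts"]
                else:
                    d = _appdata_dir(ev["path"])
                    if d:
                        first_write.setdefault(d, ev["ts"])
            elif ev["type"] == "net_connect" and ev.get("dest_host", "").lower() in EXFIL_HOSTS:
                if exfil_ts is None:
                    exfil_ts = ev["ts"]
            elif ev["type"] == "file_delete":
                d = _appdata_dir(ev["path"])
                if (d in first_write and archive_ts is not None and exfil_ts is not None
                        and first_write[d] < archive_ts < exfil_ts < ev["ts"]):
                    findings.append({"rule": "appdata_stage_archive_exfil_delete",
                                     "pid": pid, "image": ev["image"], "dir": d})
    return findings


def detect_archive_spawned_script(events):
    """Rule 2: a script host started directly by an archiver, i.e. a script run
    straight out of an opened archive."""
    return [{"rule": "archiver_spawned_script_host", "pid": ev["pid"],
             "parent": ev["parent_image"], "cmdline": ev["cmdline"]}
            for ev in events
            if ev["type"] == "process_create"
            and _basename(ev["image"]) in SCRIPT_HOSTS
            and _basename(ev.get("parent_image", "")) in ARCHIVERS]


def run_rules(events):
    """Run both rules and return all findings (rule 1 results first)."""
    return detect_staging_exfil(events) + detect_archive_spawned_script(events)


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 deliberately requires the whole sequence in order (write, archive, network contact, delete) from one process; any single step is common in legitimate software, and the ordering is what makes the short-lived staging directory stand out. Rule 2 is coarse by design and is best used as a triage signal together with the archive name on the command line.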

To reduce the risk of infection, download CapCut and similar software only from official sources such as “capcut.com,” Google Play (for Android users), and the App Store (for iOS users). Be cautious and avoid downloading from links shared by other users on social networks or in private messages.


Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.