CapCut, ByteDance’s official video editing app for TikTok, has garnered immense popularity with over 500 million downloads on Google Play and a monthly user base of more than 30 million on its website.
Because CapCut is banned in several countries, including Taiwan and India, users have sought alternative ways to download the software. Exploiting this demand, cybercriminals have set up fraudulent websites posing as legitimate CapCut download pages to distribute malware.
The exact method of directing victims to these fraudulent sites remains unclear, but attackers frequently employ unethical tactics such as Black Hat SEO, search engine advertising, and social media promotion to drive traffic.
In the initial campaign, victims unknowingly download Offx Stealer, specifically designed for Windows 8, 10, and 11, from these deceptive sites. Upon launching the downloaded file, users encounter a fake error message claiming the application’s failure to start, while Offx Stealer stealthily operates in the background.
The Extensive Data Collection Tactics of the Malware Disguised as CapCut
The malware efficiently collects various sensitive data, including passwords, cookies from web browsers, and specific file types stored in the user’s desktop folder. Additionally, it targets data from Discord and Telegram, cryptocurrency wallet applications such as Exodus, Ethereum, Zcash, and others, as well as information from UltraViewer and AnyDesk remote access software.
The stolen data is written to a randomly named directory inside the “%AppData%” folder, archived, and then transmitted to the attackers through a private Telegram channel. To remove traces of the infection, the directory is deleted as soon as the files have been exfiltrated.
In the second campaign, victims receive the “CapCut_Pro_Edit_Video.rar” archive. Opening it executes a PowerShell script that loads the final Redline Stealer payload together with a .NET executable, and bypasses the Windows AMSI security feature so that Redline Stealer can run undetected.
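The two behaviours described above (a random staging directory under %AppData% that is archived, sent to Telegram and then deleted; and PowerShell launched out of an opened archive) are well suited to host-telemetry correlation. The following is an added example, not code from the article or from either malware family: it runs two small detectors over constructed Sysmon-style event records. The field names (`type`, `pid`, `path`, `host`, `image`, `parent_image`, `cmdline`), the user profile path and the sample events are all assumptions made for the example.

```python
"""Host-telemetry triage for the two CapCut-lookalike campaigns described above.
Added example: not code from the original article; the event records below are
constructed to resemble Sysmon-style fields and are not real telemetry."""
from collections import defaultdict

APPDATA = r"C:\Users\alice\AppData\Roaming"            # assumed profile path
TELEGRAM_HOSTS = {"api.telegram.org"}                  # Bot API host used for exfiltration
ARCHIVE_EXT = (".zip", ".rar", ".7z")
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7zg.exe"}  # common archive front-ends
REQUIRED = {"staging", "archive", "telegram"}           # stages needed to raise an alert


def staging_dir(path):
    """Return the first path segment under %AppData% if it looks like a random
    token (8+ alphanumerics mixing letters and digits), else None.  Requiring
    both letters and digits keeps vendor folders such as 'Microsoft' out."""
    prefix = APPDATA.lower() + "\\"
    if not path.lower().startswith(prefix):
        return None
    name = path[len(prefix):].split("\\", 1)[0]
    random_looking = (len(name) >= 8 and name.isalnum()
                      and any(c.isdigit() for c in name)
                      and any(c.isalpha() for c in name))
    return name if random_looking else None


def detect_offx_exfil(events):
    """Campaign 1 pattern, correlated per process: files written into a random
    %AppData% directory, an archive created there, a connection to Telegram,
    then the directory deleted.  Returns {pid: stages_seen} for processes that
    reached at least staging + archive + telegram."""
    stages = defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "file_create" and staging_dir(ev["path"]):
            stages[pid].add("staging")
            if ev["path"].lower().endswith(ARCHIVE_EXT):
                stages[pid].add("archive")
        elif kind == "net_connect" and ev["host"].lower() in TELEGRAM_HOSTS:
            stages[pid].add("telegram")
        elif kind == "file_delete" and staging_dir(ev["path"]):
            stages[pid].add("cleanup")
    return {pid: seen for pid, seen in stages.items() if REQUIRED <= seen}


def detect_archive_to_powershell(events):
    """Campaign 2 pattern: powershell.exe spawned by an archive tool and handed
    a .ps1 from a temporary extraction path.  Returns matching pids."""
    hits = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        parent = ev["parent_image"].lower().rsplit("\\", 1)[-1]
        cmd = ev["cmdline"].lower()
        if (image == "powershell.exe" and parent in ARCHIVE_TOOLS
                and ".ps1" in cmd and "\\temp\\" in cmd):
            hits.append(ev["pid"])
    return hits


def triage(events):
    """Run both detectors and return human-readable alert lines."""
    alerts = []
    for pid, seen in detect_offx_exfil(events).items():
        alerts.append(f"pid {pid}: staged data exfiltrated via Telegram "
                      f"(stages: {', '.join(sorted(seen))})")
    for pid in detect_archive_to_powershell(events):
        alerts.append(f"pid {pid}: PowerShell launched from an archive viewer")
    return alerts


# Constructed sample telemetry: one event chain per campaign plus benign noise.
EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\Rar$DIa1234\setup.ps1"},
    {"type": "file_create", "pid": 5580, "path": APPDATA + r"\q8hz3kd1\passwords.txt"},
    {"type": "file_create", "pid": 5580, "path": APPDATA + r"\q8hz3kd1\cookies.db"},
    {"type": "file_create", "pid": 5580, "path": APPDATA + r"\q8hz3kd1\q8hz3kd1.zip"},
    {"type": "net_connect", "pid": 5580, "host": "api.telegram.org", "port": 443},
    {"type": "file_delete", "pid": 5580, "path": APPDATA + r"\q8hz3kd1"},
    {"type": "file_create", "pid": 7001, "path": APPDATA + r"\Microsoft\Windows\Recent\doc.lnk"},
    {"type": "net_connect", "pid": 7001, "host": "update.example.com", "port": 443},
    {"type": "process_create", "pid": 7100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Correlating by process id is what separates the stealer's chain from everyday noise: a single archive write or a single Telegram connection is common, but one process doing all three against a random folder is not. The cleanup stage is recorded but not required, so a run that is interrupted before the directory is removed still alerts.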
To mitigate the risk of malware infection, it is crucial to exclusively download CapCut and similar software from official sources such as “capcut.com,” Google Play (for Android users), and the App Store (for iOS users). It is imperative to exercise caution and avoid downloading from sites shared by other users on social networks or through private messages to safeguard against these malicious activities.
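A download-source allowlist is only as good as its handling of lookalike hosts. The function below is an added example (not from the article): it accepts a URL only if it uses HTTPS and its host is, or is a subdomain of, one of the official sources the article names, while rejecting the usual tricks (official name used as a prefix of another domain, userinfo before an `@`, and non-ASCII or punycode hostnames). The official-host list is assumed from the article's recommendation; the test URLs are constructed.

```python
"""Allowlist check for CapCut download links.  Added example, not code from the
article; OFFICIAL_HOSTS is assumed from the sources the article recommends."""
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"capcut.com", "play.google.com", "apps.apple.com"}


def is_official_download(url):
    """True only for an https URL whose host equals, or is a subdomain of, an
    official host.  Suffix matching is done on a dot boundary so that
    'capcut.com.example.net' or 'notcapcut.com' never qualify."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname or ""          # already lowercased; drops user:pass@
    host = host.rstrip(".")              # trailing-dot FQDN form
    if not host or not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False                     # IDN / punycode lookalikes
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


# Constructed examples of what the check accepts and rejects.
SAMPLES = {
    "https://www.capcut.com/download": True,
    "https://play.google.com/store/apps/details?id=com.example": True,
    "http://capcut.com/download": False,                 # no TLS
    "https://capcut.com.free-installer.example/x": False,  # official name as prefix
    "https://capcut.com@free-installer.example/x": False,  # userinfo trick
    "https://capcut-pro-download.example/setup.rar": False,
    "https://xn--capct-9ta.com/": False,                 # punycode lookalike
}


def check_samples():
    """Return the subset of SAMPLES whose result disagrees with expectation."""
    return {u: is_official_download(u) for u, want in SAMPLES.items()
            if is_official_download(u) != want}


if __name__ == "__main__":
    for url, want in SAMPLES.items():
        print(f"{is_official_download(url)!s:5}  {url}")
```

Note that this only vets the link a user is about to follow; it does not replace checking a downloaded installer's signature, and it would still pass a compromised page on an allowed host.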