Fake CapCut Websites Spread Information Stealers
A malware campaign has been found impersonating the CapCut video editing tool to spread different stealers. CapCut is an official video editor, developed by ByteDance. It is popularly used as an editing tool for TikTok videos (also owned by ByteDance) and comes with several features. CapCut has over 500 million downloads on Google Play and its website receives over 30 million monthly hits, making it an attractive target for cyberattacks.
Owing to the nationwide bans in India, Taiwan, and other countries, users are looking for alternative ways to get access to the CapCut app. The popularity of CapCut has made users look for alternative ways of getting the app. To harness this opportunity, attackers have created websites that spread malware disguised as CapCut.
- The attackers are suspected to be using search ads, black hat SEO, and social media to advertise these malicious sites.
- They used multiple domains, such as capcut-editor-video[.]com and capcutdownload[.]com, to deliver information stealers to victims’ systems via two different campaigns detailed below.
Offx Stealer campaign
The first campaign uses fake CapCut sites with a download button spreading the Offx Stealer on systems. The stealer binary uses PyInstaller and only runs on Windows 8, 10, and 11.
- Whenever a victim runs the downloaded file, they are shown a fake error message stating that the app launch has failed. However, Offx Stealer keeps operating in the background.
- The malware attempts to steal credentials and cookies from web browsers and targets data stored in Discord, Telegram, popular cryptocurrency wallet apps (Bytecoin, Atomic, Zcash), and remote access software (AnyDesk and UltraViewer).
Redline Stealer campaign
The second campaign uses fake CapCut sites delivering the ‘CapCut_Pro_Edit_Video[.]rar’ file on systems, including a batch script that executes a PowerShell script when opened.
- The PowerShell script decompresses, decrypts, and loads the final payload – a DotNET executable and Redline Stealer. The DotNET executable bypasses the AMSI Windows security feature.
- Additionally, the same fake CapCut site serves as a host for BatLoader.