Cloned CapCut websites push information stealing malware

A new malware distribution campaign is underway impersonating the CapCut video editing tool to push various malware strains to unsuspecting victims.

CapCut is ByteDance's official video editor and maker for TikTok, supporting music mixing, color filters, animation, slow-mo effects, picture-in-picture, stabilization, and more.

It has over 500 million downloads on Google Play alone, and its website receives over 30 million hits monthly.

The application's popularity, combined with nationwide bans in Taiwan, India, and other places, has pushed users to seek alternative ways of downloading the program.

However, threat actors exploit this by creating websites that distribute malware disguised as CapCut installers.

The malicious websites were discovered by Cyble, which reports seeing two campaigns distributing different malware strains.

No specific information about how victims are directed on these sites was provided, but typically, threat actors use black hat SEO, search ads, and social media to promote the sites.

The offending websites are:

• capcut-freedownload[.]com
• capcutfreedownload[.]com
• capcut-editor-video[.]com
• capcutdownload[.]com
• capcutpc-download[.]com

At the time of writing, all domains have since been taken offline.

First campaign

The first campaign spotted by Cyble's analysts uses fake CapCut sites featuring a download button that delivers a copy of the Offx Stealer on the user's computer.

The stealer binary was compiled on PyInstaller and will only run on Windows 8, 10, and 11.

When the victim executes the downloaded file, they get a bogus error message claiming that the launch of the application has failed. However, Offx Stealer continues to operate in the background.

The malware will attempt to extract passwords and cookies from web browsers and specific filetypes (.txt, .lua, .pdf, .png, .jpg, .jpeg, .py, .cpp, and .db) from the user's desktop folder.

It also targets data stored in messaging apps like Discord and Telegram, cryptocurrency wallet apps (Exodus, Atomic, Ethereum, Coinomi, Bytecoin, Guarda, and Zcash), and remote access software like UltraViewer and AnyDesk.

All stolen data is saved in a randomly generated directory in the %AppData% folder, zipped, and then sent to the malware operators on a private Telegram channel. The threat actors also use the AnonFiles file hosting service for redundancy in the exfiltration step.

After the stolen files are transmitted to the attackers, the local directory created for temporarily hosting the data is deleted to wipe any traces of the infection.

Second campaign

The second campaign involving fake CapCut sites drops a file named 'CapCut_Pro_Edit_Video.rar' on the victims' devices, containing a batch script that, in turn, triggers a PowerShell script when opened.

Cyble says that at the time of its analysis, no antivirus engines would flag the batch file as malicious, so the loader is very stealthy.

The PowerShell script decrypts, decompresses, and loads the final payload: Redline Stealer and a .NET executable.

Redline is a widely deployed information stealer that can grab data stored in web browsers and applications, including credentials, credit cards, and auto-complete data.

The role of the .NET payload is to bypass the AMSI Windows security feature, allowing Redline to operate undetected on the compromised system.

To stay safe from malware, download software directly from official sites rather than sites shared in forums, social media, or direct messages, and also make sure to avoid promoted results when searching for software tools on Google.

In this case, CapCut is available through capcut.com, Google Play (for Android), and the App Store (for iOS).