CapCut Users Beware: Phishing Sites Distributing Malware

If you use TikTok, you must be aware of CapCut. However, did you know that this app is being abused by threat actors to drop malware and carry out phishing scams through not one, but a series of malicious sites?

One of the most prominent malware being distributed in the latest CapCut scam is BatLoader.

CapCut video editor, with a following of more than 200 million active users per month in the US alone, is the current target of threat actors, revealed a new report from Cyble Research and Intelligence Labs.

CapCut is a Chinese app that allows users to edit their videos. However, like many other apps of Chinese origin, CapCut is banned in several countries, including India, the USA, and Taiwan. So, users looking to edit their videos conveniently search for ways to install this app and get trapped. CapCut is created by ByteDance, which also owns TikTok.

Reportedly, threat actors are trapping unsuspecting users through CapCut phishing sites and tricking them into downloading BatLoader, Stealers, and other malware. Cyble researchers discovered several phishing websites designed to appear as video editing software.

One of the fake CapCut sites (Credit: Cyble)

However, these sites trick users into downloading/executing malware, including RATs and Stealers. Researchers observed that threat actors specifically targeted the CapCut tool in this campaign.

Researchers extensively explored the attackers’ modus operandi and noted that the scammers use Python to target victims. One of the stealer binary they identified had a SHA256 and it was compiled with PyInstaller.

The executable is available only for Windows 8 or later versions. Researchers could access the hidden Python script after extracting the installation successfully. Moreover, the script’s .py file imports the Fernet class to decrypt. It receives the file from the cryptography.fernet module.

In one of the campaigns observed by Cyble researchers, a phishing website was hosting the Offx stealer. In another instance, threat actors used a phishing site to host BatLoader malware and delivered RedLine stealer to the targeted system. This means that phishing websites come preloaded with RATs and malware.

Cyble researchers explained in their blog post that the primary objective of these stealers is collecting information about the victim and using it for malicious purposes.

  1. TikTokers promoted adware; earned a trove in profit
  2. TikTok Invisible Body Challenge Abused to Drop Malware
  3. TikTok flaw allowed hackers to access your phone numbers
  4. Fake Windows site dropped malware as Windows 11 upgrade
  5. Fake WhatsApp clones steal crypto from Android and Windows
Related Posts