“Reputation Hijacking with JamPlus: A Tactic to Evade Smart App Control (SAC)”

CRIL uncovered a CapCut-themed phishing campaign that hides a legitimate CapCut application inside a malicious package, using reputation hijacking and the JamPlus build utility to run a Lua script and drop NodeStealer. The final payload exfiltrates sensitive data via Telegram, illustrating a multi-stage approach designed to bypass Smart App Control. #NodeStealer #JamPlus #CapCut #CapCutPhishing #ReputationHijacking #Telegram #Vietnam

Keypoints

  • CRIL detects a phishing site masquerading as a CapCut download page to lure users into downloading malware.
  • Threat actors use reputation hijacking by embedding a legitimate CapCut-signed app within the malicious package.
  • The JamPlus build utility is repurposed to execute malicious scripts while evading detection.
  • The campaign unfolds in multiple stages, using legitimate tools, fileless techniques, and public code repositories so that each step blends in with benign activity.
  • The final payload is a NodeStealer variant designed to capture sensitive data and exfiltrate it via Telegram.
  • Initial infection occurs through downloading a malicious package from a CapCut phishing site, followed by a multi-stage execution chain.
  • Recommendations include URL verification, restricting scripting language execution, and implementing monitoring and application whitelisting.

MITRE Techniques

  • [T1660] Phishing – Malware distribution via phishing site. Quote: “Detection of a phishing site posing as a CapCut download page.”
  • [T1204] User Execution – The user needs to manually execute the file downloaded from the phishing site. Quote: “The user needs to manually execute the file downloaded from the phishing site.”
  • [T1059.006] Python – Python stealer is used for targeting Windows users. Quote: “Python stealer is used for targeting Windows users.”
  • [T1036.008] Masquerading – Downloads file disguised as a legitimate application. Quote: “Downloads file disguised as a legitimate application.”
  • [T1539] Steal Web Session Cookie – Steals browser cookies. Quote: “Steals browser cookies.”
  • [T1560] Archive Collected Data – Stealer compresses the stolen data with ZIP extension. Quote: “Stealer compresses the stolen data with ZIP extension.”
  • [T1567] Exfiltration Over Web Service – Uses Telegram channel to exfiltrate data. Quote: “Uses Telegram channel to exfiltrate data.”

Indicators of Compromise

  • [SHA256] CapCut installer – 8e6bbe8ac1ecdd230a4dcafa981ff00663fae06f7b85b117a87917b6f04f894f, 4e213bd0a127f1bb24c4c0d971c2727097b04eed9c6e62a57110d168ccc3ba10, and 2 more hashes
  • [URL] Remote payload delivery – hxxps://raw[.]githubusercontent[.]com/LoneNone1807/batman/main/steal[.]bat
  • [URL] Phishing site – hxxps://cap-cutdownload[.]com/
  • [File Name] CapCut_7376550521366298640_installer.zip, Document.zip

Read more: https://cyble.com/blog/reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac/