Cyble – CapCut Users Under Fire

Cyble researchers uncovered phishing websites posing as CapCut download pages that deliver multiple malware families, including Offx Stealer and BATLoader, by coaxing users into downloading malicious payloads. The campaigns exploit CapCut’s popularity, and the data they steal extends to messaging apps, crypto wallets, and remote desktop tools. The report includes detailed analyses of Offx Stealer and of a BATLoader campaign that delivers RedLine Stealer and an AMSI bypass. #CapCut #OffxStealer #BATLoader #RedLineStealer

Keypoints

  • Phishing sites impersonating CapCut lure users into downloading malware families such as Offx Stealer and BATLoader.
  • Offx Stealer is Python-based (PyInstaller) and runs on Windows 8+; it creates a random AppData directory to store stolen data.
  • Offx Stealer extracts browser credentials and cookies by decrypting Local State keys and querying Login Data and Network Cookies files.
  • The malware captures screenshots, targets Discord/Telegram and remote-desktop/crypto-wallet apps, archives the targeted data into ZIP files, and exfiltrates those archives (via a Telegram channel, per the report).
  • A fake error message, “The application could not start correctly (0xc0000142)”, is shown to deceive users.
  • BATLoader campaign uses a phishing site to host CapCut_Pro_Edit_Video.bat; PowerShell loads a .NET payload and drops RedLine Stealer and an AMSI-bypass executable.
  • RedLine Stealer is described as extracting browser data and performing comprehensive system inventory.

MITRE Techniques

  • [T1566] Phishing – “phishing websites posing as video editing software” used to lure victims. Quote: “These fraudulent sites lure users into downloading and executing various types of malware families.”
  • [T1059.006] Python – “The stealer binary … is compiled using PyInstaller indicating that the stealer is coded in Python.”
  • [T1027] Obfuscated Files or Information – The report’s “Figure 4 – Obfuscated Script” shows the obfuscated script used in the deployment chain.
  • [T1555] Credentials from Password Stores – “the master key necessary for decrypting the login information stored in the respective browser’s ‘Login Data’ files.”
  • [T1539] Steal Web Session Cookie – “Offx Stealer also retrieves data from the cookie files … (encrypted_value)”
  • [T1113] Screen Capture – “The screen function captures a screenshot using the ImageGrab module.”
  • [T1567] Exfiltration Over Web Service – “exfiltrate the data through the Telegram channel.”
  • [T1071] Application Layer Protocol – C2 communication and exfiltration over Telegram, an application-layer service.
  • [T1095] Non-Application Layer Protocol – “Non-Application Layer Protocol” used for C2 communications in the described setup.
  • [T1562.001] Impair Defenses: AMSI – “AMSI bypass executable” referenced in IOCs, indicating defense evasion.
  • [T1041] Exfiltration Over C2 Channel – Exfiltration via C2 channel as part of the data exfiltration workflow.

Indicators of Compromise

  • [Domain] CapCut phishing sites – capcut-freedownload[.]com, capcutfreedownload[.]com, capcut-editor-video[.]com, capcutdownload[.]com, capcutpc-download[.]com – Phishing websites
  • [Hash] Offx Stealer – SHA256 8dd5d02bb6313997fcaa6515ccb2308c37a81374baef188554ba20d23602c01c, SHA1 558d420e943e28399915ff504be8b188b7445296, and 2 more hashes
  • [Hash] Offx Stealer (additional) – SHA256 e9e17c06b5fb1dd95e9622703f8ea55be67ceb6435e7aba688784a854c85aef2, SHA1 b8725a0c47ac37475134996bb1711f61ce73279e, MD5 7876ff8df973e126f512169fb021c85a
  • [Hash] BATLoader batch file – SHA256 3eb99ff875dd397b5beed12e3662984cc4afdea2ff6998155b9c74869050d93c, SHA1 bd62756f0c9a7b1351d95a4f89e4a2703fe3e8b1, MD5 8eac2855d5a48ec13d6d71a463f40e27
  • [Hash] RedLine Stealer – SHA256 0e06d91d1d9e7cecc1c2553076fd0df71fc4fe2081b7bd0b6dd25b0ce6b98788, SHA1 825c448b5ef5f85e13aae802ca31532f0cf3cae4, MD5 ae9ca12bd7d797aa7dc7fe4b8584251f
  • [File] CapCut_Pro_Edit_Video.bat – Malicious batch file hosted on the phishing site (BATLoader campaign)
  • [Archive] CapCut_Pro_Edit_Video.rar – RAR archive from the CapCut phishing campaign
  • [File] OS-Info[ip_ip-address].txt – Text file in which the collected OS information is saved
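A defender will usually want to sweep proxy logs and endpoint file inventories for the indicators above. The Python script below is an added example written for this summary, not code from Cyble or from the report; it refangs the listed domains, classifies the listed hashes by digest length (the report mixes SHA256, SHA1 and MD5 values), and matches both against constructed sample data. The proxy log line format (`<timestamp> <client-ip> <method> <url> <status>`) and the `(path, digest)` inventory records are assumptions chosen for the example.

```python
"""Sweep constructed proxy-log lines and file-hash inventory records for the
CapCut-campaign indicators listed in this summary (added example, not report code)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Defanged domains exactly as listed in the IoC section above.
DEFANGED_DOMAINS = [
    "capcut-freedownload[.]com",
    "capcutfreedownload[.]com",
    "capcut-editor-video[.]com",
    "capcutdownload[.]com",
    "capcutpc-download[.]com",
]

# Hashes as listed above, mapped to the family the report attributes them to.
IOC_HASHES: Dict[str, str] = {
    "8dd5d02bb6313997fcaa6515ccb2308c37a81374baef188554ba20d23602c01c": "Offx Stealer",
    "558d420e943e28399915ff504be8b188b7445296": "Offx Stealer",
    "e9e17c06b5fb1dd95e9622703f8ea55be67ceb6435e7aba688784a854c85aef2": "Offx Stealer",
    "b8725a0c47ac37475134996bb1711f61ce73279e": "Offx Stealer",
    "7876ff8df973e126f512169fb021c85a": "Offx Stealer",
    "3eb99ff875dd397b5beed12e3662984cc4afdea2ff6998155b9c74869050d93c": "BATLoader batch file",
    "bd62756f0c9a7b1351d95a4f89e4a2703fe3e8b1": "BATLoader batch file",
    "8eac2855d5a48ec13d6d71a463f40e27": "BATLoader batch file",
    "0e06d91d1d9e7cecc1c2553076fd0df71fc4fe2081b7bd0b6dd25b0ce6b98788": "RedLine Stealer",
    "825c448b5ef5f85e13aae802ca31532f0cf3cae4": "RedLine Stealer",
    "ae9ca12bd7d797aa7dc7fe4b8584251f": "RedLine Stealer",
}

IOC_FILENAMES = {"CapCut_Pro_Edit_Video.bat", "CapCut_Pro_Edit_Video.rar"}
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def refang(domain: str) -> str:
    """Turn a defanged indicator ('[.]') back into a real hostname for matching."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def hash_type(value: str) -> Optional[str]:
    """Classify a hex digest by its length; None if it is not a supported digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_TYPES.get(len(v))


def host_matches(host: str) -> bool:
    """True if host is a campaign domain or a subdomain of one (e.g. www.capcutdownload.com)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines: Iterable[str]) -> List[dict]:
    """Return one hit per proxy log line whose URL host is a campaign domain."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        if host_matches(host):
            hits.append({"ts": ts, "client": client, "host": host, "url": url})
    return hits


def scan_file_inventory(records: Iterable[Tuple[str, str]]) -> List[dict]:
    """Match (path, digest) records against the IoC hashes and file names."""
    hits = []
    for path, digest in records:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        d = digest.strip().lower()
        reasons = []
        if d in IOC_HASHES:
            reasons.append(f"{hash_type(d)} hash: {IOC_HASHES[d]}")
        if name in IOC_FILENAMES:
            reasons.append(f"file name: {name}")
        if reasons:
            hits.append({"path": path, "reasons": reasons})
    return hits


# Constructed sample data for the example (not taken from the report).
SAMPLE_PROXY_LOG = [
    "2023-05-18T10:01:02Z 10.0.0.5 GET http://www.capcut-editor-video.com/download 200",
    "2023-05-18T10:01:09Z 10.0.0.5 GET https://example.com/ 200",
    "2023-05-18T10:02:44Z 10.0.0.9 GET https://capcutpc-download.com:443/CapCut_Pro_Edit_Video.rar 200",
    "garbage line that does not parse",
]
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Downloads\CapCut_Pro_Edit_Video.bat",
     "3eb99ff875dd397b5beed12e3662984cc4afdea2ff6998155b9c74869050d93c"),
    (r"C:\Users\alice\Downloads\setup.exe", "7876ff8df973e126f512169fb021c85a"),
    (r"C:\Windows\notepad.exe", "0" * 64),
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network hit:", h)
    for h in scan_file_inventory(SAMPLE_INVENTORY):
        print("file hit:", h)
```

Matching on the parsed hostname rather than on a substring of the URL avoids false positives on look-alike strings elsewhere in a URL, and the subdomain check catches hosts such as www.capcut-editor-video.com that the defanged list does not spell out.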

Read more: https://blog.cyble.com/2023/05/19/capcut-users-under-fire/