Recent research by Cyble Research and Intelligence Labs (CRIL) has revealed a new phishing campaign that capitalizes on the popularity of CapCut, a video editing tool developed by ByteDance. The campaign uses a reputational hijacking technique built around JamPlus, a legitimate build utility, to bypass Smart App Control (SAC) and deploy malicious payloads.
CapCut has gained significant traction as a video editing application, making it an attractive target for threat actors (TAs) seeking to exploit its reputation for malicious purposes. The latest campaign, identified by CRIL, reveals how attackers use a phishing site masquerading as a CapCut download page to trick users into installing malware.
Overview of the CapCut Phishing Campaign
In this campaign, TAs leverage JamPlus, an open-source build utility that ships with an embedded Lua interpreter, to carry out their attack. Because JamPlus is a known, widely distributed tool, SAC's reputation check lets it run; once running, it executes whatever Lua script its build file points it to, which hands the attackers arbitrary code execution without ever launching a binary that SAC would block. This technique, which CRIL calls reputational hijacking with JamPlus, packages a legitimate CapCut application together with the renamed build utility and a malicious script. The approach highlights an evolving trend in cyberattacks aimed at circumventing security controls that rely on file reputation rather than on what a trusted binary is told to do.
The attack unfolds through a multi-stage process designed to evade detection. It begins when a user downloads a malicious package from a phishing site posing as a CapCut installer. This package contains a legitimate CapCut application, the JamPlus build utility, and a malicious “.lua” script.
When the user launches what looks like CapCut, they are in fact running the JamPlus build utility, which has been renamed to match the CapCut executable. JamPlus executes the malicious “.lua” script, which silently downloads and executes a batch file from a remote server. Keeping the final payload out of the file system (it is decoded and run in memory, as described below) is a key element of the attack, aimed at evading file-based security mechanisms and remaining undetected.
Technical Details of the JamPlus Campaign
The phishing site presents a convincing façade of a CapCut download page, prompting users to click on a “Download” button. This action initiates the download of an archive named “CapCut_{random number}_Installer” from a URL like “hxxps://www[.]dropbox[.]com/scl/fi/6se0kgmo7sbngtdf8r11x/CapCut_7376550521366298640_installer.zip?rlkey=7fxladl3fdhpne6p7buz48kcl&st=pzxtrcqc&dl=1”.
Upon extraction, the user encounters a file that appears to be a CapCut installer, but it actually includes the legitimate CapCut application along with hidden files for malicious activities. These hidden files contain the JamPlus build utility and a malicious “.lua” script.
By default, the CapCut shortcut on the desktop runs the CapCut application located at “C:\Users\<User_Name>\AppData\Local\CapCut\Apps\capcut.exe”. In this attack, however, the JamPlus build utility is renamed to “capcut.exe” so that the path and name users and reputation-based controls associate with CapCut now point at the build tool.
In CRIL's analysis the executable did not run under its original name, but once renamed to “capcut.exe” it launched JamPlus as intended. JamPlus then reads a bundled “.jam” build file that is configured to locate and run the malicious “.lua” script.
The “.lua” script downloads a batch file from a remote server and executes it. This batch file performs several actions:
- Downloads a file named “WindowSafety.bat” from “hxxps://raw[.]githubusercontent.com/LoneNone1807/batman/main/startup” and saves it in the Windows Startup folder so that it runs automatically at the user's next logon.
- Downloads a ZIP file named “Document.zip” from “hxxps://github[.]com/LoneNone1807/batman/raw/main/Document.zip” and extracts it to “C:\Users\Public\Document”.
- Executes a Python script named “sim.py” from the extracted folder.
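The renamed build tool, its “.jam”/“.lua” companions and the batch-stage drops described above all leave artifacts on disk that a responder can hunt for. The script below is an added example (not Cyble's or CapCut's code): it walks a `Users` directory, flags a “capcut.exe” that sits beside JamPlus build files, a “WindowSafety.bat” (or any batch file referencing the attacker's GitHub repository) in the Startup folder, and “Document.zip”/“sim.py” under `C:\Users\Public\Document`. The artifact names and the GitHub repository string come from the article; the profile-relative Startup folder path, the `users_root` parameter, and the sample directory tree built for the demo are assumptions so that the hunt runs offline against a constructed fixture.

```python
"""Offline hunt for the on-disk artifacts of the CapCut/JamPlus campaign (added example)."""
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Strings taken from the article; any script containing one is worth a look.
IOC_STRINGS = (
    "raw.githubusercontent.com/LoneNone1807/batman",
    "github.com/LoneNone1807/batman",
    "WindowSafety.bat",
    "Document.zip",
)
# Assumed profile-relative locations (standard Windows layout).
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
CAPCUT_APPS_REL = Path("AppData/Local/CapCut/Apps")
PUBLIC_DOC_REL = Path("Public/Document")


@dataclass
class Finding:
    kind: str
    path: str


def _contains_ioc(path: Path) -> bool:
    """True if a text file mentions one of the article's IOC strings."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return any(s in text for s in IOC_STRINGS)


def hunt_profile(profile: Path) -> list[Finding]:
    """Check one user profile for the renamed JamPlus binary and Startup persistence."""
    findings: list[Finding] = []
    apps = profile / CAPCUT_APPS_REL
    exe = apps / "capcut.exe"
    if exe.is_file():
        # A genuine CapCut install has no JamPlus build files next to capcut.exe.
        companions = [p for p in apps.rglob("*") if p.suffix.lower() in (".jam", ".lua")]
        if companions:
            findings.append(Finding("jamplus_masquerade", str(exe)))
            findings += [Finding("ioc_string", str(p)) for p in companions if _contains_ioc(p)]
    startup = profile / STARTUP_REL
    if startup.is_dir():
        for p in startup.iterdir():
            if p.suffix.lower() == ".bat" and (p.name.lower() == "windowsafety.bat" or _contains_ioc(p)):
                findings.append(Finding("startup_persistence", str(p)))
    return findings


def hunt(users_root: Path) -> list[Finding]:
    """Hunt every profile under a Users directory plus the Public drop folder."""
    findings: list[Finding] = []
    for profile in users_root.iterdir():
        if profile.is_dir() and profile.name.lower() != "public":
            findings += hunt_profile(profile)
    pub = users_root / PUBLIC_DOC_REL
    if (pub / "Document.zip").is_file():
        findings.append(Finding("stage2_archive", str(pub / "Document.zip")))
    if (pub / "sim.py").is_file():
        findings.append(Finding("stage3_script", str(pub / "sim.py")))
    return findings


def _touch(path: Path, data: bytes = b"") -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def build_sample_tree(users_root: Path) -> None:
    """Constructed fixture: one infected profile, one clean CapCut install."""
    alice = users_root / "alice"
    _touch(alice / CAPCUT_APPS_REL / "capcut.exe", b"MZ")          # JamPlus renamed
    _touch(alice / CAPCUT_APPS_REL / "capcut.jam", b"rule x { }")
    _touch(alice / CAPCUT_APPS_REL / "payload.lua", b"-- downloader stub")
    _touch(alice / STARTUP_REL / "WindowSafety.bat", b"@echo off")
    bob = users_root / "bob"
    _touch(bob / CAPCUT_APPS_REL / "capcut.exe", b"MZ")            # legitimate layout
    _touch(users_root / PUBLIC_DOC_REL / "Document.zip", b"PK")
    _touch(users_root / PUBLIC_DOC_REL / "sim.py", b"# stage 3")


def run_demo() -> list[str]:
    """Build the fixture in a temp dir, run the hunt, return the sorted finding kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Users"
        build_sample_tree(root)
        return sorted(f.kind for f in hunt(root))


if __name__ == "__main__":
    for kind in run_demo():
        print(kind)
```

Point `hunt()` at a mounted image's `Users` directory to run it for real; the clean profile in the fixture shows that a plain CapCut install with no “.jam”/“.lua” neighbours produces no finding.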
The NodeStealer Payload
The Python script retrieves base64-encoded data from a remote server, decodes it, and executes the resulting payload directly in memory, so the final stage never touches disk. This payload is a variant of NodeStealer, an information stealer designed to harvest a wide array of sensitive data from the victim's machine, including login credentials, cookies, credit card information, and data from browser extensions and applications.
NodeStealer exfiltrates the stolen information via Telegram, which blends the outbound traffic in with legitimate use of a popular messaging service and denies defenders a dedicated command-and-control domain to block. The campaign has been traced back to threat actors based in Vietnam.
This technique of reputational hijacking with JamPlus is not isolated. Similar tactics have been observed in other campaigns, such as those abusing a legitimately signed Postman application.
This broader pattern indicates a growing trend in which TAs launch their code through trusted applications and tools so that reputation-based controls see only a known-good binary and never inspect what it goes on to execute.
Conclusion
The use of reputational hijacking with JamPlus to bypass Smart App Control (SAC) shows how reputation-based allow-listing can be turned against itself. By folding legitimate applications and build utilities into their tooling, threat actors avoid presenting any unknown binary for the control to judge, which improves their odds of evading detection and completing the intrusion.
The deployment of NodeStealer in this campaign underscores the growing complexity of cyber threats and the challenges faced by cybersecurity professionals.