Monday, 22 May 2023 12:44

ByteDance’s TikTok Video Editor/Maker CapCut Being Impersonated to Spread Malware

Written by
Rate this item
(0 votes)

Reading time is around minutes.

Video editing software CapCut users are being targeted by attackers to push different strains of malware. For those that are not aware of that CapCut is, it is a video editor and maker for TikTok and is the official one at that (ByteDance also owns TikTok). With over 500 million downloads from Google Play alone it is clearly a very popular app for people to grab to feed their TikTok streams with. It was only a matter of time before someone decided to go after the poplar app and with the growing number of bans and lock outs for ByteDance and their services, offering what appears to be an alternative way to get this software makes sense (from an attacker perspective).

According to Cyble, the group that identified the cloned sites, there are two different campaigns that are targeting users, each uses a different variety of malware and multiple domains. One uses a PyInstaller compiled binary that pushes Offx Stealer which works on Windows 8 and newer. As an information stealer, Offx Stealer, grabs quite a bit of data including numerous image and text files, database files and even python scripts. It can also grab passwords, cookies, Discord data, and Crypto Wallets from the devices it infects. Exfiltration has redundant methods including Telegram and AnonFiles (even threat groups get BC/DR concepts).

The second campaign sees the malware encapsulated in a rar file for execution on the target device. This drops a batch script that calls PowerShell (it is always PowerShell). The call to PowerShell then completed the rest of the hard work, decrypting the malware, unpacking the malware, and loading the malware. The malware in question here is Redline Stealer along with a .NET binary that gets around the Windows AMSI (Anti-Malware Scan Interface) which could allow Redline to remain undetected on an infected system.

Both campaigns can be protected against although the latter requires some advance configuration to ensure that PowerShell is not called by the batch script or that the PowerShell commands used in the second stage of installation are identified as Malicious. Blocking general processes from spawning PowerShell and/or blocking the execution of Base64 encoded scripts by PowerShell can do the trick. The downside is that the vast majority of consumers would not even be aware of how to get this configured on their own in Windows and Microsoft is not well known for helping consumers better understand security on their personal devices. Of course, there is the problem that in Windows Home configurable security options are thin on the group in the first place with very little a consumer can do to shore up the exposures available in PowerShell.

If you are a TikTok user, make sure you either have proper protections in place (a very good anti-malware solution, or just ensure you are only getting CapCut directly from Google Play, Apple App Store or from CapCut directly. In general, avoid using “free alternatives” or heavily promoted options when searching for tools. They are often a red flag to begin with.

Read 347 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.