CyberSecurity SEE

Reputational Hijacking With JamPlus: Bypassing SAC With CapCut


A recent study by Cyble Research and Intelligence Labs (CRIL) has exposed a novel phishing scheme that exploits the popular video editing tool CapCut, developed by ByteDance. The campaign uses the JamPlus build utility to circumvent Smart App Control (SAC) and deliver harmful payloads, a sophisticated reputational hijacking tactic.

CapCut has garnered considerable attention as a video editing application, making it a prime target for threat actors looking to leverage its reputation for nefarious purposes. The latest findings from CRIL show how malicious actors use a phishing site posing as a CapCut download page to deceive users into downloading malware.

The modus operandi of the CapCut phishing campaign centers on the threat actors' use of JamPlus, a build utility. This reputational hijacking technique entails bundling a genuine CapCut application inside a malicious package so that the package evades conventional security measures. It signifies a shift in attack strategy toward eluding security controls while maximizing the impact of malicious campaigns.

The attack unfolds in multiple stages to evade detection. It commences when a user downloads a malicious package from a fake CapCut installer phishing site. This package includes a legitimate CapCut application, the JamPlus build utility, and a malicious “.lua” script.

Upon running the CapCut application, the JamPlus build utility is triggered; it then executes the malicious “.lua” script, which stealthily downloads and executes a batch file from a remote server. The use of fileless techniques is pivotal in this attack to elude traditional security mechanisms and operate undetected.

The phishing site mirrors a genuine CapCut download page and coaxes users into clicking a “Download” button. This action initiates the download of an archive named “CapCut_{random number}_Installer” from a specific URL. After extraction, the user encounters a file posing as a CapCut installer; it contains the legitimate application alongside concealed files used for malicious purposes, namely the JamPlus build utility and the malicious “.lua” script.

Moreover, the CapCut shortcut on the desktop defaults to executing the CapCut application located in a specific directory. In this attack, the JamPlus build utility is renamed to “capcut.exe” to exploit the application’s reputation and launch the malicious script successfully.

The malicious “.lua” script downloads a batch file from a remote server, which carries out several actions: downloading and installing files into specific folders and running a Python script named “sim.py”. This Python script is the stage that executes the NodeStealer malware variant, which is designed to steal sensitive data from the victim’s machine and exfiltrate it via Telegram for added obfuscation.
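The chain described above leaves a recognizable process lineage on the endpoint: a binary named capcut.exe whose internal PE metadata does not say CapCut, that same binary started with a .lua script argument, capcut.exe spawning a command interpreter for the batch stage, and a Python interpreter running sim.py. The following detection logic is an added example written for this article, not code from CRIL or Cyble. It runs over constructed process-creation records modelled on Sysmon Event ID 1 fields; all file paths, the `-f loader.lua` argument form, and the assumption that JamPlus reports an OriginalFileName of `jam.exe` are the example's own, since the report excerpt states no such values.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1)."""
    image: str              # path of the new process
    cmdline: str            # its command line
    parent_image: str       # path of the parent process
    original_filename: str  # OriginalFileName from the PE version resource, "" if absent


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Children the JamPlus-driven .lua stage would need in order to run a batch file or sim.py.
STAGE_CHILDREN = {"cmd.exe", "python.exe", "pythonw.exe"}


def classify(ev: ProcEvent) -> List[str]:
    """Return the list of chain indicators matched by a single event (empty if benign)."""
    findings: List[str] = []
    name = _basename(ev.image)
    parent = _basename(ev.parent_image)

    if name == "capcut.exe":
        # A renamed build tool keeps its own PE version resource, so the internal
        # name stops matching the file name. Assumption: genuine CapCut carries
        # OriginalFileName "CapCut.exe" and JamPlus carries "jam.exe".
        if ev.original_filename and _basename(ev.original_filename) != "capcut.exe":
            findings.append(f"capcut.exe internal name is {ev.original_filename}")
        # The real editor is not driven by a build script on its command line.
        if ".lua" in ev.cmdline.lower():
            findings.append("capcut.exe started with a .lua script argument")

    if parent == "capcut.exe" and name in STAGE_CHILDREN:
        findings.append(f"capcut.exe spawned {name}")

    if name in {"python.exe", "pythonw.exe"} and "sim.py" in ev.cmdline.lower():
        findings.append("python executing sim.py")

    return findings


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that matched at least one indicator."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        f = classify(ev)
        if f:
            hits[i] = f
    return hits


# Constructed sample telemetry; paths and arguments are illustrative, not from the report.
SAMPLE_EVENTS = [
    # 0: genuine CapCut launched from the desktop shortcut (benign)
    ProcEvent(r"C:\Users\u\AppData\Local\CapCut\Apps\CapCut.exe", '"CapCut.exe"',
              r"C:\Windows\explorer.exe", "CapCut.exe"),
    # 1: JamPlus renamed to capcut.exe and fed the dropped .lua script (argument form assumed)
    ProcEvent(r"C:\Users\u\Downloads\CapCut_12345_Installer\capcut.exe", "capcut.exe -f loader.lua",
              r"C:\Windows\explorer.exe", "jam.exe"),
    # 2: the .lua stage runs the downloaded batch file
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c stage.bat",
              r"C:\Users\u\Downloads\CapCut_12345_Installer\capcut.exe", "Cmd.Exe"),
    # 3: the batch file runs sim.py with a dropped Python interpreter
    ProcEvent(r"C:\Users\u\AppData\Local\Temp\python\python.exe", "python.exe sim.py",
              r"C:\Windows\System32\cmd.exe", "python.exe"),
    # 4: unrelated Python usage (benign)
    ProcEvent(r"C:\Python312\python.exe", "python.exe build.py",
              r"C:\Windows\System32\cmd.exe", "python.exe"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, findings)
```

The OriginalFileName mismatch is the cheapest of these checks and the one least affected by the attacker's choice of script or folder names; the parent-child rules cover the case where version metadata is stripped or unavailable in the telemetry.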

The deployment of NodeStealer underscores the sophistication of current threats and the challenges facing cybersecurity professionals. This form of reputational hijacking with JamPlus is not an isolated incident; similar tactics have been observed in other campaigns, such as those abusing legitimately signed applications like Postman.

In conclusion, the utilization of reputational hijacking with JamPlus to bypass SAC represents a notable advancement in attack strategies. By integrating legitimate applications and utilities, threat actors enhance their ability to evade detection and execute sophisticated attacks, posing significant challenges to cybersecurity efforts in safeguarding against evolving cyber threats.
