Malware Analysis Capcut fake stealer


likeastar20 (thread author):
There is a new stealer that masquerades as an app called Capcut. As of the time of writing, the only detection on VT is from Kaspersky. I tested the sample with BD, no reaction. (@silversurfer @SeriousHoax @RansomwareRemediation)



Not detected by Avast.


Just tried a quick test only in VMware Pro v17 (Win 10 x64); this sample does still run with an outbound connection, no reaction from BD Free, at least so far...

I have not yet sent the sample directly to any AV vendor. I wanted to see who would detect it first with their behavior modules. If I send it to BD, for example, I expect the sample to be detected in about 2-3 hours...
Harmony Endpoint with Sophos: the file is detected by threat emulation upon download.
I switched emulation off and executed the file; there is no detection.
There is also no node.js or anything suspicious running.

Edit:
The file relies on openconsole.exe, which under my policy is blocked. The sample can't work properly.
K and Sophos will now detect both the original file and the triple-sized thrown-off daughter (actually even Defender is now aware). The spawned Visual Studio modules are also never a good thing. But once again, an outbound-alerting firewall would have noticed a connection out to Command, an Amazon address also used in olden times by DarkSide.
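The post above makes the point that an outbound-alerting firewall would have surfaced the sample's connection out even while the AVs stayed quiet. The snippet below is an added example, not code from the thread or from any of the vendors mentioned: it lists established outbound TCP connections on a Windows host, maps each one to its owning process, and flags connections owned by processes on a watchlist. The watchlist contents and the "private address" regex are assumptions chosen for illustration (openconsole.exe and node.exe are listed only because earlier posts mention them); they are not indicators taken from the sample.

```powershell
# Added example (not from the thread): show which processes hold outbound
# connections to non-private addresses, the view an outbound-alerting firewall
# gives you. Watchlist entries are assumptions for illustration, not IOCs.
$watch = @('openconsole.exe', 'node.exe', 'powershell.exe', 'cmd.exe')

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918, loopback and link-local (v4 and v6). Anything else is treated
    # as external for the purpose of this check. Assumed ranges, adjust as needed.
    return ($Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$|fe80:)')
}

# Snapshot running processes once so each connection can be resolved by PID.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
    ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $name = if ($p) { "$($p.ProcessName).exe".ToLower() } else { 'unknown' }
        [pscustomobject]@{
            Process    = $name
            PID        = $_.OwningProcess
            Path       = if ($p) { $p.Path } else { $null }   # Path needs elevation for some processes
            Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
            Suspicious = $watch -contains $name
        }
    } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session while the sample is executing in the VM; a process from the watchlist (or an unfamiliar path) holding a connection to an external address is the event the firewall alert would have raised. Reverse-DNS or ASN lookup of the remote address is deliberately left out so the script runs offline.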
There is a new stealer that masquerades as an app called Capcut.
Was reported about 2 months ago here:


Even back in 2020 the Indian government wasn't happy about the official app.

Re-tested this sample; this time BD Free does detect a part... but the source sample remained undetected for now ;)
I submitted this one to BD today in the morning, before this stealer sample was shared here. I didn't notice that it was used in this one also; I saw a different malware using it yesterday. I asked BD to add at least a PUP detection for it, similar to Kaspersky, and they did it. Though Kaspersky's signature is "not-a-virus....." for this one, which means Kaspersky on default settings would not notify (only if you open the K UI) or even stop execution of it. I don't know the details, but the file can be used for legal purposes also.