Infostealers distributed via fraudulent CapCut websites

SC StaffMay 22, 2023

Different information-stealing malware strains have been distributed in separate campaigns leveraging websites masquerading as the TikTok video editor CapCut, according to BleepingComputer. Threat actors behind the first campaign used fraudulent CapCut sites to facilitate the delivery of the Offx Stealer with a PyInstaller-compiled binary on Windows 8, 10, and 11 devices, a Cyble report showed. Execution of Offx Stealer would enable the exfiltration of web browser passwords and cookies and certain file types, as well as data in cryptocurrency wallet apps, messaging apps, and remote access software. On the other hand, the second campaign involved the deployment of a batch script-containing file that would prompt a PowerShell script that would then facilitate the delivery of the RedLine stealer and a .NET executable. While RedLine would enable data theft, the other payload would ensure that the stealer remains undetected on the impacted systems. All fraudulent websites including capcut-freedownload[.]com, capcutfreedownload[.]com, capcut-editor-video[.]com, capcutdownload[.]com, and capcutpc-download[.]com have already been disrupted and users have been urged to download CapCut from legitimate channels to avoid compromise.

SC Staff

Related

Golden Chickens malware developer unmasked

SC StaffMay 22, 2023

Golden Chickens malware developer unmasked SecurityWeek reports that Golden Chickens malware, which has been used by the Russian Cobalt Group and FIN6 cybercrime operations, had its second developer identified by eSentire to be a Romanian named Jack, also known as Lucky and badbullzvenom. Password stealers were Jack's main specialty when he began engaging in cybercrime as a teen, releasing the Voyer malware tool for exfiltrating Yahoo instant messages between 2007 and 2008, followed by the FlyCatcher tool for keystroke logging between 2008 and 2009, and the Con password stealer for browser, instant messenger, VPN, and FTP app credential theft in 2010, according to the eSentire report. Jack was noted by researchers to have met with Golden Chickens co-developer 'Chuck from Montreal' in the dark web from late 2012 to October 2013, before proceeding to release Multiplier and VenomKit in 2015 and 2017, respectively, which were later consolidated into Golden Chickens. "Security experts assert that in 2017 the Cobalt Group used badbullzvenoms (aka: Lucky) VenomKit to deploy Cobalt Strike in attacks on banks and then they used it again in 2018," said eSentire, which noted that the malware suite was leveraged by FIN6 in 2019, the same year when the suite included the PureLocker ransomware plugin.

KeePass vulnerability puts master passwords at risk

SC StaffMay 21, 2023

Open source password manager KeePass is being impacted by a security flaw, tracked as CVE-2023-32784, which could be exploited to facilitate master password retrieval from program memory, SecurityWeek reports. "The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system.

RSAC update

Emerging technology

The AI message at RSAC was long on hype and short on specifics

Mike Parkin May 4, 2023

Overall, cybersecurity pros who attended RSAC tend to believe they have more to gain from AI than the threat actors – let’s hope that’s true.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news