Threat actors from Vietnam are using CapCut-themed phishing lures to distribute malicious software, including the advanced NodeStealer malware, which targets sensitive user data, including login credentials and cryptocurrency wallets.
Researchers observed that the infection starts when unsuspecting users download a malicious CapCut installer from phishing websites. This package includes three key components: the legitimate CapCut application, the JamPlus build utility, and a hidden malicious “.lua” script.
Once the user opens the legitimate CapCut application, the JamPlus build utility is executed, triggering the malicious “.lua” script. This script downloads a secondary batch file, which then fetches the final payload from a remote server — ultimately infecting the system with NodeStealer.
Researchers discovered that this multi-stage infection chain starts with a phishing site offering a seemingly legitimate CapCut installer. When users download and extract the package, they unknowingly initiate a series of malicious actions.
The JamPlus build utility, masquerading as a legitimate component, runs the malicious “.lua” script, which downloads and executes a batch file. This batch file downloads additional payloads from remote servers, eventually leading to the deployment of NodeStealer.
“The initial infection occurs when a user downloads a malicious package from a CapCut phishing site. The package contains a legitimate CapCut application, JamPlus build utility, and a malicious .lua script,” researchers said. “. When the user runs the legitimate CapCut application, it triggers the JamPlus build utility, which then executes a malicious .lua script. This process utilises reputational hijacking to mask the execution of the malicious script. This script then downloads a batch file that subsequently fetches and executes the final payload from a remote server.”
NodeStealer is a highly sophisticated piece of malware that can steal various sensitive data from a victim’s machine. It primarily targets login credentials, cookies, and payment details from Chromium and Gecko-based web browsers. It also targets sensitive information from Facebook Business accounts and cryptocurrency wallets. This stolen data is exfiltered via Telegram.
One of the most alarming aspects of this campaign is the use of ‘reputation hijacking’ to bypass security measures. The attackers effectively mask their malicious intent by embedding the attack within the legitimate CapCut application and utilising the JamPuls build utility.
This allows the attack to evade security controls, such as Microsoft’s Smart App Control and prevents security alerts from being triggered.
Researchers believe the threat actors’ use of the JamPlus build utility is critical to this strategy. Typically used for legitimate software development, JamPlus has been co-opted by the attackers to run their malicious scripts undetected.
Researchers have also identified a similar attack campaign utilising the same tactics to deliver the RedLine Stealer malware. In this case, attackers employed a legitimately signed Postman application, leveraging the JamPlus build utility to execute malicious scripts.
To counter the attack, researchers recommend verifying the legitimacy of URLs before downloading software, limiting the execution of non-essential scripting languages, and implementing comprehensive monitoring tools to detect unusual activity.
Other methods include application whitelisting and network-level monitoring to block suspicious data exfiltration attempts.
In the News: xAI explores revenue-sharing deal with Tesla