Skip to main content

While digging through a malicious document which I was working on earlier this week (SHA256: 1024f399ddef…8151c566), I took interest in a URL flagged as malicious by Varist Hybrid Analyzer as shown in the screenshot below.

Figure 1.0 Varist Hybrid Analyzer File Analysis Report for 1024f399ddefa2c1496efc5b06b2faadea4f6f311be141f0cd4b35ea8151c566

Relevant indicators found in this analysis report prompted me to dig further and hunt for possibly related threats using the same domain (bot.khoadang50.repl.co). Looking through the communicating files listed in VirusTotal’s relations page as shown in the screenshot below, one name stood out to me, Capcut Pro Setup.exe. Capcut is a free, all-in-one video editing tool, packed with everything necessary to create high-quality, visually appealing videos and is popular with content creators posting on TikTok.

Checking the file overview shows the same icon used for the legitimate Capcut installer as shown in the screenshot below. Given Capcut’s popularity, this potentially malicious copy-cat installer would most probably be distributed to unsuspecting users via Malvertising, which is a known SEO poisoning technique used by cybercriminals to abuse search engine results leading to malware download. Such technique was used in distributing the SolarMarker backdoor, also known as Jupyter, Polazert and Yellow Cocatoo.

Figure 2.1 Communicating Files related to the malicious domain


Figure 2.2 File Overview showing Capcut installer icon

Malware Analysis

The Varist Hybrid Analyzer analysis report for this sample (SHA256: 7da76830…7eae4467) shows that it is a PyInstaller executable using Python version 3.11. A PyInstaller executable is basically a python script compiled to run as a Windows PE Executable (EXE), which is becoming a common medium for packaging malware, since it can be compiled to run on different OS platforms such as Windows, MacOS and Linux.

Figure 3.0 Varist Hybrid Analyzer File Analysis Report for Capcut Pro Setup.exe

Using in-house tools such as Varist AVSDK and open-source tools such as pycdc, we are able to extract and decompile the malicious code from the malicious PyInstaller executable as shown in the code snippet below.

Figure 4.0 Code Snippet from Decompiled PyInstaller malware

Looking at the decompiled code, we can see that upon execution, the malware downloads and executes a clean installer of Capcut from hxxps://cdn.discordapp.com/attachments/1137381770573131827/1174000588493684849/capcut_capcutpc_0_1.1.1_installer.exe saved under the file C:\Users\Public\setup.exe. This behavior further lures the user into believing that the downloaded copycat installer is legitimate.

While the clean setup of Capcut is installed, the malware then downloads clean Python libraries and executable from hxxps://bot.khoadang50.repl.co/python.zip into C:\Users\Public\Document\python.zip to be able to execute its initial payload from hxxps://bot.khoadang50.repl.co/bot1.py. This payload is saved to C:\Users\Public\Document\documents.py, which when executed, further downloads and executes malicious Python code from a base64 encoded URL, hxxps://bot.khoadang50.repl.co/mahoa.py, as shown in the code snippet below.

Figure 5.0 Code Snippet of Initial Payload containing Base64 Encoded URL of Final Payload Malware

This behavior, considered as a “Living off the land” (LOTL) technique, is a fileless malware attack technique widely used by cybercriminals to run malware without having to save actual malicious code into the affected system, by using legitimate tools such as the Python interpreter in this case.

The final malware payload is also encoded using Base64, which is commonly used by cybercriminals to evade detection. After decoding the payload, it is executed using the exec function. As shown in the code snippet below, the final malware payload checks for the existence of web browsers such as Chrome, Firefox, Edge, Opera, Brave, CocCoc and Chromium, where it attempts to steal stored user credentials and saves data into an archive file as %temp%\[infected_system_country_code][space][infected_system_ip_address][date_and_time_of_infection].zip

Figure 6.0 Code Snippet of Malicious Python Payload used to steal User Credentials from Browsers

After collecting the stolen credentials, the archived data is sent to the threat actor via Telegram API, which can be identified from the following URL, hxxps://api.telegram.org/bot6316835523:AAEUMb67kUfj4hBW1iFLH86W_B1bhHba4fU/sendDocument as shown below.

Figure 7.0 Code Snippet of Stolen Credential Exfiltration

The exfiltrated data containing the stolen user credentials are sent through Telegram API with a caption containing information from the affected system following the string format in the table below, with the chat_id, -4041864387, which is hard-coded in the initial payload.

Table 1.0 Telegram Message Caption Data Format

Indicators of Compromise

File name/URL  

SHA256/Description  

Varist Detection  

  1024f399ddefa2c1496efc5b06b2faadea4f6f311be141f0cd4b35ea8151c566  URL/Downldr.EH.gen!Eldorado 
CapCut Pro Setup.exe  7da768304a04da20108d5e9cfe25f098fcdf318313cfdca648aa8ca17eae4467  URL/Downldr.EH.gen!Eldorado 
hxxps://bot.khoadang50.repl.co/bot1.py  eb29050c68e19d7782792a2e22ee67c62a151bec97c33284eda002a094e35d84  PY/Stealer.C 
hxxps://bot.khoadang50.repl.co/mahoa.py  7d4fed76166b3d4201152ba490fbe2c0702ee08d9c8ddc1b1475e9909d83742e  PY/Stealer.C 
hxxps://api.telegram.org/bot6316835523:AAEUMb67kUfj4hBW1iFLH86W_B1bhHba4fU/sendDocument  Exfiltration URL   

 

Best Practice and Recommendations

Varist highly recommends keeping your antivirus definitions up to date and always exercise caution when installing applications from untrusted sources. Doing so helps keep your system and devices clear from malware attacks or activity.

The Varist Hybrid Analyzer service demo is now accessible for cybersecurity practitioners to analyze malware samples. Hybrid Analyzer can perform deep analysis of billions of files per day in real time empowers analyst to analyze any file at high speed and low cost. Real-time policy enforcement and incident response just got easier!

December 1, 2023 in Blog

A Duck’s Trail

The Footprint We came across what seems to be a builder as the filename LnkBotBuilder_v4.zip implies. We also assume that it is already on version 4 via the string "v4".…
Read More
November 29, 2023 in Blog

The Duck Who Sneaked Through Feeds

Malicious Facebook Ads Malvertisements are one of many infection vectors that threat actors use. It gives them an advantage to pique the interest of unsuspecting users to fall victim to…
Read More
November 22, 2023 in Blog

Capcut’s Copycat Installs Trojan Stealer

While digging through a malicious document which I was working on earlier this week (SHA256: 1024f399ddef...8151c566), I took interest in a URL flagged as malicious by Varist Hybrid Analyzer as…
Read More