Multiple new malware campaigns have been spotted in which hackers are taking advantage of the recent TikTok bans around the world to deliver infostealers to unsuspecting victims.
Cybersecurity researchers from Cyble recently discovered at least five malicious websites, pretending to offer the installation file for CapCut.
CapCut is the official video editor and video maker for TikTok, the world’s most popular social media platform right now, allowing users to mix music, add color filters, various animations, generate slow-mo effects, add picture-in-picture features, stabilize their videos, and a lot more.
The official TikTok app has more than 500 million downloads on Google’s Play Store, however it is developed by ByteDance, a Chinese software maker, and as such, the app is being heavily scrutinized in the West.
Some countries are claiming the Chinese government might pressure ByteDance into sharing sensitive data with the authorities, thus compromising the privacy of its users. The problem escalated even further in recent weeks, when the US government banned its employees from having the app installed on government-issued mobile devices. Furthermore, countries such as Taiwan, India, and elsewhere, have also issued nationwide bans on the app.
As a result, people are looking for alternative ways to download the app, which is where criminals come in. They created multiple malicious websites, pretending to offer the video editing app for download, but instead are deploying two malware variants: one is the Offx Stealer, and the other one is the RedLine Stealer.
Offx runs on Windows 8, 10, and 11, and when installed, will display an error message to the victim, while continuing to operate in the background. RedLine Stealer is one of the world’s most popular (and infamous) infostealers, allowing threat actors to exfiltrate data stored in web browsers and applications (for example login credentials, credit card information, and similar), as well as cryptocurrency wallet data, and more.
By the time Cyble’s report was made public, all of the discovered domains have been taken offline. However, that doesn’t mean that the attackers simply won’t move their infrastructure elsewhere, so it’s best to be on high alert, especially when downloading apps from non-official sources.