Attackers Abuse TikTok Invisible Challenge to Spread Info Stealer

Threat actors are exploiting interest in a popular TikTok challenge called the Invisible Challenge to trick users into downloading information-stealing malware.

Threat actors are exploiting the popularity of a TikTok challenge called the Invisible Challenge to trick users into downloading information-stealing malware, Checkmarx researchers warn.

Participants in the “invisible challenge” apply a filter called “invisible bodies,” which removes the person’s body from the video and leaves only a blurred silhouette; many participants pose nude behind the filter.

Researchers found that the threat actors post TikTok videos with links to fake software called “unfilter,” which supposedly removes the filter and exposes the nudity of the people in the videos.

The TikTok videos posted by the threat actors behind the campaign racked up over a million views in just a few days. The videos were posted by the TikTok users @learncyber and @kodibtc on Nov 11, 2022.

“The instructions for obtaining the ‘unfilter’ software deploy WASP stealer malware hidden in malicious Python packages. TikTok videos posted by the attackers have garnered over a million views in just a few days,” reads the report published by Checkmarx.

“The GitHub repository hosting the attacker’s code is listed among GitHub’s trending projects of the day. So far, more than 30,000 members have joined the Discord server created by the attackers, and the number continues to increase as the attack progresses.”

In mid-November, Checkmarx discovered an ongoing supply chain attack by a threat actor they track as WASP targeting Python developers; the malware delivered in that campaign is the W4SP Stealer.

The malicious code steals the victim’s Discord account, passwords, cryptocurrency wallets, credit cards, and other sensitive data from the victim’s PC. The stolen data is sent back to the attackers via a hardcoded Discord webhook address.

The threat actor offers the WASP stealer for $20, claiming it is undetectable and “protected with some awesome obfuscation.” The supply chain attacks appear to be financially motivated.

The video included an invitation link to an attacker-controlled Discord server (“Unfilter Space”), which experts reported had 32,000 members join before it was taken down.

Once on the server, victims receive a link to a GitHub repository hosting the information-stealing malware. The project’s README file also links to a now-deleted YouTube tutorial that instructs users on how to run the installation script.

After the Discord server “Unfilter Space” was taken down, the attacker renamed the GitHub repository to 42World69/Nitro-generator, deleted the old files, and uploaded new files matching the Nitro-generator theme.

This campaign has been linked to other malicious Python packages in which the information-stealing malware was embedded, such as ‘tiktok-filter-api’, ‘pyshftuler’, ‘pyiopcs’ and ‘pydesings’.
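As an added defender-side example (not code from the article or from Checkmarx), the script below flags the two indicators the article gives: a dependency on one of the named malicious PyPI packages, and a hardcoded Discord webhook URL of the kind the stealer uses for exfiltration, peeling one base64 layer because the article notes the stealer is obfuscated. The package list and the sample inputs are constructed from the article’s text; the webhook ids and tokens are placeholders.

```python
import base64
import binascii
import re

# Package names the article lists as carrying the stealer (a short list, not a full feed).
KNOWN_BAD_PACKAGES = {"tiktok-filter-api", "pyshftuler", "pyiopcs", "pydesings"}
# Shape of a Discord webhook URL: numeric id followed by a token.
WEBHOOK_RE = re.compile(r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
# Base64 literals of 64+ chars; a wrapped webhook URL encodes to well over that.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

def normalize(name: str) -> str:
    """PEP 503 normalisation so 'TikTok_Filter.API' matches 'tiktok-filter-api'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def flag_requirements(text: str) -> list[str]:
    """Return the requirement lines that pull in a known-bad package name."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        name = re.split(r"[\s<>=!~;\[@]", line, maxsplit=1)[0]  # strip version specifiers
        if normalize(name) in KNOWN_BAD_PACKAGES:
            hits.append(line)
    return hits

def find_webhooks(source: str) -> list[str]:
    """Return hardcoded Discord webhook URLs, plaintext or one base64 layer deep."""
    hits = WEBHOOK_RE.findall(source)
    # The article notes the stealer is obfuscated; base64 is the cheapest wrapper
    # to peel, so decode long base64 literals and rescan the result.
    for blob in B64_RE.findall(source):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue
        hits.extend(WEBHOOK_RE.findall(decoded))
    return hits

# Constructed samples (not real campaign artefacts): a poisoned requirements file
# and a source file carrying one plaintext and one base64-wrapped webhook.
SAMPLE_REQUIREMENTS = "requests>=2.28\ntiktok-filter-api==1.0.2  # added by installer\npillow\n"
PLAIN_HOOK = "https://discord.com/api/webhooks/000000000000000000/PLAIN-PLACEHOLDER"
HIDDEN_HOOK = "https://discordapp.com/api/webhooks/111111111111111111/HIDDEN-PLACEHOLDER"
SAMPLE_SOURCE = (
    f"hook = '{PLAIN_HOOK}'\n"
    "blob = '" + base64.b64encode(f"hook = '{HIDDEN_HOOK}'".encode()).decode() + "'\n"
)
```

Run `flag_requirements` over requirements files and `find_webhooks` over the Python sources of a freshly installed package; a plaintext match only catches copies that are not wrapped more deeply than one base64 layer, so the dependency check is the more reliable of the two.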

“The high number of users attempting to join this Discord server and potentially install this malware is concerning,” concludes the report. “The level of manipulation used by software supply chain attackers is increasing as attackers become smarter. This attack seems to be continuing, and whenever Python’s security team deletes his packages, he quickly improvises and creates a new identity, or simply uses a different name.”


Pierluigi Paganini
