TikTok ‘Invisible Body’ challenge exploited to push malware

    alf9872000

    • 506 views
    • 3 minutes

    Hackers are capitalizing on a trending TikTok challenge named 'Invisible Challenge' to install malware on thousands of devices and steal their passwords, Discord accounts, and, potentially, cryptocurrency wallets.

    A new and trending TikTok challenge requires you to film yourself naked while using TikTok's "Invisible Body" filter, which removes the body from the video and replaces it with a blurry background.

    This challenge has led to people posting videos in which they are allegedly naked but obscured by the filter.

    To capitalize on this, threat actors are creating TikTok videos that claim to offer a special "unfiltering" filter that removes TikTok's body-masking effect and exposes the TikTokers' nude bodies.

    However, this software is fake and instead installs the "WASP Stealer (Discord Token Grabber)" malware, which can steal Discord accounts, passwords and credit cards saved in browsers, cryptocurrency wallets, and even files from the victim's computer.

    These videos received over a million views shortly after being posted, and one of the threat actors' Discord servers amassed over 30,000 members.

    Targeting TikTok trends

    In a new report by cybersecurity firm Checkmarx, researchers found two TikTok videos posted by the attackers that quickly amassed over a million views combined.

    The now-suspended TikTok users @learncyber and @kodibtc created the videos to promote a software app to "remove filter invisible body" offered on a Discord server named "Space Unfilter."

    The threat actors have since moved this Discord server, but Checkmarx states that it had approximately 32,000 members at one point.

    TikTok videos posted by the attackers (Checkmarx)

    Once the victims join the Discord server, they see a link posted by a bot pointing to a GitHub repository that hosts the malware.

    Discord server used in the attacks (Checkmarx)

    This attack has been so successful that the malicious repository achieved "trending GitHub project" status, and although it has since been renamed, it currently has 103 stars and 18 forks.

    GitHub repository hosting the malware downloader (Checkmarx)

    The repository contained a Windows batch file (.bat) that, when executed, installs a malicious Python package (the WASP downloader), along with a ReadMe file linking to a YouTube video with instructions on installing the TikTok "unfilter" tool.

    Checkmarx analysts discovered that the attackers used multiple Python packages hosted on PyPI, including "tiktok-filter-api", "pyshftuler", "pyiopcs" and "pydesings", with new ones added every time the old packages are reported and removed.

    The attackers also use the "StarJacking" technique on PyPI: the package's metadata links to a popular GitHub project they have no association with, so the package page shows that project's stars and forks and appears legitimate. PyPI takes these statistics from whatever GitHub URL the uploader declares and does not verify that the repository actually publishes the package.

    Malicious package on PyPI (Checkmarx)
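
    The StarJacking pattern described above can be checked mechanically: take the GitHub URL a package declares in its PyPI metadata and ask whether that repository's own packaging files name the same distribution. The following is an added example written for this page, not Checkmarx's tooling; the package names, repository name and file contents are constructed for the demonstration.

```python
"""StarJacking consistency check (added example, not Checkmarx's code).

PyPI renders the star/fork counts of whatever GitHub URL a package declares
in its metadata, so the check is simply: does the linked repository's own
packaging configuration declare this distribution name?
"""
import re
from urllib.parse import urlparse

_GITHUB_PATH = re.compile(r"^/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?/?$")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def github_repo_from_pypi(info: dict):
    """Return (owner, repo) from the first GitHub URL in PyPI 'info' metadata, or None."""
    candidates = [info.get("home_page") or ""]
    candidates += list((info.get("project_urls") or {}).values())
    for url in candidates:
        parsed = urlparse(url)
        if parsed.netloc.lower() in ("github.com", "www.github.com"):
            match = _GITHUB_PATH.match(parsed.path)
            if match:
                return match.group(1), match.group(2)
    return None


def repo_publishes(package: str, repo_files: dict) -> bool:
    """True if the repo's setup.py or pyproject.toml declares this distribution name."""
    want = normalize(package)
    found = re.search(r"\bname\s*=\s*['\"]([^'\"]+)['\"]", repo_files.get("setup.py", ""))
    if found and normalize(found.group(1)) == want:
        return True
    found = re.search(r'^\s*name\s*=\s*"([^"]+)"', repo_files.get("pyproject.toml", ""), re.M)
    return bool(found and normalize(found.group(1)) == want)


def starjacking_verdict(package: str, pypi_info: dict, repo_files: dict) -> str:
    """Classify a package by whether its advertised GitHub repo really publishes it."""
    repo = github_repo_from_pypi(pypi_info)
    if repo is None:
        return "no-github-link"
    if repo_publishes(package, repo_files):
        return "consistent"
    return f"suspicious: {repo[0]}/{repo[1]} does not publish {package!r}"


# Constructed inputs (hypothetical names, not real PyPI or GitHub data).
# A package pointing at a popular repository it has nothing to do with:
STARJACKED_INFO = {
    "name": "totally-legit-api",
    "home_page": "https://github.com/some-org/popular-project",
    "project_urls": {"Source": "https://github.com/some-org/popular-project"},
}
# The genuine package published from that same repository:
HONEST_INFO = {
    "name": "Popular_Project",
    "home_page": "https://github.com/some-org/popular-project.git",
    "project_urls": {},
}
# What the repository's packaging files say (constructed):
POPULAR_REPO_FILES = {
    "setup.py": 'from setuptools import setup\nsetup(name="popular-project", version="2.3.1")\n',
}

if __name__ == "__main__":
    for pkg, info in (("totally-legit-api", STARJACKED_INFO), ("Popular_Project", HONEST_INFO)):
        print(pkg, "->", starjacking_verdict(pkg, info, POPULAR_REPO_FILES))
```

    With network access, `pypi_info` is the `info` object returned by `https://pypi.org/pypi/<name>/json`, and `repo_files` holds the `setup.py` and `pyproject.toml` fetched from the linked repository's default branch; a "suspicious" verdict means the stars shown on the PyPI page were borrowed from a project that never published the package.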

     

    The malicious package copies the code of the legitimate project it impersonates, with a single modification that installs the WASP malware on the host.

    Malicious modification in the code (Checkmarx)
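
    A copied project with one injected modification is hard to spot by eye, but the modification has to run somewhere: typically a setuptools command subclass that executes during `pip install`, or a dropper that decodes and spawns a payload. The following added example (written for this page, not Checkmarx's analysis tool, and not the actual WASP code) walks a file's AST and flags those patterns; both sample files are constructed, and the "payload" in the suspect one is a harmless placeholder string.

```python
"""Heuristic scan of a setup.py or module for install-time hooks and droppers.

Added example, not Checkmarx's tooling. The two sample files below are
constructed; the suspect one mimics the shape of a dropper, not WASP itself.
"""
import ast

# Calls that execute code or spawn processes.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__",
                    "os.system", "os.popen", "os.execv", "os.execve", "os.startfile"}
# Modules a plain packaging script has little reason to touch.
SUSPICIOUS_MODULES = {"subprocess", "urllib", "requests", "base64",
                      "socket", "ctypes", "marshal", "zlib"}
# setuptools command classes that attackers subclass to run code during `pip install`.
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}


def _dotted(node) -> str:
    """'a.b.c' for Name/Attribute chains, '' for anything else (e.g. a call result)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class _Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                self.findings.append(f"line {node.lineno}: imports {alias.name}")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module and node.module.split(".")[0] in SUSPICIOUS_MODULES:
            self.findings.append(f"line {node.lineno}: imports from {node.module}")
        self.generic_visit(node)

    def visit_ClassDef(self, node):
        # `class X(install)` or `class X(setuptools.command.install.install)`
        bases = {_dotted(b).rsplit(".", 1)[-1] for b in node.bases}
        hooked = sorted(bases & INSTALL_COMMANDS)
        if hooked:
            self.findings.append(f"line {node.lineno}: class {node.name} subclasses "
                                 f"setuptools command {hooked} (install-time hook)")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in SUSPICIOUS_CALLS or name.split(".")[0] in SUSPICIOUS_MODULES:
            self.findings.append(f"line {node.lineno}: calls {name}()")
        if name.rsplit(".", 1)[-1] == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    self.findings.append(f"line {node.lineno}: setup() overrides cmdclass")
        self.generic_visit(node)


def scan_python_source(source: str) -> list:
    """Return human-readable findings for one Python file (setup.py or a module)."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample: an ordinary setup.py.
BENIGN_SETUP = '''from setuptools import setup, find_packages

setup(name="harmless-package", version="1.0", packages=find_packages())
'''

# Constructed sample in the shape of a dropper: a custom install command that
# decodes a string and hands it to a child interpreter. The payload here is a
# placeholder (base64 of a print statement), not the real malware.
SUSPECT_SETUP = '''from setuptools import setup
from setuptools.command.install import install
import base64
import subprocess


class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.Popen(["python", "-c", base64.b64decode("cHJpbnQoJ2hpJyk=").decode()])


setup(name="not-a-real-package", version="0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspect", SUSPECT_SETUP)):
        print(label, scan_python_source(src) or "no findings")
```

    Treat the output as review prompts rather than verdicts: projects that build native extensions legitimately override `cmdclass`. To inspect a package without triggering its hooks, download the sdist URL listed by the PyPI JSON API directly rather than using `pip download`, which builds metadata and can therefore run `setup.py`.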

     

    "It seems this attack is ongoing, and whenever the security team at Python deletes his packages, he quickly improvises and creates a new identity or simply uses a different name," reads the Checkmarx report.

    "These attacks demonstrate again that cyber attackers have started to focus their attention on the open-source package ecosystem. We believe this trend will only accelerate in 2023."

    At the time of writing this, the GitHub repository used by the attacker is still up, but the "TikTok unfilter" packages have been replaced by "Nitro generator" files.

    The Discord server "Unfilter Space" was taken offline, with the threat actors claiming to have moved to another server.
