Cybersecurity analysts at Checkmarx affirmed that a popular TikTok challenge is being used by hackers to trick people into downloading malicious software that steals private information from them.
Currently, the #invisiblefilter tag of this challenge has accumulated over 25 million views and is one of TikTok’s most popular challenges.
Malicious Invisible Challenge in TikTok
Hackers are running this malicious campaign by taking advantage of the Invisible Challenge trend on TikTok. During this challenge, participants are challenged to pose naked by using a special effect that simulates the idea of an invisible body.Â
In this effect, a person’s image appears blurred and contoured with a blurring effect. It seems that people have been posting videos of themselves apparently naked but with the filter obscuring the camera lens.
Threat actors have taken advantage of this vulnerability by creating TikTok videos that offer a specially formulated “unfiltering” filter that allegedly removes the body masking effect used by others.
In short, they claim that this new filter will expose the nude bodies of the TikTokers using this trend. But, in reality, this “unfiltering” filter software is a fake tool that installs the following malware on the target system:-
- WASP Stealer (Discord Token Grabber)
This malware is capable of stealing the following users’ data:-
- Discord accounts
- Passwords
- Saved credit cards on browsers
- Cryptocurrency wallets
- Other essential files
Hackers Abusing TikTok Trends
Within a short period of time after these videos were posted, over a million people viewed them. Over 31,000 members are registered on one of the threat actor’s Discord servers.
It was found that the attackers posted two TikTok videos that quickly gathered over a million views between them, each time. It has been detected that [@learncyber] and [@kodibtc] are two users who created promotional videos to promote the malicious software:-
Space Unfilter
The victims receive a link from a bot dubbed “Nadeko” in Discord as soon as they join the server. The link points the user to a GitHub repository that contains malware.
It seems that the malicious GitHub project that has been used in this attack has achieved the status of a “trending GitHub project” because of the success of the attack.
There are currently 103 stars and 18 forks on the project even though it has been renamed since then.
Technical Analysis
The project files contained a Windows batch file (.bat) that, when executed, installs:-
- A malicious Python package (WASP downloader)
- A ReadMe file
The ReadMe file contains a link to a YouTube video that offers step-by-step guidance for the victims to install the malicious TikTok “unfilter” software.
There were several Python packages that were used by the hackers in this campaign and all of them are hosted on PyPI . While here below we have mentioned some of the Python packages used by the hackers:-
- tiktok-filter-api
- pyshftuler
- pyiopcs
- pydesings
As far as the attackers are concerned, the malicious package was used to falsify the GitHub repository associated with its malicious application as follows:
- https[:]//github.com/psf/requests
This is however a Python package that belongs to the “requests” module. This is done for the sole purpose of making the package appear popular and legitimate in the eyes of general users.
There is a copy of the original code included in the malicious package. However, there is also a modification that makes it possible for attackers to use the host’s network connections in order to install malware.
There is a high likelihood that this malware will be installed by a large number of users that join the Discord server, and this scenario is highly concerning.
Threat actors have reportedly moved to another server after taking the Discord server “Unfilter Space” offline. Cyber attackers have once again found ways to attack open-source packages, again demonstrating that they are focusing their attention on these ecosystems.
