Monday, December 4, 2023

TikTok’s ‘Invisible Challenge’ Abused by Hackers To Install Dangerous Malware

Cybersecurity analysts at Checkmarx affirmed that a popular TikTok challenge is being used by hackers to trick people into downloading malicious software that steals private information from them.

Currently, the #invisiblefilter tag of this challenge has accumulated over 25 million views and is one of TikTok’s most popular challenges.

Malicious Invisible Challenge in TikTok

Hackers are running this malicious campaign by taking advantage of the Invisible Challenge trend on TikTok. During this challenge, participants are challenged to pose naked by using a special effect that simulates the idea of an invisible body. 

In this effect, a person’s image appears blurred and contoured with a blurring effect. It seems that people have been posting videos of themselves apparently naked but with the filter obscuring the camera lens.

Threat actors have taken advantage of this vulnerability by creating TikTok videos that offer a specially formulated “unfiltering” filter that allegedly removes the body masking effect used by others.

In short, they claim that this new filter will expose the nude bodies of the TikTokers using this trend. But, in reality, this “unfiltering” filter software is a fake tool that installs the following malware on the target system:-

  • WASP Stealer (Discord Token Grabber)

This malware is capable of stealing the following users’ data:-

  • Discord accounts
  • Passwords
  • Saved credit cards on browsers
  • Cryptocurrency wallets
  • Other essential files

Hackers Abusing TikTok Trends

Within a short period of time after these videos were posted, over a million people viewed them. Over 31,000 members are registered on one of the threat actor’s Discord servers.

It was found that the attackers posted two TikTok videos that quickly gathered over a million views between them, each time. It has been detected that [@learncyber] and [@kodibtc] are two users who created promotional videos to promote the malicious software:-

Space Unfilter

The victims receive a link from a bot dubbed “Nadeko” in Discord as soon as they join the server. The link points the user to a GitHub repository that contains malware.

It seems that the malicious GitHub project that has been used in this attack has achieved the status of a “trending GitHub project” because of the success of the attack.

There are currently 103 stars and 18 forks on the project even though it has been renamed since then. 

Technical Analysis

The project files contained a Windows batch file (.bat) that, when executed, installs:- 

  • A malicious Python package (WASP downloader)
  • A ReadMe file 

The ReadMe file contains a link to a YouTube video that offers step-by-step guidance for the victims to install the malicious TikTok “unfilter” software.

There were several Python packages that were used by the hackers in this campaign and all of them are hosted on PyPI . While here below we have mentioned some of the Python packages used by the hackers:-

  • tiktok-filter-api
  • pyshftuler
  • pyiopcs
  • pydesings

As far as the attackers are concerned, the malicious package was used to falsify the GitHub repository associated with its malicious application as follows: 

  • https[:]//

This is however a Python package that belongs to the “requests” module. This is done for the sole purpose of making the package appear popular and legitimate in the eyes of general users.

There is a copy of the original code included in the malicious package. However, there is also a modification that makes it possible for attackers to use the host’s network connections in order to install malware.

There is a high likelihood that this malware will be installed by a large number of users that join the Discord server, and this scenario is highly concerning.

Threat actors have reportedly moved to another server after taking the Discord server “Unfilter Space” offline. Cyber attackers have once again found ways to attack open-source packages, again demonstrating that they are focusing their attention on these ecosystems.


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles