Categories: Cyber Security News

TikTok’s ‘Invisible Challenge’ Abused by Hackers To Install Dangerous Malware

Cybersecurity analysts at Checkmarx affirmed that a popular TikTok challenge is being used by hackers to trick people into downloading malicious software that steals private information from them.

Currently, the #invisiblefilter tag of this challenge has accumulated over 25 million views and is one of TikTok’s most popular challenges.

Malicious Invisible Challenge in TikTok

Hackers are running this malicious campaign by taking advantage of the Invisible Challenge trend on TikTok. During this challenge, participants are challenged to pose naked by using a special effect that simulates the idea of an invisible body. 

In this effect, a person’s image appears blurred and contoured with a blurring effect. It seems that people have been posting videos of themselves apparently naked but with the filter obscuring the camera lens.

Threat actors have taken advantage of this vulnerability by creating TikTok videos that offer a specially formulated “unfiltering” filter that allegedly removes the body masking effect used by others.

In short, they claim that this new filter will expose the nude bodies of the TikTokers using this trend. But, in reality, this “unfiltering” filter software is a fake tool that installs the following malware on the target system:-

  • WASP Stealer (Discord Token Grabber)

This malware is capable of stealing the following users’ data:-

  • Discord accounts
  • Passwords
  • Saved credit cards on browsers
  • Cryptocurrency wallets
  • Other essential files

Hackers Abusing TikTok Trends

Within a short period of time after these videos were posted, over a million people viewed them. Over 31,000 members are registered on one of the threat actor’s Discord servers.

It was found that the attackers posted two TikTok videos that quickly gathered over a million views between them, each time. It has been detected that [@learncyber] and [@kodibtc] are two users who created promotional videos to promote the malicious software:-

Space Unfilter

The victims receive a link from a bot dubbed “Nadeko” in Discord as soon as they join the server. The link points the user to a GitHub repository that contains malware.

It seems that the malicious GitHub project that has been used in this attack has achieved the status of a “trending GitHub project” because of the success of the attack.

There are currently 103 stars and 18 forks on the project even though it has been renamed since then. 

Technical Analysis

The project files contained a Windows batch file (.bat) that, when executed, installs:- 

  • A malicious Python package (WASP downloader)
  • A ReadMe file

The ReadMe file contains a link to a YouTube video that offers step-by-step guidance for the victims to install the malicious TikTok “unfilter” software.

There were several Python packages that were used by the hackers in this campaign and all of them are hosted on PyPI . While here below we have mentioned some of the Python packages used by the hackers:-

  • tiktok-filter-api
  • pyshftuler
  • pyiopcs
  • pydesings

As far as the attackers are concerned, the malicious package was used to falsify the GitHub repository associated with its malicious application as follows: 

  • https[:]//github.com/psf/requests

This is however a Python package that belongs to the “requests” module. This is done for the sole purpose of making the package appear popular and legitimate in the eyes of general users.

There is a copy of the original code included in the malicious package. However, there is also a modification that makes it possible for attackers to use the host’s network connections in order to install malware.

There is a high likelihood that this malware will be installed by a large number of users that join the Discord server, and this scenario is highly concerning.

Threat actors have reportedly moved to another server after taking the Discord server “Unfilter Space” offline. Cyber attackers have once again found ways to attack open-source packages, again demonstrating that they are focusing their attention on these ecosystems.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

6 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

6 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago