Attackers abused the popular TikTok Invisible Challenge to spread info-stealer

Threat actors are exploiting interest in a popular TikTok challenge, dubbed Invisible Challenge, to trick users into downloading info-stealing malware.

Threat actors are exploiting the popularity of a TikTok challenge, called Invisible Challenge, to trick users into downloading information-stealing malware, Checkmarx researchers warn.

People participating in the Invisible Challenge have to apply a filter called Invisible Body that removes the character’s body from a video, in which they pose naked, making a blurred contour image of it.

The experts spotted threat actors sharing TikTok videos with links to a fake software called “unfilter” that claims to remove TikTok filters on videos revealing the naked body of the actor.

TikTok videos posted by the threat actors behind this campaign have already reached over a million views in just a couple of days. The TikTok videos were posted by the TikTok users @learncyber and @kodibtc on November 11, 2022.

“Instructions to get the “unfilter” software deploy WASP stealer malware hiding inside malicious Python packages. TikTok videos posted by the attacker reached over a million views in just a couple of days.” reads the report published by CheckMarx.

“GitHub repo hosting the attacker’s code listed GitHub’s daily trending projects. Over 30,000 members have joined the Discord server created by the attackers so far and this number continues to increase as this attack is ongoing.”

In Mid November, Checkmarx uncovered an ongoing supply chain attack conducted by a threat actor they tracked as WASP that is targeting Python developers.

The W4SP Stealer was spotted by Checkmarx in Mid November when it was employed as part of an ongoing supply chain attack conducted by a threat actor targeting Python developers.

The malicious code is able to steal the victim’s Discord accounts, passwords, crypto wallets, credit cards, and other sensitive data on the victim’s PC. Stolen data have been sent them back to the attacker through a hard-coded Discord webhook address.

The threat actor is offering the WASP stealer for $20 claiming it is undetectable and is heavily “protected by some awesome obfuscation.” The supply chain attacks seem to be financially motivated.

The video includes an invite link to a Discord server (“Unfilter Space”) under the control of the attackers, the experts reported that 32,000 members have joined the Discord server before it was deleted.

Once joined to the server, the victims received a link to a GitHub repository hosting the info-stealing malware.The README file of the project also contains a link to a now-removed YouTube tutorial instructing users on how to run the installation script.

After the Discord server “Unfilter Space” was deleted the attacker changed his GitHub repository name to 42World69/Nitro-generator and deleted old files on his repo and uploaded files to fit Nitro-generator.

The campaign is linked to other malicious Python packages, the info-stealing malware has been embedded in various Python packages such as “tiktok-filter-api,” “pyshftuler,” “pyiopcs,” and “pydesings.”

“The high number of users tempted to join this Discord server and potentially install this malware is concerning.” concludes the report. “The level of manipulation used by software supply chain attackers is increasing as attackers become increasingly clever. It seems this attack is ongoing, and whenever the security team at Python deletes his packages, he quickly improvises and creates a new identity or simply uses a different name.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, TikTok)

[adrotate banner=”5″]

[adrotate banner=”13″]