According to Checkmarx research, threat actors are using a popular TikTok challenge as a way to trick users into downloading information-stealing software.
The trend, known as the Invisible Challenge, uses a filter called Invisible Body that leaves only a silhouette of the person.
Because people in such videos may be undressed, attackers exploited the interest with a scheme in which they post TikTok clips linking to rogue software called “unfilter”, which claims to remove the applied filter.
“Instructions to get the ‘unfilter’ software deploy WASP stealer malware hiding inside malicious Python packages,” Checkmarx researcher Guy Nachshon said in a Monday analysis.
WASP Stealer (also known as W4SP Stealer) is malware designed to steal passwords, Discord accounts, and cryptocurrency wallets.
The videos, posted by the attackers' TikTok accounts @learncyber and @kodibtc on November 11, 2022, were viewed over one million times. Both accounts have since been removed.
The videos also carried an invitation link to a Discord server run by the adversary, which had almost 32,000 members before it was reported and deleted. Once on the server, victims received a link to a GitHub repository hosting the malware.
The attacker later renamed the repository to “Nitro generator”, but not before it reached GitHub’s Trending repository list for November 27, 2022; he also urged Discord members to star the project.
The threat actor also uploaded new files to the project, describing the updated Python source code as “Its open-source, its not an **VIRUS **.” The GitHub account has since been removed.
The stealer code was embedded in several Python packages, among them “tiktok filter-api,” “pyshftuler,” and “pydesings,” and each time a package was removed the operators published a replacement on the Python Package Index (PyPI) under a different name.
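Since the malicious packages run their payload when pip installs them, a practitioner wants a way to look at a package before installing it. The following is an added example, not tooling from Checkmarx or code from the packages named above: it parses a source distribution's setup.py with Python's `ast` module, without executing it, and flags constructs typical of install-time droppers. The heuristic pattern lists, the package names and both sample setup.py files are constructed for illustration and are assumptions, not signatures taken from the actual W4SP packages.

```python
"""Heuristic, non-executing scan of setup.py files inside a Python sdist.

Added example (not from the Checkmarx report). The pattern lists below are
assumptions about what commonly appears in malicious install scripts; they
are not a signature for W4SP and will produce false positives on some
legitimate packages, so a hit means "read this file", not "malware".
"""
import ast
import io
import tarfile
from dataclasses import dataclass

# Heuristic lists (assumption): things that rarely belong in a setup.py.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__", "b64decode",
                    "Popen", "urlopen", "system"}
SUSPICIOUS_MODULES = {"base64", "subprocess", "urllib", "requests", "socket",
                      "ctypes", "marshal", "zlib"}
HOOKED_COMMANDS = {"install", "develop", "egg_info", "build_py"}
LONG_STRING = 200  # literals longer than this are often encoded payloads


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


class SetupVisitor(ast.NodeVisitor):
    """Walk the AST of a setup.py and record suspicious constructs."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                self.findings.append(Finding(node.lineno, f"import of {alias.name}"))
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if (node.module or "").split(".")[0] in SUSPICIOUS_MODULES:
            self.findings.append(Finding(node.lineno, f"import from {node.module}"))
        self.generic_visit(node)

    def visit_ClassDef(self, node: ast.ClassDef) -> None:
        # A subclass of a setuptools command (cmdclass hook) runs code at `pip install`.
        for base in node.bases:
            name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", None)
            if name in HOOKED_COMMANDS:
                self.findings.append(Finding(node.lineno, f"custom {name} command hook"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name in SUSPICIOUS_CALLS:
            self.findings.append(Finding(node.lineno, f"call to {name}()"))
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        if isinstance(node.value, (str, bytes)) and len(node.value) > LONG_STRING:
            self.findings.append(Finding(node.lineno, f"{len(node.value)}-char literal"))


def scan_setup_py(source: str) -> list[Finding]:
    """Parse (never exec) a setup.py and return its findings in source order."""
    visitor = SetupVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def scan_sdist(sdist: bytes) -> dict[str, list[Finding]]:
    """Scan every setup.py inside an sdist tarball given as bytes."""
    results: dict[str, list[Finding]] = {}
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("setup.py"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                results[member.name] = scan_setup_py(text)
    return results


# Constructed sample setup.py files (hypothetical package names, not real ones).
CLEAN_SETUP = '''from setuptools import setup

setup(name="example-clean", version="1.0", py_modules=["example"])
'''

DROPPER_SETUP = '''from setuptools import setup
from setuptools.command.install import install
import base64


class PostInstall(install):
    def run(self):
        install.run(self)
        # stand-in for a second-stage loader; the literal decodes to print('hello')
        exec(base64.b64decode("cHJpbnQoJ2hlbGxvJyk="))


setup(name="example-dropper", version="1.0", cmdclass={"install": PostInstall})
'''


def build_sample_sdist() -> bytes:
    """Build an in-memory tarball holding both constructed samples (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in (("example-clean-1.0/setup.py", CLEAN_SETUP),
                           ("example-dropper-1.0/setup.py", DROPPER_SETUP)):
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for path, findings in scan_sdist(build_sample_sdist()).items():
        print(f"{path}: {'SUSPICIOUS' if findings else 'clean'}")
        for finding in findings:
            print(f"  line {finding.line}: {finding.reason}")
```

To use it on a real package, fetch the archive without installing it (`pip download --no-deps --no-binary :all: <name>`) and pass the file's bytes to `scan_sdist`. Where a wheel is available, `pip install --only-binary :all:` skips setup.py execution entirely, which removes this attack surface for that install.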
The social engineering behind this campaign shows how much more elaborate software supply chain attacks are becoming, and it demonstrates once again that attackers now treat the open-source package ecosystem as a deliberate target.