Hackers are capitalizing on a trending TikTok challenge named ‘Invisible Challenge’ to install malware on thousands of devices and steal their passwords, Discord accounts, and, potentially, cryptocurrency wallets.
A new and trending TikTok challenge requires you to film yourself naked while using TikTok’s “Invisible Body” filter, which removes the body from the video and replaces it with a blurry background.
This challenge has led to people posting videos of themselves allegedly naked but obscured by the filter.
To capitalize on this, threat actors are creating TikTok videos that claim to offer a special “unfiltering” filter to remove TikTok’s body masking effect and expose the TikTokers’ nude bodies.
However, this software is fake and installs the “WASP Stealer (Discord Token Grabber)” malware, capable of stealing Discord accounts, passwords and credit cards stored in browsers, cryptocurrency wallets, and even files from a victim’s computer.
These videos received over a million views shortly after being posted, with one of the threat actor’s Discord servers amassing over 30,000 members.
Targeting TikTok trends
In a new report by cybersecurity firm Checkmarx, researchers found two TikTok videos posted by the attackers that quickly amassed over a million views combined.
The now-suspended TikTok users @learncyber and @kodibtc created the videos to promote a software app to “remove filter invisible body” offered on a Discord server named “Space Unfilter.”
The threat actors have since moved this Discord server, but Checkmarx states that it had approximately 32,000 members at one point.
TikTok videos posted by the attackers (Checkmarx)
Once the victims join the Discord server, they see a link posted by a bot pointing to a GitHub repository that hosts the malware.
Discord server used in the attacks (Checkmarx)
This attack has been so successful that the malicious repository has achieved a “trending GitHub project” status, and while it has since been renamed, it currently has 103 stars and 18 forks.
GitHub repository hosting the malware downloader (Checkmarx)
The project files contained a Windows batch file (.bat) that, when executed, installs a malicious Python package (the WASP downloader), along with a ReadMe file that links to a YouTube video containing instructions on installing the TikTok “unfilter” tool.
Checkmarx analysts discovered that the attackers used multiple Python packages hosted on PyPI, including “tiktok-filter-api”, “pyshftuler”, “pyiopcs,” and “pydesings,” with new ones added every time the old packages are reported and removed.
Also, the attackers use the “StarJacking” technique on PyPI, linking their project to a popular GitHub project they have no association with to make it appear legitimate.
Malicious package on PyPI (Checkmarx)
The malicious package copies the original code but contains a modification for installing WASP malware on the host.
Malicious modification in the code (Checkmarx)
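A defender-side check for the StarJacking signal described above, added here as an illustration (not code from Checkmarx or from this article): it compares the distribution name in PyPI-style metadata with the name that the linked GitHub repository actually builds. The package names, repository slug and manifest text are constructed sample data; the assumption is that in practice the metadata comes from PyPI's JSON API and the manifest from the linked repository.

```python
import re
from urllib.parse import urlparse

def normalize(name):
    """PEP 503 normalisation, so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def claimed_github_repos(info):
    """Return the 'owner/repo' slugs that a package's metadata links to."""
    urls = [info.get("home_page") or ""]
    urls += list((info.get("project_urls") or {}).values())
    slugs = set()
    for url in urls:
        parsed = urlparse(url)
        parts = [p for p in parsed.path.split("/") if p]
        if parsed.hostname in ("github.com", "www.github.com") and len(parts) >= 2:
            repo = re.sub(r"\.git$", "", parts[1])
            slugs.add(f"{parts[0]}/{repo}".lower())
    return slugs

def declared_name(manifest_text):
    """Heuristic: first 'name = ...' line in setup.py, setup.cfg or pyproject.toml."""
    m = re.search(r"^\s*name\s*=\s*[\"']?([A-Za-z0-9._-]+)", manifest_text, re.M)
    return m.group(1) if m else None

def starjacking_findings(info, repo_manifests):
    """repo_manifests maps 'owner/repo' to packaging-file text fetched from that repo."""
    findings = []
    for slug in sorted(claimed_github_repos(info)):
        manifest = repo_manifests.get(slug)
        repo_name = declared_name(manifest) if manifest else None
        if repo_name is None:
            findings.append((slug, "unverified"))
        elif normalize(repo_name) != normalize(info["name"]):
            findings.append((slug, f"mismatch: repo builds '{repo_name}'"))
    return findings

# Constructed sample data (not real packages or repositories).
REPOS = {"example-org/popular-lib": '[project]\nname = "popular_lib"\nversion = "2.1.0"\n'}
SUSPECT = {"name": "demo-filter-api", "home_page": "",
           "project_urls": {"Source": "https://github.com/example-org/popular-lib"}}
GENUINE = {"name": "popular-lib", "home_page": "https://github.com/example-org/popular-lib.git",
           "project_urls": None}

if __name__ == "__main__":
    for pkg in (SUSPECT, GENUINE):
        print(pkg["name"], starjacking_findings(pkg, REPOS) or "linked repo matches")
```

A mismatch is a prompt for manual review rather than proof, since monorepos and renamed distributions can also produce one.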
“It seems this attack is ongoing, and whenever the security team at Python deletes his packages, he quickly improvises and creates a new identity or simply uses a different name,” reads the Checkmarx report.
“These attacks demonstrate again that cyber attackers have started to focus their attention on the open-source package ecosystem; we believe this trend will only accelerate in 2023.”
At the time of writing this, the GitHub repository used by the attacker is still up, but the “TikTok unfilter” packages have been replaced by “Nitro generator” files.
The Discord server “Unfilter Space” was taken offline, with the threat actors claiming to have moved to another server.
Source: BleepingComputer, Bill Toulas