Hackers Using Trending ‘Invisible Challenge’ TikTok Challenge to Spread Malware
Description

[![TikTok Challenge](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgmYvJ-0YqFhJc1NnMdGBr2ExEPECjYV6qTA9YBIXyAVs067f89dXeYtALNYL03RsBeGiv7Hzg2Ac5x-zRFKtYq71itvJ1tfYApYBOSO-GxYkzE-c5s1M4KFgiZqmlqk40CD5cy80Hga_XZoHvj0Y9J2WepLIyA5vsfVrs1aWZpN6BEwx4oX3pUrEup/s728-e1000/tikto.png)]()

Threat actors are capitalizing on a popular TikTok challenge to trick users into downloading information-stealing malware, according to new research from Checkmarx.

The trend, called Invisible Challenge, involves applying a filter called Invisible Body that just leaves behind a silhouette of the person’s body.

But the fact that individuals filming such videos could be undressed has led to a nefarious scheme wherein the attackers post TikTok videos with links to rogue software dubbed “unfilter” that purports to remove the applied filters.

“Instructions to get the ‘unfilter’ software deploy WASP stealer malware hiding inside malicious Python packages,” Checkmarx researcher Guy Nachshon said in a Monday analysis.

The WASP stealer (aka W4SP Stealer) is malware designed to steal users’ passwords, Discord accounts, cryptocurrency wallets, and other sensitive information.

The TikTok videos posted by the attackers, @learncyber and @kodibtc, on November 11, 2022, are estimated to have reached over a million views. The accounts have been suspended.

[![Python Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhqaNkeTOBXFCREFIhAz4YdhUcDILVeJ0uftypFBMyuveJiiLBGguIUJW9mtgXSOFVo0Re0awjarVFYXtmhcP3a342IMCzokSvqek4RhxkLDj3p8aVi0y_iDkJVQBmQOOdq9Vf6gx31OKNZ8X1x7zKb4N4x0-O-5zOfzf9FTqUtoV-UMAHj7KYP5dQK/s728-e1000/tiktok-1.png)]()

[![Python Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhdgkHb46AuLkCAns4e6pbiNt6WuYqHPqHz6-wqIYgYN_z5CylBc3Nc1QExQGZz7RsifbIRWuZDtvbJuhk-uAzsH17COrC4HKAtfOto4026rr_E-y_03di9dxaU6ZP_9fsdjULIdzII3eLKdoRAlaM3Dd7LdFgiperbG4a-XbZMwsWjNi2d3tFZ-xKk/s728-e1000/tiktok-2.png)]()

Also included in the video is an invite link to a Discord server managed by the adversary, which had nearly 32,000 members before it was reported and deleted. Victims joining the Discord server subsequently receive a link to a GitHub repository that hosts the malware.

The attacker has since renamed the project to “Nitro-generator,” but not before urging the new members on Discord to star the project, which landed it on GitHub’s Trending repositories list for November 27, 2022.

Besides changing the repository name, the threat actor deleted old files in the project and uploaded fresh ones, one of which even describes the Python code as “Its (sic) open source, its not a **VIRUS**.”

The stealer code is said to have been embedded in various Python packages such as “tiktok-filter-api,” “pyshftuler,” “pyiopcs,” and “pydesings,” with the operators swiftly publishing new replacements to the Python Package Index (PyPI) under different names upon getting removed.
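A defender's check for the packages named above, as an added example that is not from Checkmarx or the original article: it scans a requirements file for those four names after PEP 503 name normalization, so spelling variants of the same project still match. The sample file and all function names are constructed for illustration, and because the operators republished under new names, the list covers only what was reported.

```python
import re

# Package names reported in the article, already in PEP 503-normalized form.
REPORTED = {"tiktok-filter-api", "pyshftuler", "pyiopcs", "pydesings"}

# Constructed sample requirements file, for illustration only.
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests==2.31.0
TikTok_Filter.API>=0.1   # spelling variant of a reported name
pyiopcs[extra]==1.0 ; python_version >= "3.8"
-r other.txt
numpy
PyDesings
"""

_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503: runs of '-', '_' and '.' collapse to a single '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line):
    """Return the project name from one requirements line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment, or pip option (-r, -e)
        return None
    match = _NAME.match(line)
    return match.group(1) if match else None


def audit(text, reported=REPORTED):
    """Return (line_number, name_as_written) for lines naming a reported package."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        name = requirement_name(line)
        if name and normalize(name) in reported:
            hits.append((number, name))
    return hits


if __name__ == "__main__":
    for number, name in audit(SAMPLE_REQUIREMENTS):
        print(f"line {number}: {name} matches a package named in the report")
```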

“The level of manipulation used by software supply chain attackers is increasing as attackers become increasingly clever,” Nachshon noted. “These attacks demonstrate again that cyber attackers have started to focus their attention on the open source package ecosystem.”
