According to new data from Checkmarx, threat actors are taking advantage of a well-known TikTok challenge to lure users into installing information-stealing malware. The Invisible Challenge uses a filter called Invisible Body that leaves behind only a silhouette of the user’s body.
However, the possibility that people recording these videos may be nude has given rise to a sinister strategy: the attackers publish TikTok videos with links to malicious software called “unfilter” that claims to remove the applied filter. “Instructions to get the ‘unfilter’ software deploy WASP stealer malware hiding inside malicious Python packages,” Checkmarx researcher Guy Nachshon said.
WASP Stealer (also known as W4SP Stealer) is malware designed to steal users’ passwords, Discord accounts, cryptocurrency wallets, and other private data. On November 11, 2022, the attackers @learncyber and @kodibtc posted videos on TikTok that are thought to have received over a million views. These accounts have since been suspended.
The videos also include an invite link to a Discord server run by the adversary, which had nearly 32,000 members before it was detected and deactivated. Victims who join the Discord server are then sent a link to a GitHub repository that houses the malware. After encouraging the new Discord members to star the project, the attacker renamed it “Nitro-generator,” but not before it appeared on GitHub’s list of Trending repositories for November 27, 2022.
In addition to renaming the repository, the threat actor deleted outdated files from the project and uploaded new ones. One of the new files even described the revised Python code as “open source, not a **VIRUS**.” The GitHub account has since been removed. The stealer code is said to have been embedded in a number of Python packages, including tiktok-filter-api, pyshftuler, pyiopcs, and pydesings, and after those were taken down the operators are said to have quickly published new substitutes to the Python Package Index (PyPI) under different names.
“The level of manipulation used by software supply chain attackers is increasing as attackers become increasingly clever,” Nachshon said. “These attacks demonstrate again that cyber attackers have started to focus their attention on the open source package ecosystem.”