Hackers are leveraging a trending TikTok challenge dubbed the “Invisible Challenge” to install malware on thousands of devices and steal their passwords, Discord accounts and, potentially, their cryptocurrency wallets.

A trending new TikTok challenge requires you to film yourself naked while using TikTok’s “Invisible Body” filter, which removes the body from the video and replaces it with a blurred background.

This challenge has led to people posting videos of themselves allegedly naked but masked by the filter.

To take advantage of this, threat actors create TikTok videos that claim to offer a special “unfiltered” filter to remove TikTok’s body masking effect and expose TikTokers’ naked bodies.

However, this software is bogus and instead installs the “WASP Stealer (Discord Token Grabber)” malware, which is capable of stealing Discord accounts, passwords and credit cards stored in browsers, cryptocurrency wallets and even files on a victim’s computer.

These videos received over a million views shortly after posting, with one of the threat actor’s Discord servers amassing over 30,000 members.

Targeting TikTok trends

In a new report from cybersecurity firm Checkmarx, researchers found two TikTok videos posted by the attackers that quickly racked up more than a million combined views.

Now-suspended TikTok users @learncyber and @kodibtc created the videos to promote a software application to “remove invisible body from filter” offered on a Discord server named “Space Unfilter”.

Threat actors have since moved that Discord server, but Checkmarx says they had around 32,000 members at one point.

TikTok videos posted by the attackers (Checkmarx)

Once victims join the Discord server, they see a link posted by a bot pointing to a GitHub repository that hosts the malware.

Discord server used in attacks (Checkmarx)

This attack was so successful that the malicious repository achieved “trending GitHub project” status, and although it has since been renamed, it currently has 103 stars and 18 forks.

GitHub repository hosting the malware downloader (Checkmarx)

The project files contained a Windows batch file (.bat) which, when executed, installs a malicious Python package (the WASP downloader), and a Readme file linking to a YouTube video with instructions on installing the TikTok “unfilter” tool.

Checkmarx analysts found attackers were using multiple Python packages hosted on PyPI, including “tiktok-filter-api”, “pyshftuler”, “pyiopcs” and “pydesings”, with new ones added whenever older packages are reported and deleted.

Additionally, the attackers use the “StarJacking” technique on PyPI, linking their project to a popular GitHub project they have no association with to make it appear legit.

Malicious package on PyPI (Checkmarx)
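StarJacking works because PyPI renders the star and fork counts of whatever GitHub URL a package declares, without checking that the repository actually builds that package. The script below is an added illustration of how a defender can check for the mismatch; it is not code from Checkmarx’s report or from the attackers. The package name, GitHub organisation and repository metadata are constructed stand-ins for what the PyPI JSON API (`https://pypi.org/pypi/<name>/json`) and the linked repository’s `pyproject.toml` would return.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of the "info" object from https://pypi.org/pypi/<name>/json.
# The package name and the GitHub link are hypothetical: the point is that the
# linked repository belongs to someone else's project.
SAMPLE_PYPI_INFO = {
    "name": "pyshftuler-example",  # hypothetical name, not a real package
    "home_page": "https://github.com/someorg/popular-project",
    "project_urls": {
        "Homepage": "https://github.com/someorg/popular-project",
        "Bug Tracker": "https://github.com/someorg/popular-project/issues",
    },
}

# Constructed stand-in for the packaging metadata fetched from that repository
# (pyproject.toml or setup.py). A real check would fetch the raw file from GitHub.
SAMPLE_REPO_METADATA = '''
[project]
name = "popular-project"
version = "2.1.0"
'''

GITHUB_RE = re.compile(r"https?://github\.com/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def linked_github_repos(info: Dict) -> List[str]:
    """Collect every distinct owner/repo slug the PyPI metadata points at."""
    urls = [info.get("home_page") or ""] + list((info.get("project_urls") or {}).values())
    repos: List[str] = []
    for url in urls:
        m = GITHUB_RE.search(url or "")
        if not m:
            continue
        repo = m.group(2)
        if repo.endswith(".git"):
            repo = repo[:-4]
        slug = f"{m.group(1)}/{repo}"
        if slug not in repos:
            repos.append(slug)
    return repos


def declared_package_name(metadata_text: str) -> Optional[str]:
    """Pull the distribution name out of pyproject.toml or setup.py text."""
    m = re.search(r'^\s*name\s*=\s*["\']([^"\']+)["\']', metadata_text, re.MULTILINE)
    return m.group(1) if m else None


def starjacking_findings(info: Dict, repo_metadata: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the links are consistent.

    repo_metadata maps 'owner/repo' -> packaging file contents fetched from that repo.
    """
    findings: List[str] = []
    pypi_name = normalize(info["name"])
    repos = linked_github_repos(info)
    if not repos:
        return ["no GitHub repository linked; stars/forks shown on PyPI are not meaningful"]
    for slug in repos:
        text = repo_metadata.get(slug)
        if text is None:
            findings.append(f"{slug}: repository metadata unavailable, cannot verify")
            continue
        declared = declared_package_name(text)
        if declared is None:
            findings.append(f"{slug}: no package name declared in repo, link unverified")
        elif normalize(declared) != pypi_name:
            findings.append(
                f"{slug}: repo builds '{declared}' but PyPI package is '{info['name']}' "
                f"(possible StarJacking)"
            )
    return findings


if __name__ == "__main__":
    repo_files = {"someorg/popular-project": SAMPLE_REPO_METADATA}
    for line in starjacking_findings(SAMPLE_PYPI_INFO, repo_files) or ["links consistent"]:
        print(line)
```

A name mismatch is one indicator, not proof: a legitimate fork published under a new name trips it too, and an attacker who copies the upstream code wholesale (as the report says happened here) still fails the check, which is the point. Treat a hit as a reason to look at the package’s `setup.py` and install-time behaviour before trusting the star count.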

The malicious package copies the original code but contains a modification for installing the WASP malware on the host.

Malicious change in code (Checkmarx)
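A package that copies an upstream project wholesale and adds one malicious change is hard to spot by reading the code, but the change usually has to run at install or import time, and that leaves a recognisable shape. The following Python script is an added example of a static triage pass over a `setup.py`; it is not Checkmarx’s tooling and the two sample files are constructed, not the actual WASP modification. It parses the file with `ast` and flags setuptools command overrides, a `cmdclass` argument to `setup()`, calls that execute or download code, and base64-looking string literals.

```python
import ast
import re
from typing import Dict, List

# Constructed, benign setup.py: what an upstream project typically looks like.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="popular-project", version="2.1.0", packages=find_packages())
'''

# Constructed, suspicious setup.py: identical metadata plus an install-time hook
# that decodes and runs a payload. Illustrative shape only, not WASP's real code.
SUSPICIOUS_SETUP = '''
import base64, subprocess
from setuptools import setup, find_packages
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        blob = base64.b64decode("cHJpbnQoJ2hlbGxvJyk=")
        subprocess.Popen(["python", "-c", blob.decode()])

setup(name="popular-project", version="2.1.0", packages=find_packages(),
      cmdclass={"install": PostInstall})
'''

# setuptools command classes whose run() executes during pip install.
SETUPTOOLS_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}
# Fully qualified callees that execute, spawn, or fetch code.
RISKY_CALLS_FULL = {
    "os.system", "os.popen", "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_output", "urllib.request.urlopen", "requests.get", "base64.b64decode",
}
# Bare names that are unambiguous even after "from x import y".
RISKY_CALLS_BARE = {"exec", "eval", "Popen", "urlopen", "b64decode"}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _dotted(node: ast.AST) -> str:
    """Render a callee or base-class expression as a dotted name, e.g. 'subprocess.Popen'."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def scan_setup_py(source: str) -> Dict[str, List[str]]:
    """Static indicators of install-time code execution in a setup.py file."""
    tree = ast.parse(source)
    findings: Dict[str, List[str]] = {
        "hook_classes": [], "cmdclass": [], "risky_calls": [], "base64_like": [],
    }
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            bases = [_dotted(b) for b in node.bases]
            if any(b.split(".")[-1] in SETUPTOOLS_HOOK_BASES for b in bases):
                findings["hook_classes"].append(f"{node.name}({', '.join(bases)})")
        elif isinstance(node, ast.Call):
            callee = _dotted(node.func)
            if callee.split(".")[-1] == "setup":
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        findings["cmdclass"].append(ast.unparse(kw.value))
            elif callee in RISKY_CALLS_FULL or callee.split(".")[-1] in RISKY_CALLS_BARE:
                findings["risky_calls"].append(callee)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if BASE64_RE.match(node.value):
                findings["base64_like"].append(node.value)
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """Any install hook or code-execution primitive is enough to warrant manual review."""
    return bool(findings["hook_classes"] or findings["cmdclass"] or findings["risky_calls"])


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        result = scan_setup_py(src)
        print(label, "->", "REVIEW" if is_suspicious(result) else "clean", result)
```

Run it against the sdist’s `setup.py` (`pip download --no-binary :all: --no-deps <pkg>` and unpack) rather than against the GitHub repository the package links to, since StarJacking means the two need not match. It is a triage heuristic: legitimate packages do ship custom `cmdclass` entries, and a payload hidden in the package’s `__init__.py` instead of `setup.py` fires at import rather than install time, so the same scan should be pointed at every module in the archive.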

“It looks like this attack is in progress, and every time Python’s security team removes its packages, it quickly improvises and either creates a new identity or just uses a different name,” reads the Checkmarx report.

“These attacks demonstrate once again that cyber attackers have begun to focus their attention on the ecosystem of open source packages; we believe this trend will only accelerate in 2023.”

As of this writing, the GitHub repository used by the attacker is still active, but the “TikTok unfilter” packages have been replaced with “Nitro generator” files.

The “Space Unfilter” Discord server has been taken offline, with the threat actors claiming to have moved to another server.
