- Attackers post TikTok videos with links to a fake software called “unfilter” that claims to be able to remove TikTok filters to reveal naked TikTokers.
- Instructions to get the “unfilter” software deploy WASP stealer malware hiding inside malicious Python packages.
- TikTok videos posted by the attacker reached over a million views in a few days and the GitHub repo hosting the attacker’s code is listed on GitHub’s daily trending projects.
Hackers are trying all possible methods to steal internet users’ passwords, accounts, and cryptocurrency wallets. One of the latest tactics is to trick users to reverse a popular TikTok filter. The new popular TikTok challenge, named Invisible Challenge, removes the naked body parts from the video and replaces them with a blurry background. Users participating in the challenge are recording videos naked, and the filter obscures their bodies.
The naked truth
Hackers are posting fake videos on TikTok that claims that there is a solution, which reverses the invisible body filter and exposes the nude videos of TikTok users. As you can guess, it is a malware called WASP Stealer that is capable of stealing Discord accounts, passwords, and credit cards stored on browsers, cryptocurrency wallets, and files.
Hackers are sharing Discord links to spread the malware. One of those Discord servers has more than 32,000 members. When a new user joins these servers, a bot sends a link to the user. The link leads to a GitHub repository, which hosts the malware. With the popularity of the trend, the malicious repository managed to achieve trending GitHub project status. It is now renamed and has 103 stars and 18 forks.
The .bat file installs the WASP downloader when executed. The files also come with a ReadMe file, including a link to a YouTube video that shows the instructions for the fake TikTok unfilter tool. The Discord server has been shut down but hackers are probably already switched to a new server and trying to spread the malware. Checkmarx said,
« The high number of users tempted to join this Discord server and potentially install this malware is concerning. The level of manipulation used by software supply chain attackers is increasing as attackers become increasingly clever. It seems this attack is ongoing, and whenever the security team at Python deletes his packages, he quickly improvises and creates a new identity or simply uses a different name. These attacks demonstrate again that cyber attackers have started to focus their attention on the open-source package ecosystem; We believe this trend will only accelerate in 2023. »