Threat actors are exploiting a new TikTok trend called "Invisible Challenge" to infect the devices of unsuspecting users with malware that can steal their private information.
In the trend, people film themselves naked while using a special video effect called "Invisible Body". This removes the person's body from the video, leaving a blurred contour image. The challenge's hashtag #invisiblefilter has amassed over 25 million views.
According to a report by cybersecurity firm Checkmarx, TikTok users @learncyber and @kodibtc are capitalizing on this trend by posting videos that promote an application that can allegedly remove the TikTok filters and expose people’s naked bodies. Their videos include an invite link to a Discord server that hosted the software.
Once the user clicks the link and joins the Discord server, they are sent to a page that displays videos of naked people that are allegedly the result of using the unfiltering software. They also receive a message from a bot account that asks them to open and bookmark a GitHub repository.
This repository advertises itself as an open-source tool that can remove the invisible body filter on TikTok. It has 103 stars and 17 forks, and has even become a "trending GitHub project." Inside the repository, however, is a malicious Python package that deploys the WASP Stealer malware, which is capable of stealing Discord accounts, cryptocurrency wallets, passwords and credit cards stored in browsers, and even a victim's files.
Checkmarx notes that the attack is ongoing, and if the malicious Python packages are removed, the attacker simply creates a new identity or uses a different name.
As of this writing, the attackers' GitHub repository is still up, but the "TikTok unfilter" packages have been replaced by "Nitro generator" files. The Discord server, on the other hand, has been taken offline, but the threat actor claims to have moved to a new server. The aforementioned TikTok usernames also no longer appear in search results.
"These attacks demonstrate again that cyber attackers have started to focus their attention on the open-source package ecosystem; we believe this trend will only accelerate in 2023," Checkmarx concludes.