Hackers have used an emerging TikTok trend called ‘Invisible Challenge’ to install the WASP malware on thousands of victim devices to steal their saved passwords, Discord accounts and possibly even any crypto if the victim device has a crypto wallet installed.
The challenge revolves around TikTok’s “Invisible Body” filter, which removes the person’s body from the video and replaces it with a blurry background. The attackers claim to offer software that’ll remove this masking effect and expose the allegedly nude people in the video.
TikTok users @learncyber and @kodibtc made videos supporting these claims, which have been viewed more than one million times. They offered this tool on their Discord server, called Space Unfilter, which according to researchers at Checkmarx had about 32,000 members at one point.
Once the victims join the Discord server, a bot named Nadeko sends an automated message pointing to a GitHub repository that hosts the malware. The project files contain a Windows Batch file (.bat) which installs the malicious Python package on execution alongside a read-me file that points to a YouTube video with instructions on installing the unfilter tool.
The attackers used different package names to host these malicious Python packages on PyPI, including “tiktok-filter-api”, “pyshftuler” and “pydesigns”. As old packages get reported and removed, the threat actor either creates a new identity or simply changes the package name. They also use a popular technique called ‘Starjacking’, where the package is linked to a popular GitHub repository so that the repository’s stars lend the package a legitimate appearance.
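The delivery chain described above (a batch file that pip-installs a throwaway PyPI package, and package metadata that points at someone else’s well-known GitHub repository) leaves two things a defender can check before anything is executed. The following added example, which is not code from the article or from Checkmarx, pulls the package names out of a batch installer, compares them against the names the article reports, and flags metadata whose linked GitHub repository name does not match the package name (the Starjacking signal). The batch text and the metadata records are constructed for the example; the GitHub organisation and repository names in them are placeholders, not real projects.

```python
import re
from urllib.parse import urlparse

# Package names the article reports as having hosted the malicious payload.
KNOWN_MALICIOUS = {"tiktok-filter-api", "pyshftuler", "pydesigns"}

# "pip install ..." with any options and one or more requirement specifiers.
PIP_INSTALL = re.compile(r"\bpip3?\s+install\s+(.+)", re.IGNORECASE)
# /owner/repo, optionally with ".git" or a trailing slash.
GITHUB_REPO = re.compile(r"^/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?/?$")


def normalize(name):
    # PEP 503-style comparison key, with separators dropped so that
    # "tiktok-filter-api" and "tiktok_filter_api" compare equal.
    return re.sub(r"[-_.]+", "", name).lower()


def packages_from_batch(bat_text):
    """Return the package names a batch file would pip-install."""
    pkgs = []
    for line in bat_text.splitlines():
        m = PIP_INSTALL.search(line)
        if not m:
            continue
        for tok in m.group(1).split():
            # Skip option flags and URL arguments such as --index-url values.
            if tok.startswith("-") or "://" in tok:
                continue
            # Strip version specifiers and extras: "pydesigns==1.0" -> "pydesigns".
            pkgs.append(re.split(r"[=<>!~\[]", tok, 1)[0])
    return pkgs


def github_repo(url):
    """Return (owner, repo) if url points at a GitHub repository, else None."""
    p = urlparse(url)
    if p.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    m = GITHUB_REPO.match(p.path)
    return (m.group(1), m.group(2)) if m else None


def assess_package(meta):
    """meta: dict with 'name' and optional 'home_page' / 'project_urls'.

    Findings are heuristics for human triage: a package whose linked GitHub
    repository carries a different name is a candidate for Starjacking, but
    some legitimate projects also use differing names.
    """
    findings = []
    name = meta["name"]
    if normalize(name) in {normalize(n) for n in KNOWN_MALICIOUS}:
        findings.append("name-on-blocklist")
    urls = [meta.get("home_page", "")] + list(meta.get("project_urls", []))
    for url in filter(None, urls):
        repo = github_repo(url)
        if repo and normalize(repo[1]) != normalize(name):
            findings.append(f"repo-name-mismatch:{repo[0]}/{repo[1]}")
    return findings


def triage_batch(bat_text):
    """Map each package the batch file installs to its blocklist findings."""
    return {pkg: assess_package({"name": pkg}) for pkg in packages_from_batch(bat_text)}


# Constructed sample installer, modelled on the article's description.
SAMPLE_BAT = """@echo off
rem constructed example, not the real installer
python -m pip install --quiet tiktok-filter-api
pip install pydesigns==1.0 requests
"""

# Constructed metadata records; owner/repo values are placeholders.
STARJACKED = {
    "name": "pyshftuler",
    "home_page": "https://github.com/example-org/well-known-project",
}
BENIGN = {
    "name": "mypkg",
    "project_urls": ["https://github.com/example-org/mypkg.git"],
}

if __name__ == "__main__":
    for pkg, findings in triage_batch(SAMPLE_BAT).items():
        print(pkg, findings or "ok")
    print(STARJACKED["name"], assess_package(STARJACKED))
    print(BENIGN["name"], assess_package(BENIGN) or "ok")
```

Run it against a downloaded installer and the `PKG-INFO` of each package it names; anything flagged with `repo-name-mismatch` deserves a look at the repository to confirm it actually publishes that package, since the stars PyPI displays come from whatever repository the uploader chose to link.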
The attack has been so successful so far that the malicious GitHub repository has also achieved trending status on GitHub. The repository has since been renamed ‘Nitro-generator’ and currently has 104 stars and 18 forks, with the latest release delivered 11 days ago.
The attack is still ongoing, and Checkmarx researchers suggest that the trend of cyber criminals abusing open-source package ecosystems will only grow in 2023. While the malicious repository is still available on GitHub, the Unfilter Space Discord server has been taken down. The threat actor, however, claims to have moved on to another Discord server.