Tech

Hacker Exploits TikTok’s ‘Invisible Body’ Challenge

Published

1 year ago

December 3, 2022

Hacker Exploits TikTok's 'Invisible Body' Challenge

(CTN News) – A trending TikTok challenge, called the ‘Invisible Challenge,’ has been used by hackers to install malware on thousands of devices. This is what allows them to steal passwords, Discord accounts, and, potentially, cryptocurrency wallets from users.

As part of a new and trending TikTok challenge, users are required to film themselves naked in a TikTok video while using the “Invisible Body” filter, which removes the body from the video and replaces it with a blurry background in place of the body.

It has led to people posting videos of themselves in which they appear to be naked, but they are obscured by the filter.

Threat actors are trying to capitalize on this by creating TikTok videos that claim to offer a special “unfiltering” filter that will remove TikTok’s body masking effect, as well as expose the naked bodies of TikTokers.

As a result, this software is fake, and in fact it installs malware called “WASP Stealer (Discord Token Grabber)”, which has the ability to steal Discord accounts, passwords, credit cards, cryptocurrency wallets, and even files on a victim’s computer.

Within a short period of time after these videos were posted, they received over a million views, with one of the threat actors’ Discord servers accumulating over 30,000 members.

The TikTok trend needs to be targeted

Researchers at cybersecurity firm Checkmarx have discovered that the attackers posted two TikTok videos that quickly gathered a total of over a million views combined in a media report.

Currently suspended TikTok users @learncyber and @kodibtc created the videos in an attempt to promote an app that can “remove filter invisible bodies” on a Discord server with the name “Space Unfilter,” which is being offered on the server.

At one point, there were approximately 32,000 members on the Discord server run by the threat actors. Checkmarx notes that the threat actors have since moved to this server.

As soon as the victims join the Discord server, they are greeted by a link posted by a bot pointing to a GitHub repository where the malware is stored.

As a result of this attack, the malicious repository has achieved “trending GitHub project” status, and while it has since been renamed, the malicious repository currently has 103 stars and 18 forks.

A Windows batch file (.bat) contained in the project files was used to install a malicious Python package (WASP downloader) and a ReadMe file that linked to a YouTube video that contained instructions on how to install the TikTok “unfilter” tool after executing the batch file.

As a result of Checkmarx analysts’ analysis, they discovered that the attackers were using multiple Python packages hosted on PyPI, including “tiktok-filter-api”, “pyshftuler”, “pyiopcs,” and “pydesings,” with updated ones being added every time the old packages were reported and removed.

Furthermore, the attackers are using the “Star Jacking” technique on PyPI to make their project appear legitimate, as they link it to a popular GitHub project that they have no affiliation with in order to fool the user into thinking it is legit.

This malicious package is a copy of the original code but contains a modification that can be used to install WASP malware on the host system.

“This attack seems to be ongoing, and when the security team at Python deletes his packages, he quickly improvises and creates a false identity or simply uses a different name to evade detection,” states the Check marx report about the vulnerability.

As a consequence, these attacks highlight the fact that cyber attackers are now focusing their attention on the open-source package ecosystem; we believe this trend will only accelerate in 2023 as well.”

Currently, at the time of writing this article, the GitHub repository that was used by the attacker is still available, but the “TikTok unfilter” packages have been replaced by “Nitro generator” files.

A Discord server called “Unfiltered Space” has been taken offline, with the threat actors claiming they have moved to another server after the server was taken offline.