Hackers are using a popular TikTok challenge, known as “Invisible Body”, to spread WASP malware and steal data.
TikTok challenge is used to spread Infostealer malware
Malicious actors are using the TikTok “Invisible Body” challenge to spread WASP infostealer malware.
TikTok’s “Invisible Body” challenge involves using a filter to block out a user’s body features and display only their silhouette. The silhouette is then matched to the background of the video, almost giving the impression of being invisible. The #invisiblefilter tag on TikTok has over 25 million views, making the trend undoubtedly popular.
While the “Invisible Body” trend itself is harmless enough, it’s now being used by creators to film themselves naked, with the filter obscuring their bodies from viewers.
Attackers take advantage of the lure of “defiltering” these nude videos to spread WASP malware. The hacker will post a fake video claiming to have removed the filter using software, exposing the naked body of the creator in question. This is designed to pique the interest of some people who want to use the software to defilter TikTok videos themselves.
Discord used to spread malware
The attackers’ invite link leads to a Discord server named “Space Unfilter”, where users can allegedly download the filter removal software. When someone joins the server, they receive a message from a bot account containing a link to a GitHub repository. This repository hosts the WASP malware, which is hidden in a malicious Python package.
In a Medium blog post, Checkmarx researcher Guy Nachshon wrote that the attacker initially used a malicious package known as “pyshftuler”, but then “uploaded a new malicious package under a different name” once the initial package had been identified and removed by PyPI (Python Package Index). However, the new package, “pyiopcs”, was also flagged and removed.
After the package was repeatedly removed, the attacker then decided to use “a malicious Python package listed in the requirements.txt file”. Checkmarx tracks the package updates made by this attacker. Each time the attacker’s malicious package is removed, the attacker simply uses a different account name to more effectively evade detection.
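Because the attacker keeps re-uploading under new names, a list of known-bad names catches only yesterday's package, while an allowlist check on requirements.txt also catches the renamed one. The following is an added example, not code from the article or from Checkmarx; the approved list, the sample file and the name `unreviewed-helper-pkg` are constructed for illustration.

```python
import re

# Package names the article says PyPI flagged and removed.
REPORTED_MALICIOUS = {"pyshftuler", "pyiopcs"}
# Constructed allowlist of dependencies a team has already reviewed.
APPROVED = {"requests", "pillow"}
# Constructed requirements.txt, as might ship in an untrusted repository.
SAMPLE = """\
# image tooling
requests==2.31.0
Pillow>=9.0
PyIopcs
unreviewed-helper-pkg==0.1   # constructed stand-in for a renamed package
git+https://example.invalid/tool.git#egg=tool
"""

def normalize(name):
    """PEP 503: lowercase, runs of '-', '_' and '.' collapse to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text, approved=APPROVED, denied=REPORTED_MALICIOUS):
    """Return (line_no, requirement, reason) for every line needing review."""
    approved = {normalize(n) for n in approved}
    denied = {normalize(n) for n in denied}
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        # pip treats '#' as a comment only at line start or after whitespace
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        name = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if line.startswith("-") or "://" in line or name is None:
            reason = "pip option, direct URL or VCS source"
        elif normalize(name.group(0)) in denied:
            reason = "name reported as malicious"
        elif normalize(name.group(0)) not in approved:
            reason = "not on the approved list"
        elif "==" not in line:
            reason = "not pinned to an exact version"
        else:
            continue
        findings.append((no, line, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print("line %d: %s -> %s" % finding)
```

Run it against a repository's requirements.txt before any `pip install -r`, since installing a package is enough to execute its code.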
Different types of data targeted by WASP Infostealer
The WASP infostealer malware targets many types of data, including credit card details, login credentials, and even cryptocurrency wallets. For example, a victim’s Discord login credentials can be stolen or their payment information can be used to conduct transactions under their name.
In the previously mentioned Medium post, Nachshon said that “the level of manipulation used by software supply chain attackers is increasing as attackers get smarter.” So it looks like software supply chain attacks will continue to be a security concern as the methods become more sophisticated over time.
TikTok is repeatedly used to spread malware
This is by no means the first time that TikTok has been used to spread malware and carry out scams. The app is incredibly popular and also appeals to many young people who are unfamiliar with online safety. Social media platforms are often used to scam unsuspecting victims, whether for data, money, or account control. That’s why it’s important to always be on your toes online.