Attackers lure users to install malware via TikTok challenge

Bad actors are taking advantage of a popular TikTok challenge in an attempt to trick users into downloading malware, according to new research from security firm Checkmarx.

The “Invisible Challenge” is when a person poses naked while using a special effect called “Invisible Body,” which makes a blurred contour image of the person’s body, according to a Nov. 28 Checkmarx blog post. The challenge had more than 25 million views for the #invisiblefilter hashtag, noted Checkmarx.

Perhaps appealing to the more prurient curiosity of users on the platform, two TikTok accounts (@learncyber and @kodibtc) posted videos with links to join a Discord server with fake software that claims to be able to remove the filter. Visitors will find a NSFW video claiming to be the result of the software as proof of its authenticity, along with install links for the WASP stealer malware “hiding inside malicious Python packages.” Nearly 32,000 people had joined the Discord server when the Checkmarx researchers posted their report.

Additionally, a bot account sent private messages to users with a request to “star” a GitHub repository for an open-source tool that removes the video effect, the Checkmarx post said. That project, named “420World69/Tiktok-Unfilter-Api,” gained trending status on GitHub.

Checkmarx researchers said the campaign is linked to other malicious Python packages and are keeping track of new updates since they consider it an ongoing attack. The attackers’ packages have been removed, but they quickly improvise and create a new identity or name when the Python security team deletes the malicious packages.

“These attacks demonstrate again that cyber attackers have started to focus their attention on the open-source package ecosystem,” concluded researchers Guy Nachshon and Tal Folkman. “We believe this trend will only accelerate in 2023.”