Hackers are abusing the trending Invisible Body challenge on TikTok to install WASP (or W4SP) Stealer on thousands of devices. The malware can steal Discord accounts, passwords and credit cards stored in browsers, cryptocurrency wallets, and even files from a victim's computer.

Malware blends in with the trend

In the latest TikTok challenge, the person filming poses naked while using a special video effect called Invisible Body, on the claim that their entire skin tone will be camouflaged against the background.
  • Attackers have posted TikTok videos with links to fake software called ‘unfilter’ that claims to be able to remove TikTok's body masking effect and expose the TikTokers' nude bodies.
  • Checkmarx researchers reported that now-suspended TikTok users created the videos, which carried an invite link to join a Discord server named Space Unfilter.

These videos amassed over a million views combined shortly after being posted, and one of the threat actor's Discord servers amassed over 30,000 members.

How does it work?

After joining the Discord server, victims receive a link, posted by a bot account named Nadeko, that points to a GitHub repository hosting the malware.
  • The malicious repository has gained the status of a trending GitHub project, and while it has since been renamed, it currently has 103 stars and 18 forks.
  • Inside the project's files is a Windows batch file (.bat) that installs a malicious Python package (WASP downloader) on execution and a ReadMe file (requirements.txt) that links to a YouTube tutorial instructing users on the installation of the TikTok unfilter tool.
  • The attackers used multiple Python packages hosted on PyPI, including pyshftuler, tiktok-filter-api, pyiopcs, and pydesings, with new ones added every time the old packages are reported and removed.

Hiding behind GitHub projects

  • The attackers use the StarJacking technique on PyPI, falsely linking their malicious package to a legitimate and popular GitHub project to make it look convincing.
  • Moreover, they steal and modify the legitimate package’s description, and add a modification for installing WASP on the host.
  • Once the attackers’ packages have been caught, reported, and removed by PyPI, they move the malicious infection line from the Python package to the requirements.txt.
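
As an added example (not code from Checkmarx or from the original report), this Python script audits a requirements.txt for the package names listed above and for lines that pull code from outside the default index, the place the infection line moved to after the PyPI takedowns. The sample file and the example.invalid URLs are constructed, and because the names were rotated after each removal, a name match is only a starting point.

```python
import re

# Package names listed in the article; attackers rotated them, so treat as a seed list.
REPORTED = {"pyshftuler", "tiktok-filter-api", "pyiopcs", "pydesings"}
# pip options that make the file install from somewhere other than the default index.
SOURCE_OPTS = re.compile(
    r"(-i|--index-url|--extra-index-url|-f|--find-links|-r|--requirement|-e|--editable)\b")
DIRECT_REF = re.compile(r"(git|hg|svn|bzr)\+|https?://|file:")

def normalize(name):
    """PEP 503 normalization so 'PyIOPCS' and 'tiktok_filter_api' still match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text):
    """Return (line_number, reason, requirement) findings for a requirements.txt body."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if not line:
            continue
        if line.startswith("-"):
            if SOURCE_OPTS.match(line):
                findings.append((lineno, "pip option changes install source", line))
            continue
        # 'name @ url' (PEP 508 direct reference) or a bare URL / VCS link
        if DIRECT_REF.match(line) or "@" in line.split(";")[0]:
            findings.append((lineno, "direct URL/VCS reference", line))
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m and normalize(m.group(0)) in REPORTED:
            findings.append((lineno, "package named in the report", line))
    return findings

# Constructed sample, not taken from the attackers' repository.
SAMPLE = """\
requests==2.31.0
colorama
PyIOPCS==1.0   # case differs from the reported spelling
tiktok_filter_api
--extra-index-url https://example.invalid/simple
helper @ https://example.invalid/helper-0.1.tar.gz
"""

if __name__ == "__main__":
    for lineno, reason, line in audit_requirements(SAMPLE):
        print(f"line {lineno}: {reason}: {line}")
```

Running the audit before `pip install -r` on an unfamiliar repository gives a reviewer the specific lines to inspect by hand.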

Conclusion

The Discord server used by the attackers has been taken offline and the malicious 'unfilter' packages in the GitHub repository have been replaced by Nitro generator files. However, the way attackers cleverly manipulated and tempted victims into joining the Discord server and potentially installing the malware is quite worrisome. Users should be wary while following social media trends and downloading anything from unknown sources.
Cyware Publisher