The WASP (or W4SP) Stealer is being installed on thousands of devices by hackers utilizing the popular Invisible body Challenge on TikTok.
The software has the ability to take data from a victim’s computer as well as Discord accounts, passwords, and credit card information kept in cryptocurrency wallets and browsers.
The Nigerian Communications Commission’s Computer Security Incident Response Team also cautioned country residents from participating in the “Invisible Challenge” on the short-form video hosting platform TikTok since it exposes devices to information-stealing malware.
The Malware Trend On Tiktok
In the most recent TikTok challenge, the person filming it assumes a naked position and uses a unique video effect code – named Invisible Body challenge, promising that the full skin tone would be hidden by a background.
- Attackers have shared links to false software named “unfilter” in TikTok videos, which promises to be able to remove the body-masking feature of the app and reveal users’ private bodies.
- According to Checkmarx researchers, the videos were made by TikTok users who have since been suspended and contained an invite link to the Space Unfilter Discord server.
- The WASP stealer, which is persistent malware hosted on Discord and has a high possibility of causing significant damage, is said to be undetected by its developers per NCC-CSIRT advisory.
These clips had over a million views, and immediately after they were published, one of the threat actor’s Discord servers gathered more than 30,000 users.
How It Operate?
When the victims sign up for the Discord server, a bot user named Nadeko posts a link directing them to a GitHub repository hosting the virus.
- Even though it has subsequently been given a new name, the malicious repository has amassed 103 stars and 18 forks, earning it the rank of a trending GitHub project.
- The project’s files contain a Windows batch file (.bat) that, upon execution, downloads a malicious Python package (WASP downloader), as well as a ReadMe file (requirements.txt), which provides a link to a YouTube instructional that explains how to install the TikTok unfilter tool.
- Python packages hosted on PyPI were utilized by the attackers, including pyshftuler, tiktok-filter-api, pyiopcs, and pydesings, with new ones being uploaded whenever the older packages were discovered and taken down.
Using Github Projects As A Cover
- In order to make their malicious package appear credible, the attackers on PyPI utilize the StarJacking attack technique to link it fraudulently to a respectable and well-known GitHub project.
- Additionally, they plagiarize the description of the genuine package, alter it, and include a modification for WASP installation on the host.
- Once PyPI has identified, detected, and deleted the attackers’ malicious infection line from the Python package, they relocate it to the requirements.txt.
Verdict
The malicious “unfilter” packages in the GitHub repository have been switched out for Nitro generator files, and the attackers’ Discord server has been shut down. But what’s really concerning is how deftly attackers enticed and tricked people into joining the Discord server and potentially downloading malware. Users should exercise caution when obtaining anything from untrusted sites or following social media trends.
A portion of this article was taken directly from cyware.