Site icon Sophos News

TikTok “Invisible Challenge” porn malware puts us all at risk

Researchers at secure coding company Checkmarx have warned of porn-themed malware that’s been attracting and attacking sleazy internet users in droves.

Unfortunately, the side-effects of this malware, dubbed Unfilter or Space Unfilter, apparently involve plundering data from the victim’s computer, including Discord passwords, thus indirectly exposing the victim’s contacts – such as colleagues, friends and family – to spams and scams from cybercriminals who can now pose as someone those people know.

As we’ve mentioned many times before on Naked Security, cybercriminals love social networking and instant messaging passwords because it’s a lot easier to draw new victims in via a closed group than it is to con people using unsolicited messages over “open to all” channels such as email or SMS:

https://nakedsecurity.sophos.com/2022/02/28/instagram-scammers-as-busy-as-ever-passwords-and-2fa-codes-at-risk/

The uninvisibility decloak

The scam in this case claims to offer software that can reverse the effects of TikTok’s Invisible filter, which is a visual effect that works a bit like the green screen or background filter that everyone seems to use these days in Zoom calls…

…except that the part of the image that’s blurred or made semi-transparent or translucent is you yourself, rather than the background.

If you put a sheet over your head, for example, like an archetypal comic book ghost, and then move around in a comic book ghost-like fashion (sound effects optional), the outline of the “ghost” will be discernible, but the background will typically still be vaguely, if blurrily, visible through the ghost’s outline, creating an amusing and intriguing effect.

Unfortunately, the idea of being pseudo-invisible has led to the so-called “TikTok Invisibility challenge”, where TikTok users are dared to film themselves live in various stages of undress, trusting in the Invisible filter to work well enough to stop their actual body being shown.

Don’t do this. It should be obvious that there’s very little to be gained if it works, but an awful lot to lose (and not merely your dignity) if something goes wrong.

As you can probably imagine, this has led to sleazy online posts claiming to offer software that can reverse the effects of the Invisible filter after a video has been published, thus allegedly turning otherwise innocent-looking videos into NSFW porn clips.

That seems to be exactly the path that cybercriminals took in the attack outlined by Checkmarkx, where the crooks:

The final malware payload, obviously, could therefore be modified at will by the crooks by simply changing what gets served up when the bogus “unfilter” project is installed:

Fragment of decoded install-time downloader code from Checkmarx report.

Data stealing malware

As mentioned above, the malware seen by Checkmarx seems to have been a variant of a data stealing “toolkit” variously known as WASP or W4SP that is disseminated via poisoned GitHub projects, and that budding cybercriminals can buy into for as little as $20.

Often, GitHub-based supply chain attacks rely on malicious packages with names that are easily confused with well-known, legitimate packages that developers might download by mistake, and the aim of the attack is therefore to poison one or more development computers inside a company, perhaps in the hope of subverting that company’s development process.

That way, the crooks hope to end up with malware (perhaps a completely different strain of malware) embedded into the official releases of software created by a legitimate company, thus not only getting someone else to package up their malware, but typically also to add a digital signature to it, and perhaps even to push it out automatically in the company’s next software update.

This results in a classic supply-chain attack, where you innocently and intentionally pull down malware from someone you already trust, instead of having to be tricked or cajoled into downloading it from someone or somewhere you’ve never heard of before.


LEARN MORE ABOUT SUPPLY-CHAIN ATTACKS AND HOW TO STOP THEM

https://nakedsecurity.sophos.com/2021/10/25/becybersmart-2021-supply-chain-attacks/

In this attack, however, the criminals seemed to be targeting any and all individuals who installed the fake “unfilter” code, given that a “how to install packages from GitHub” video would be unnecessary for developers.

Developers would already be familiar with using GitHub and installating Python code, and might even have their suspicions increased by a package that went out of its way to state something that they would have considered obvious.

The malware unleashed in this case appears to have been intended to attack each victim individually, directly seeking out valuable data including Discord passwords, cryptocurrency wallets, stored payment card data, and more.

What to do?

Remember: If in doubt/Leave it out.


Exit mobile version