A recent trend uncovered by Checkmarx on TikTok involves the usage of an “Invisible Body” filter that requires users to be in a state of undress in order to have their bodies removed from the image and replaced with a blur. In response, threat actors created their own TikTok videos claiming to have created a program that would allow users to remove the Invisible Body filter with a link to a GitHub repository. Rather than the promised software, the repository contains a malware installer. The installation instructions instruct users to execute the included “.bat” file, which installs a malicious Python package from PyPI that contains the WASP stealer malware.
The malicious packages are actively being reported and removed from PyPI, but continue to be re-uploaded under new names and accounts. The PyPI packages used by the threat actors employ a technique called “StarJacking” in which they link their malicious PyPI package to popular GitHub repositories. This causes the PyPI package web page to display the statistics of a legitimate GitHub repository, giving the malicious PyPI package the appearance of legitimacy. At this time, the GitHub repository containing the malware installer is still active but has been renamed from “TikTok unfilter” to “Nitro generator”.
Analyst Notes
The report released by Checkmarx in regards to this attack states: “These attacks demonstrate again that cyber attackers have started to focus their attention on the open-source package ecosystem; We believe this trend will only accelerate in 2023.”
When installing any software from open-source resources such as PyPI or GitHub, it is crucial to be skeptical and to perform due diligence by doing things like reviewing the code base, ensuring proper spelling of packages to avoid typosquatting, verifying GitHub statistics on PyPI packages, searching the internet for 3rd party references to the desired software, and using official OS packaging systems instead of open-source packaging systems whenever possible.
https://www.bleepingcomputer.com/news/security/tiktok-invisible-body-challenge-exploited-to-push-malware/
