
TikTok “Invisible Challenge” porn malware puts us all at risk – Naked Security

Researchers at Checkmarx, a secure coding company, are warning of porn-themed malware that lures and attacks unwary internet users in droves.

Unfortunately, the side effects of this malware, which goes by the names “unfilter” or “space unfilter”, include looting data from victims’ computers, including Discord passwords. That indirectly exposes the victims’ contacts, such as colleagues, friends and family, to spam and scams from cybercriminals who can now masquerade as people they know.

As Naked Security has noted several times before, cybercriminals love passwords for social networking and instant messaging, because it is much easier to lure new victims through closed groups than it is to trick people with unsolicited messages sent over “open to all” channels such as email or SMS.

Turning off invisibility

In this case, the scam claims to provide software that can reverse the effects of TikTok’s Invisible filter. Invisible filters are visual effects that work like the green-screen or background filters everyone seems to be using on Zoom calls these days…

…except that the parts of the image that end up blurred or translucent are you yourself, rather than the background.

For example, if you put a sheet over your head like a stereotypical comic-book ghost and then move around like one (sound effects optional), the outline of the “ghost” remains recognisable, but the background stays mostly visible through that outline, which generates a fun and interesting effect.

Unfortunately, the idea of pseudo-invisibility has led to the so-called “TikTok Invisibility Challenge”, in which TikTok users film themselves in various stages of undress, trusting that the transparency filter will work well enough to stop their actual bodies being shown.

Don’t do this. It should be obvious that there is little to be gained if it works, but an enormous amount to lose if something goes wrong.

As you can imagine, this led to sleazy online posts claiming to offer software capable of reversing the effects of the Invisible filter after the video was posted.

This appears to be the route the cybercriminals took in the attack described by Checkmarx. The scammers:

  • Promoted their alleged “unfilter” tool on TikTok. Curious users who wanted the app were lured to Discord servers to get it.
  • Drew prurient users into their Discord group. The bait reportedly included already-“unfiltered” videos to “prove” that the software worked.
  • Enticed users to upvote the GitHub project hosting the “unfilter” code. This made the software appear more reputable and trustworthy than new and unknown GitHub projects usually do.
  • Convinced users to download and install the GitHub project. The project’s README file (the official documentation you see when browsing the GitHub page) also apparently included a link to a YouTube video explaining the installation process.
  • Installed several related Python packages that downloaded and executed the final malware. According to Checkmarx, the malware was buried in a legitimate-looking package listed as a so-called supply chain dependency that the purported “unfilter” tool required. However, the attacker-supplied version of that dependency had been modified by adding a single line of obfuscated Python code that fetched the final malware.
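The last step is the one a defender can check for before installing: an install-time downloader is usually one exec()/eval() call wrapped around decoding, import-by-string or network calls. The heuristic scanner below is an added example (not code from the article or the Checkmarx report) built on Python’s ast module; the list of suspicious call names is an assumption, and the sample setup.py is constructed here and is parsed only, never executed.

```python
import ast
import base64  # used only to build the constructed sample below

# Call names that, combined with exec()/eval(), are typical of install-time
# downloaders hidden in a setup.py or a vendored dependency (assumed heuristic;
# "get" can also match harmless dict.get, so treat hits as leads, not verdicts).
NETWORK_OR_DECODE = {"b64decode", "urlopen", "get", "decompress", "decode"}


def _dotted(node):
    """Return a dotted name for Name/Attribute/Call chains, else ''."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    if isinstance(node, ast.Call):
        return _dotted(node.func)
    return ""


def find_install_time_downloaders(source):
    """Return (lineno, reason) for each exec/eval whose argument tree contains
    a decode, network or __import__ call. Parses only; runs nothing."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func)
        if callee not in ("exec", "eval"):
            continue
        suspicious = set()
        for inner in ast.walk(node):
            if isinstance(inner, ast.Call):
                name = _dotted(inner.func)
                if name == "__import__":
                    suspicious.add("__import__")
                elif name.rsplit(".", 1)[-1] in NETWORK_OR_DECODE:
                    suspicious.add(name.rsplit(".", 1)[-1])
        if suspicious:
            findings.append((node.lineno, callee + "(" + ",".join(sorted(suspicious)) + ")"))
    return findings


# Constructed, harmless stand-in for an injected line: the decoded text is
# just a print statement, and the scanner above never executes it.
SAMPLE_SETUP_PY = '''
from setuptools import setup
# constructed sample: one obfuscated line added to an otherwise normal setup.py
exec(__import__("base64").b64decode("{}"))
setup(name="unfilter-demo", version="0.1")
'''.format(base64.b64encode(b"print('constructed sample')").decode())

CLEAN_SETUP_PY = 'from setuptools import setup\nsetup(name="ok", version="0.1")\n'
```

Run it over every setup.py, pyproject build hook and vendored module in a downloaded project before you run pip install on it.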

Thus, the final malware payload can be changed at will by the crooks, simply by altering what is delivered when the fake “unfilter” project is installed.

[Image: snippet of the install-time downloader code, decoded from the Checkmarx report.]

Data-stealing malware

As mentioned above, the malware discovered by Checkmarx appears to be a variant of a data-stealing “toolkit” variously known as WASP or W4SP, which is distributed via a poisoned GitHub project.

Often, GitHub-based supply chain attacks rely on malicious packages whose names are easily confused with well-known, legitimate packages that developers might download by mistake, so the purpose of the attack is to infect one or more development computers inside a company, probably with the aim of subverting that company’s development process.

That way, the scammers not only get someone else to package the malware for them, by having it included in an official software release from a legitimate company (an entirely different kind of malware delivery), but they also usually get the company to add its digital signature and to push the malware out automatically in its next software update.

This produces a classic supply chain attack: rather than being tricked or enticed into downloading something from someone or somewhere you have never heard of before, you innocently and intentionally pull malware from someone you already trust.


However, in this attack the criminals appear to have been targeting any individual who installed the fake “unfilter” code, given that developers have no need for “how to install packages from GitHub” videos.

Developers are already accustomed to using GitHub and installing Python code, and a package that goes out of its way to explain something they take for granted might well have raised their suspicions.

The malware distributed in this incident appears to attack each victim individually, directly extracting sensitive data such as Discord passwords, cryptocurrency wallets, and stored payment card data.

What should I do?

  • Don’t download and install software just because someone told you to. In this case, the criminals behind the (now closed) GitHub account that created the fake package used social media and fake upvotes to spread artificial hype around the malicious package. Do your own homework. Don’t blindly take the word of people you don’t know, have never met, and never will.
  • Don’t give likes or upvotes in advance. Anyone who installed this malware package wouldn’t have upvoted it afterwards, because by then it would have been obvious that it was bogus. By unwittingly lending implicit approval to a GitHub project, you put others at risk by giving a malicious package what looks like community approval, a result that fraudsters cannot easily achieve on their own.
  • Remember that otherwise legitimate software can be booby-trapped via its installer. This means that the software you think you are installing really is installed, and at the end of the process you apparently have exactly what you expected. That can give a false sense of security, with the malware implanted as a hidden side effect of the installation process itself, without ever showing up in the installed software. (This also serves as a sort of cover story for the attack, because even if you completely remove the legitimate component, the malware remains.)
  • One person’s wound is everyone’s wound. Don’t expect much sympathy if your own data was stolen because you went hunting for a sleazy-sounding app that hoped to turn harmless videos into unintentional porn clips. But don’t expect any sympathy if your recklessness puts your co-workers, friends and family in the firing line of spammers and scammers, because criminals obtained your messaging or social networking passwords this way.

Remember: When in doubt, leave it.

