- A fake photo tool ranked high in search results tricks users into running malware via ClickFix tactics
- Victims are first infected with CastleLoader, which then deploys the NetSupport RAT and a customized CastleStealer
- The campaign highlights how SEO poisoning and social engineering can turn simple tasks into credential theft and remote compromise
A website that promises to remove backgrounds from selfie photos is actually just dropping info-stealing malware on people’s computers, security researchers say.
Cybersecurity experts at Huntress described how they discovered a website which, through SEO poisoning, worked its way to the top of search engine results pages. As a result, people searching for background removal tools have a good chance of landing on this particular malicious site.
When users upload their photos to this service, the images are not actually processed; nothing is uploaded or shared in any way. Instead, the site asks the user to “verify they are human” by opening the Windows Run dialog and pasting a command that has been copied to their clipboard.
CastleLoader, CastleStealer and NetSupport RAT
In typical ClickFix fashion, the attackers actually require victims to run the malware themselves, first infecting their devices with CastleLoader. This is the main loader used to deliver additional payloads.
Through CastleLoader, malicious actors can then deploy stage 2 malware, including the NetSupport RAT and CastleStealer.
The former is a remote access trojan (RAT) that gives attackers remote access to infected systems, while the latter is a custom .NET thief that targets browser credentials, crypto wallet data, Discord tokens, and Telegram session files.
“What started with someone potentially trying to remove the background from a selfie ended up with a custom .NET thief rifling through their browser passwords, crypto wallet vaults and Telegram session, plus a NetSupport RAT dropped on disk for follow-up access,” Huntress explained.
ClickFix attacks can be mitigated through education – users should know that no legitimate service will ask them to prove they are not a bot by performing actions on their own device (such as running a command locally). Alternatively, administrators can disable the Win + R shortcut for Run, making it less likely that victims will actually execute the malicious command.
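The following PowerShell script is an added example, not code from Huntress or from the article, showing how an administrator could apply the Run-dialog mitigation described above and check whether a user has already pasted a suspicious command into Run. It uses two real registry locations: the `NoRun` Explorer policy (which removes Run from the Start menu and blocks Win + R) and `RunMRU`, where Windows keeps the Run dialog's history. The regular expressions in `Find-SuspiciousRunEntries` are illustrative assumptions about what a ClickFix-style paste tends to look like (hidden-window script hosts, encoded commands, remote content piped to execution), not indicators published by the researchers.

```powershell
# Added example (not from Huntress or TechRadar): harden the Run dialog and audit its history.
# Run as the affected user for HKCU; use the HKLM policy hive or Group Policy for a fleet.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RunMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Disable-RunDialog {
    # NoRun = 1 removes the Run command from the Start menu and disables the Win + R shortcut.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoRun' -Value 1 -Type DWord
}

function Get-RunHistory {
    # RunMRU stores each Run entry as a string value named a, b, c, ... ending in "\1".
    # MRUList (the ordering value) is skipped because it is not a single-letter name.
    if (-not (Test-Path $RunMruKey)) { return @() }
    $props = Get-ItemProperty -Path $RunMruKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |
        ForEach-Object { $_.Value -replace '\\1$', '' }
}

function Find-SuspiciousRunEntries {
    param([string[]]$Entries)
    # Assumed indicators: a real "verify you are human" step never needs any of these.
    $patterns = @(
        'powershell(\.exe)?\s+.*-(w|win|windowstyle)\s*hidden',            # hidden console window
        '-(e|ec|encodedcommand)\s+[A-Za-z0-9+/=]{20,}',                     # base64-encoded command
        'mshta(\.exe)?\s+https?://',                                        # script host pulling remote content
        '(iwr|irm|invoke-webrequest|invoke-restmethod|curl)\s+.*\|\s*(iex|invoke-expression)',
        'cmd(\.exe)?\s+/c\s+.*https?://'                                    # shell one-liner fetching a URL
    )
    foreach ($entry in $Entries) {
        foreach ($p in $patterns) {
            if ($entry -match $p) {   # -match is case-insensitive by default
                [pscustomobject]@{ Entry = $entry; Matched = $p }
                break
            }
        }
    }
}

# Usage: audit the existing history first (evidence of a prior ClickFix paste), then harden.
$hits = Find-SuspiciousRunEntries -Entries (Get-RunHistory)
if ($hits) { $hits | Format-Table -AutoSize } else { 'No suspicious Run history found.' }
Disable-RunDialog
```

Auditing before hardening matters: a hit in `RunMRU` means the command was already executed, so the host should be treated as potentially compromised and triaged for CastleLoader's follow-on payloads rather than merely locked down. Note that the policy only covers the Run dialog; a lure that redirects victims to a terminal or File Explorer address bar is not blocked by it, so the user-education point above still applies.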
