- A fake photo tool ranked high in search results tricks users into running malware via ClickFix tactics
- Victims first get infected with CastleLoader, which then deploys NetSupport RAT and a custom CastleStealer
- The campaign highlights how SEO poisoning and social engineering can turn simple tasks into credential theft and remote compromise
A website promising to remove backgrounds from selfie photos is actually just dropping infostealing malware on people’s computers, security researchers are saying.
Cybersecurity experts at Huntress outlined how they discovered a website which, through SEO poisoning, managed to work its way to the top of search engine results pages. Therefore, when people search for background removal tools, there is a good chance they’ll land on this particular, malicious site.
When they upload their photos to this service, it doesn’t really get processed. Nothing gets uploaded or shared in any way. However, the site then requests the user to “verify they’re human” by opening up the Windows Run program and pasting a command that was copied onto their clipboard.
CastleLoader, CastleStealer, and NetSupport RAT
In typical ClickFix fashion, the attackers actually demand the victims to run malware themselves, first infecting their devices with CastleLoader. This is the main loader that is used to deliver additional payloads.
Through CastleLoader, the miscreants can then deploy stage-two malware, including NetSupport RAT, and CastleStealer.
The former is a remote access trojan (RAT) which grants the attackers remote access to infected systems, while the latter is a custom .NET stealer that targets browser credentials, crypto wallet data, Discord tokens, and Telegram session files.
“What started as someone potentially trying to remove the background from a selfie ended with a custom .NET stealer rifling through their browser passwords, crypto wallet vaults, and Telegram session, plus a NetSupport RAT dropped on disk for follow-up access,” Huntress explained.
ClickFix attacks can be mitigated through education – users should know that no legitimate service will ask users to verify they’re not a bot with on-device activity (such as, running a program locally). Alternatively, admins can disable the Win + R shortcut for Run, making it less likely for the victims to actually run the malicious code.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-2560-80.jpg
Source link
