- Fake photo tool ranking high in search results tricks users into running malware using ClickFix tactics
- Victims are first infected with CastleLoader, which then deploys NetSupport RAT and a custom CastleStealer.
- The campaign highlights how SEO poisoning and social engineering can turn simple tasks into credential theft and remote compromise.
A website that promises to remove backgrounds from selfie photos is in fact dropping information-stealing malware onto visitors' computers, security researchers say.
Cybersecurity researchers at Huntress described how they discovered a website that, through SEO poisoning, reached the top of search engine results pages. As a result, people searching for background removal tools are very likely to land on this malicious site.
When a user uploads photos to this service, they are not actually processed; nothing is uploaded or shared at all. Instead, the site asks the user to “verify that you are human” by opening the Windows Run dialog and pasting a command that has been copied to their clipboard.
CastleLoader, CastleStealer and NetSupport RAT
In typical ClickFix fashion, the attackers rely on victims to execute the malware themselves, first infecting their devices with CastleLoader, the main loader used to deliver additional payloads.
Through CastleLoader, the attackers can deploy second-stage malware, including NetSupport RAT and CastleStealer.
The first is a Remote Access Trojan (RAT) that grants attackers remote access to infected systems, while the second is a custom .NET stealer that targets browser credentials, crypto wallet data, Discord tokens, and Telegram session files.
“What started as someone potentially trying to remove the background from a selfie ended with a custom .NET thief going through your browser passwords, crypto wallet vaults, and Telegram session, as well as a NetSupport RAT placed on disk for tracking access,” Huntress explained.
ClickFix attacks can be mitigated through user education: no legitimate service will ask users to prove they are not a bot by performing an action on their device, such as running a program locally. Administrators can also disable the Win + R shortcut for the Run dialog, making it less likely that victims execute malicious code.
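One way to apply the Win + R mitigation and to audit a machine for earlier Run-dialog abuse, as an added PowerShell example that is not part of the Huntress report or this article; it assumes the standard Explorer policy value NoRun and the RunMRU history key, and the keyword list is a constructed heuristic for ClickFix-style one-liners:

```powershell
# Added example (not from Huntress or TechRadar): per-user mitigation and audit for ClickFix abuse of Run.
# 1. Set the "Remove Run menu from Start Menu" policy (NoRun = 1), which also blocks Win + R.
# 2. Review RunMRU, the history of commands typed into the Run dialog, for entries that look like
#    pasted ClickFix commands. Both keys are per-user (HKCU); machine-wide policy would go under HKLM.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$runMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Disable-RunDialog {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'NoRun policy set; the Run dialog and Win + R are disabled after Explorer restarts or the user logs on again.'
}

function Get-SuspiciousRunHistory {
    # Constructed heuristic: script hosts and download/encode switches commonly seen in ClickFix pastes.
    $patterns = @('powershell', 'pwsh', 'mshta', 'cmd', 'curl', 'certutil', 'bitsadmin',
                  '-enc', '-e ', 'iex', 'Invoke-Expression', 'DownloadString', 'http')
    if (-not (Test-Path $runMruKey)) { return @() }
    $mru = Get-ItemProperty -Path $runMruKey
    $skip = @('MRUList', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $findings = foreach ($prop in $mru.PSObject.Properties) {
        if ($prop.Name -in $skip) { continue }
        $cmd = ([string]$prop.Value) -replace '\\1$', ''   # RunMRU values carry a trailing "\1"
        $hits = $patterns | Where-Object { $cmd -match [regex]::Escape($_) }   # -match is case-insensitive
        if ($hits) {
            [pscustomobject]@{ Entry = $prop.Name; Command = $cmd; Matched = (@($hits) -join ',') }
        }
    }
    return @($findings)
}

# Audit first; apply the policy once you are satisfied it fits the user population.
Get-SuspiciousRunHistory | Format-Table -AutoSize
# Disable-RunDialog
```

RunMRU only records what was typed or pasted into Run, so an empty result does not prove the machine is clean; treat a hit as a prompt to pull process-creation logs for the same time window.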