'What started as someone potentially trying to remove the background from a selfie ended with a custom .NET stealer rifling through their browser passwords': Experts warn that free image editor tool could actually be dangerous malware
Background removal services are being used in ClickFix attacks
- A fake photo tool ranked high in search results tricks users into running malware via ClickFix tactics
- Victims first get infected with CastleLoader, which then deploys NetSupport RAT and a custom CastleStealer
- The campaign highlights how SEO poisoning and social engineering can turn simple tasks into credential theft and remote compromise
A website promising to remove backgrounds from selfie photos is actually just dropping infostealing malware on people’s computers, security researchers are saying.
Cybersecurity experts at Huntress outlined how they discovered a website which, through SEO poisoning, managed to work its way to the top of search engine results pages. Therefore, when people search for background removal tools, there is a good chance they’ll land on this particular, malicious site.
When users upload a photo to this service, nothing is actually processed; the image is neither uploaded nor shared in any way. Instead, the site asks the user to “verify they’re human” by opening the Windows Run dialog and pasting a command that has been copied onto their clipboard.
CastleLoader, CastleStealer, and NetSupport RAT
In typical ClickFix fashion, the attackers get the victims to run the malware themselves, first infecting their devices with CastleLoader. This is the main loader, used to deliver additional payloads.
Through CastleLoader, the miscreants can then deploy stage-two malware, including NetSupport RAT and CastleStealer.
The former is a remote access trojan (RAT) which grants the attackers remote access to infected systems, while the latter is a custom .NET stealer that targets browser credentials, crypto wallet data, Discord tokens, and Telegram session files.
“What started as someone potentially trying to remove the background from a selfie ended with a custom .NET stealer rifling through their browser passwords, crypto wallet vaults, and Telegram session, plus a NetSupport RAT dropped on disk for follow-up access,” Huntress explained.
ClickFix attacks can be mitigated through education - users should know that no legitimate service will ask them to verify they’re not a bot through on-device activity (such as running a program locally). Alternatively, admins can disable the Win + R shortcut for Run, making it less likely that victims actually run the malicious code.
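The Win + R mitigation mentioned above maps to the Windows “Remove Run menu from Start Menu” policy, which also blocks the keyboard shortcut. The PowerShell below is an added example, not code from Huntress or from the article; it assumes it is run in the target user’s own session (per-user HKCU policy, no elevation needed) and that the user logs off or restarts Explorer afterwards for the change to take effect. In a domain, the same setting is normally pushed via Group Policy rather than scripted per machine.

```powershell
# Added example: enforce the "Remove Run menu from Start Menu" policy for the
# current user. The NoRun value under this Explorer policy key also disables
# the Win+R shortcut. The HKLM:\ equivalent of the same path applies machine-wide.
$policyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-RunDialogDisabled {
    param([bool]$Disabled = $true)
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    # NoRun = 1 removes the Run entry and blocks Win+R; 0 restores it.
    New-ItemProperty -Path $policyPath -Name 'NoRun' -PropertyType DWord `
        -Value ([int]$Disabled) -Force | Out-Null
}

function Test-RunDialogDisabled {
    # Returns $true only when the policy value exists and is set to 1.
    $item = Get-ItemProperty -Path $policyPath -Name 'NoRun' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoRun -eq 1)
}

Set-RunDialogDisabled -Disabled $true
if (Test-RunDialogDisabled) {
    'Run dialog and Win+R disabled for this user; takes effect after logoff or an Explorer restart.'
}
```

This closes only the specific path the article describes (the Run dialog), so it complements rather than replaces user education; the check function is there so the setting can be verified from an endpoint inventory or compliance script rather than assumed.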

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.