ClickFix Removes Your Background but Leaves the Malware

What Happened

Attackers are using fake background removal websites to trick people into infecting their own computers. When a user clicks a fake 'I'm not a robot' verification, they are instructed to copy and paste a hidden command that secretly downloads malicious software. This software installs a remote access tool and a password stealer that targets web browsers, cryptocurrency wallets, and chat apps like Discord and Telegram. This matters because it allows attackers to steal sensitive personal and financial information while gaining full control over the victim's computer. To stay safe, users should never copy and paste commands into the Run dialog or terminal from untrusted websites, and organizations should block unused legacy tools like the finger network protocol.

Key Takeaways

• The ClickFix campaign uses fake 'I'm not a robot' CAPTCHAs on background removal sites to trick users into copying and executing a malicious command via the Windows Run dialog.
• The initial execution leverages the legacy Windows 'finger.exe' utility to download CastleLoader, an advanced Python-based loader.
• CastleLoader employs sophisticated evasion techniques, including bypassing VirtualAlloc hooks via direct NtAllocateVirtualMemory calls and abusing the ReplaceTextW dialog API to execute shellcode.
• The loader drops NetSupport RAT for persistent remote access and a custom .NET stealer (CastleStealer) designed to extract credentials, crypto wallets, and session tokens.
• CastleStealer utilizes the Windows Restart Manager API to unlock files (like browser databases) without killing processes, and performs process hollowing into PowerShell.

Affected Systems

• Windows OS
• Chromium-family browsers
• Mozilla Firefox
• Discord
• Telegram
• Cryptocurrency wallets (MetaMask, Phantom, Trust Wallet, Ronin)

Attack Chain

The attack begins with a user visiting a fake background removal site and being tricked into copying and executing a finger.exe command via the Windows Run dialog. This command downloads a batch script that fetches a legitimate Python environment and a malicious script, which unpacks a ctypes shellcode loader. The shellcode uses API hashing and the ReplaceTextW dialog hook to evade detection while decrypting and executing a reflective PE loader (CastleLoader). CastleLoader communicates with its C2 to download and execute tasks, ultimately dropping NetSupport RAT for persistence and a custom .NET stealer (CastleStealer) that extracts credentials, crypto wallets, and session tokens using the Restart Manager API and process hollowing.

Detection Availability

• YARA Rules: Yes
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: Huntress

The article indicates that a YARA rule for detecting CastleStealer is available, though the specific rule body is not provided in the text.

Detection Engineering Assessment

EDR Visibility: Medium — The malware actively evades standard EDR hooks by bypassing VirtualAlloc (calling NtAllocateVirtualMemory directly) and using ReplaceTextW to execute shellcode. However, process hollowing into PowerShell and loud network exfiltration provide detection opportunities. Network Visibility: High — C2 communication involves distinct patterns, such as the initial GET request with the campaign UUID in the URL, followed by POST requests with high-entropy bodies and large multi-megabyte BMP screenshot exfiltrations over HTTPS. Detection Difficulty: Moderate — While the loader uses advanced evasion techniques (direct syscalls, dialog hooks), the initial access vector (finger.exe) and the final actions (process hollowing, large network POSTs) are highly anomalous and detectable.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• Network Connections (Sysmon 3)
• File Creation (Sysmon 11)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for instances of finger.exe making outbound network connections, especially to non-standard ports or external domains, as this is highly unusual in modern Windows environments.	Network Connections, Process Creation	Execution	Low
Search for cmd.exe executing ping 1.0.0.1 followed by a del command, which is a common batch self-deletion pattern.	Process Creation	Defense Evasion	Low
Detect sustained, large (5MB+) HTTP POST requests originating from unexpected processes, indicating potential uncompressed screenshot exfiltration.	Network Traffic	Exfiltration	Medium
Monitor for process hollowing where an unknown or untrusted process spawns powershell.exe and injects code into it.	Process Access, Process Creation	Privilege Escalation / Defense Evasion	Medium

Control Gaps

• Lack of App-Bound Encryption (ABE) enforcement in older Chromium browsers
• Unrestricted access to legacy Windows binaries like finger.exe
• Run dialog accessible to standard users

Key Behavioral Indicators

• finger.exe execution with external domains
• ReplaceTextW API called by unusual processes
• Direct calls to NtAllocateVirtualMemory bypassing VirtualAlloc
• Use of Restart Manager API (RmStartSession) by non-installer processes

False Positive Assessment

• Low. The specific combination of finger.exe usage, fake CAPTCHAs, and the identified C2 infrastructure is highly indicative of malicious activity. Legitimate use of finger.exe on modern Windows is virtually non-existent.

Recommendations

Immediate Mitigation

• Block outbound TCP port 79 (finger) at the network perimeter.
• Block known C2 domains and IPs associated with CastleLoader and CastleStealer.

Infrastructure Hardening

• Disable the Windows Run dialog via Group Policy (NoRun=1) to prevent users from easily executing pasted commands.
• Implement AppLocker or Windows Defender Application Control (WDAC) to restrict execution of script interpreters and legacy binaries.

User Protection

• Ensure all Chromium-family browsers are updated to version 127 or later to benefit from App-Bound Encryption (ABE).
• Deploy EDR solutions configured to monitor for process hollowing and suspicious API usage (e.g., Restart Manager).

Security Awareness

• Train users to recognize social engineering tactics that ask them to copy and paste commands into the Run dialog or terminal (ClickFix).

MITRE ATT&CK Mapping

• T1059.003 - Command and Scripting Interpreter: Windows Command Shell
• T1059.006 - Command and Scripting Interpreter: Python
• T1105 - Ingress Tool Transfer
• T1055.012 - Process Injection: Process Hollowing
• T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
• T1027.002 - Obfuscated Files or Information: Software Packing
• T1129 - Shared Modules
• T1005 - Data from Local System

Additional IOCs

• Ips:
  • 38[.]146[.]28[[.]]30 - CastleStealer C2
• Domains:
  • trindastal[[.]]com - CastleLoader C2 infrastructure
  • obelnamevalf[[.]]org - NetSupport RAT payload delivery domain
  • brionter[[.]]com - CastleStealer payload delivery domain
  • cheeshomireciple[[.]]com - finger.exe C2 domain
  • ai-scan[[.]]digital - BackgroundFix malicious site
  • bg-transparency[[.]]online - BackgroundFix malicious site
  • bg-go[[.]]online - BackgroundFix malicious site
  • background-off[[.]]com - BackgroundFix malicious site
  • bg-ready[[.]]online - BackgroundFix malicious site
  • bg-removerok[[.]]online - BackgroundFix malicious site
  • background-ready[[.]]online - BackgroundFix malicious site
  • backgroundformat[[.]]online - BackgroundFix malicious site
  • poronto[[.]]com - NetSupport RAT C2
  • giovettiadv[[.]]com - NetSupport RAT C2
  • mail[.]bg-go[.]online - BackgroundFix malicious site identified in network traffic
• Urls:
  • hxxps://trindastal[[.]]com/4ba0af68-0037-5f6e-afd1-64f89fc0f554/loc8 - Stage-2 Python downloader URL
  • hxxps://trindastal[[.]]com/4ba0af68-0037-5f6e-afd1-64f89fc0f554/v8 - Stage-2 RC4-encrypted shellcode URL
  • hxxps://brionter[[.]]com/4ba0af68-0037-5f6e-afd1-64f89fc0f554/net40[.]bin - CastleStealer payload URL
• File Hashes:
  • bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92 (SHA256) - CastleLoader Core (final v8 payload, embedded PE)
  • ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9 (SHA256) - .NET stealer (net40.bin, decrypted)
• File Paths:
  • %ProgramData%\CeoliauD\Dabkina - NetSupport RAT installation path
  • C:\ProgramData\<instance_id> - CastleLoader install marker filename to prevent restarts
  • C:\Windows\System32\WindowsPowerShell\v1.0 - Target path for process hollowing (64-bit)
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0 - Target path for process hollowing (32-bit)
• Command Lines:
  • Purpose: Initial payload execution via ClickFix clipboard paste | Tools: cmd.exe, finger.exe | Stage: Execution | for /f "skip=8 delims=" %h in ('finger
  • Purpose: Self-deletion of the stealer executable | Tools: cmd.exe, ping.exe | Stage: Defense Evasion | cmd.exe /C ping 1.0.0.1 & del
• Other:
  • b47e1791-82ba-544f-9aab-ebbdd36d8c89 - CastleLoader campaign UUID
  • D63TnQ3WhSnjI0yVKaILRu8U1WttdnE - CastleLoader user-agent and Auth token
  • f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb - ChaCha20 key used for C2 communication encryption
  • bbbbf632514c0caae655b2c4 - ChaCha20 nonce used for C2 communication encryption
  • YvAPcF0OnjSYuDW7QosQ - Instance ID used for Mutex and install marker