05 May 2026 17:21

ClickFix Removes Your Background but Leaves the Malware

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A malicious website posing as a free background removal service delivers a multi-stage malware framework known as CastleLoader. Once executed, the loader installs NetSupport RAT along with a custom .NET stealer designed to extract browser credentials, cryptocurrency wallet data, and Telegram session information. The malware communicates with its command-and-control infrastructure through encrypted channels that rely on custom protocols and ChaCha20 encryption. The campaign also employs multiple evasion techniques, including process hollowing, APC injection, and abuse of ReplaceTextW, to reduce detection and maintain execution.

Investigation

Researchers traced the attack to an initial payload copied to the victim’s clipboard through a fake “I’m not a robot” prompt, followed by use of finger.exe to retrieve a command from a remote server. Deeper analysis uncovered a Python-based bring-your-own-interpreter chain that downloaded additional malware components, a custom shellcode loader protected with RC4, and a reflective PE loader that called NtAllocateVirtualMemory directly. Investigators found that CastleLoader fetched encrypted tasks from its command-and-control server, decrypted them in memory, and launched follow-on payloads through several different execution methods.

Mitigation

Defenders should block execution of unnecessary Windows utilities such as finger.exe and regsvr32.exe, enforce AppLocker or comparable application control policies, and restrict outbound traffic to untrusted domains and uncommon ports. Organizations should also consider limiting access to the Run dialog where operationally possible and monitor for suspicious use of ReplaceTextW and unusual COM object activity. Browser hardening can help reduce exposure to DPAPI-based credential theft, while keeping cryptocurrency wallet extensions updated may lower the risk of wallet compromise.

Response

Security teams should hunt for CastleLoader by detecting the characteristic clipboard command, monitoring traffic to the identified command-and-control domains, and looking for the malware’s custom user-agent strings. Investigators should also review any scheduled tasks created under %ProgramData% and search for the associated mutex value. If infection is confirmed, isolate the affected host, terminate any active NetSupport RAT processes, and remove malicious files dropped into %ProgramData% and %LocalAppData%.
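As an added hunt example (not part of the SOC Prime page, its rule content, or CastleLoader IoCs), the PowerShell below checks the two Response-section artefacts that can be verified from the host itself: scheduled tasks whose action runs from %ProgramData% or %LocalAppData%, and recent finger.exe process creations. It assumes Security event 4688 is logged with "Include command line in process creation events" enabled; the RC4/AES-CBC keywords mirror the Sigma condition described in the Simulation section.

```powershell
# Added hunt helper (not SOC Prime's code). Assumes the Security log records
# event 4688 with command-line auditing enabled.

function Get-ProgramDataScheduledTasks {
    # Scheduled tasks whose action runs a binary under %ProgramData% or %LocalAppData%,
    # the drop locations named in the Response section.
    $pattern = '\\(ProgramData|AppData\\Local)\\'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # ComHandler actions have no Execute/Arguments and simply fail the match
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd
                    State    = $task.State
                }
            }
        }
    }
}

function Get-FingerExecutions {
    param([int]$Hours = 24)
    # Every finger.exe launch in the window is returned: the binary is rare enough in
    # normal use that each one deserves review, and CipherKeyword flags the rule hit.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['NewProcessName'] -notmatch '\\finger\.exe$') { continue }
        [pscustomobject]@{
            Time          = $evt.TimeCreated
            User          = $data['SubjectUserName']
            Parent        = $data['ParentProcessName']   # populated on Windows 10 / Server 2016+
            CommandLine   = $data['CommandLine']
            CipherKeyword = [bool]($data['CommandLine'] -match 'RC4|AES-CBC')
        }
    }
}

Get-ProgramDataScheduledTasks | Format-Table -AutoSize
Get-FingerExecutions -Hours 72 | Format-Table -AutoSize
```

Run from an elevated prompt; without elevation Get-WinEvent cannot read the Security log and the second query returns nothing.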

Attack Flow

    graph TB
    %% Class Definitions
    classDef technique fill:#ffcc99
    classDef operator fill:#ff9900
    %% Node Definitions
    tech_content_injection["<b>Technique</b> – <b>T1659 Content Injection</b><br/><b>Description</b>: Adversary injects malicious content into legitimate files or data streams to deliver payloads."]
    class tech_content_injection technique
    tech_user_exec_link["<b>Technique</b> – <b>T1204.001 User Execution: Malicious Link</b><br/><b>Description</b>: Victim is tricked into clicking a malicious hyperlink that launches malicious code."]
    class tech_user_exec_link technique
    tech_user_exec_copypaste["<b>Technique</b> – <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/><b>Description</b>: Victim copies and pastes malicious code or commands into a trusted application."]
    class tech_user_exec_copypaste technique
    tech_obfuscation["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Malware is hidden using obfuscation techniques to evade detection."]
    class tech_obfuscation technique
    tech_deobfuscate["<b>Technique</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/><b>Description</b>: Malicious code is decoded or deobfuscated to reveal its true functionality."]
    class tech_deobfuscate technique
    tech_encrypted_channel["<b>Technique</b> – <b>T1573 Encrypted Channel</b><br/><b>Description</b>: Communication is encrypted to protect data in transit from analysis."]
    class tech_encrypted_channel technique
    tech_process_injection_apc["<b>Technique</b> – <b>T1055.009 Process Injection (APC)</b><br/><b>Description</b>: Code is injected into a target process using Asynchronous Procedure Calls."]
    class tech_process_injection_apc technique
    tech_process_hollowing["<b>Technique</b> – <b>T1055.012 Process Injection (Process Hollowing)</b><br/><b>Description</b>: A legitimate process is created and its memory is replaced with malicious code."]
    class tech_process_hollowing technique
    tech_reflective_loading["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/><b>Description</b>: Malicious code is loaded directly into memory without touching disk."]
    class tech_reflective_loading technique
    tech_screen_capture["<b>Technique</b> – <b>T1113 Screen Capture</b><br/><b>Description</b>: Captures screenshots of the victim’s desktop for reconnaissance."]
    class tech_screen_capture technique
    tech_regsvr32["<b>Technique</b> – <b>T1218.010 Regsvr32 Proxy Execution</b><br/><b>Description</b>: Uses regsvr32 to execute malicious code via a proxy DLL."]
    class tech_regsvr32 technique
    tech_masquerading["<b>Technique</b> – <b>T1036.011 Masquerading (conhost copy)</b><br/><b>Description</b>: Malicious binary is renamed or copied to resemble conhost.exe to avoid suspicion."]
    class tech_masquerading technique
    tech_relocate_malware["<b>Technique</b> – <b>T1070.010 Relocate Malware (random filenames)</b><br/><b>Description</b>: Malware files are moved and renamed with random names to hinder discovery."]
    class tech_relocate_malware technique
    tech_credential_theft["<b>Technique</b> – <b>T1552.004 Credential Theft (DPAPI/AES)</b><br/><b>Description</b>: Extracts credentials protected by DPAPI or AES encryption."]
    class tech_credential_theft technique
    tech_keylogging["<b>Technique</b> – <b>T1056.001 Keylogging</b><br/><b>Description</b>: Captures keystrokes entered by the user to harvest sensitive information."]
    class tech_keylogging technique
    %% Connections
    tech_content_injection -->|leads_to| tech_user_exec_link
    tech_user_exec_link -->|leads_to| tech_user_exec_copypaste
    tech_user_exec_copypaste -->|leads_to| tech_obfuscation
    tech_obfuscation -->|leads_to| tech_deobfuscate
    tech_deobfuscate -->|leads_to| tech_encrypted_channel
    tech_encrypted_channel -->|leads_to| tech_process_injection_apc
    tech_process_injection_apc -->|leads_to| tech_process_hollowing
    tech_process_hollowing -->|leads_to| tech_reflective_loading
    tech_reflective_loading -->|leads_to| tech_screen_capture
    tech_screen_capture -->|leads_to| tech_regsvr32
    tech_regsvr32 -->|leads_to| tech_masquerading
    tech_masquerading -->|leads_to| tech_relocate_malware
    tech_relocate_malware -->|leads_to| tech_credential_theft
    tech_credential_theft -->|leads_to| tech_keylogging

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary who has already compromised a low‑privilege account wants to use a signed Windows binary (finger.exe) to hide the execution of a custom encryption payload. They invoke the binary with a crafted argument that includes the string “RC4” (or “AES‑CBC”) to indicate the chosen cipher. Because the binary is signed, Windows AppLocker or other whitelisting solutions are less likely to block it, and the command‑line keyword satisfies the Sigma rule’s encryption condition.

  • Regression Test Script:

    # ------------------------------------------------------------
    # Simulated malicious use of finger.exe with RC4 encryption
    # ------------------------------------------------------------
    # finger.exe ships in System32; the path separators were lost in the original listing.
    $fingerPath = "$env:SystemRoot\System32\finger.exe"
    
    if (-not (Test-Path $fingerPath)) {
        Write-Error "finger.exe not found at $fingerPath"
        exit 1
    }
    
    # Craft a command line that includes the keyword RC4. The switches are arbitrary:
    # the test only needs the keyword to appear in the logged process command line.
    $maliciousCmd = "$fingerPath -p RC4 -target 10.0.0.5"
    
    Write-Host "Executing malicious command: $maliciousCmd"
    Invoke-Expression $maliciousCmd
    
    # Optional: Sleep to allow SIEM ingestion
    Start-Sleep -Seconds 5
  • Cleanup Commands:

    # Terminate any lingering finger.exe processes
    Get-Process -Name finger -ErrorAction SilentlyContinue | Stop-Process -Force
    
    Write-Host "Cleanup complete."