- New ClickFix variant uses fake NexShield ad blocker to spread malware
- Attack crashes browsers and then tricks users into installing ModeloRAT via command prompt
- KongTuke targets businesses; individuals may face future risks
ClickFix attacks are evolving: instead of tricking the victim into thinking there is a problem, they now create a real one to solve, experts have warned.
Usually, a ClickFix lure is either a pop-up on a page or a fake .docx or .pdf document. Victims are told that they cannot view the contents of a web page or open the documents until they have “fixed” a problem by copying and pasting a command into the Windows Run program.
In those attacks there was never a problem, and all the victim did was run a command that installed the malware. That has now changed.
Crash of the browser
The latest variant revolves around a fake ad-blocking browser extension for Chrome and Edge called NexShield. It was built by a threat actor called KongTuke, and it’s a pretty complicated scheme, with dedicated sites spoofing browser repositories and malware present in official stores. The extension also claims to have been built by Raymond Hill, the person behind uBlock Origin, a legitimate ad blocker with 14 million users.
To ensure that the attack is not traced back to the add-on, it starts its malicious activity one hour after it is installed. As the clock ticks, the malware creates a denial-of-service (DoS) condition that crashes the browser and forces the user to download Task Manager and manually restart the browser.
Upon restart, the add-on displays a bogus error message and, in typical ClickFix fashion, offers a solution.
This solution is to copy and paste a command into the Windows Command Prompt, which in turn downloads and installs ModeloRAT, a remote access trojan that provides full access to the compromised device.
Security researchers at Huntress, who first discovered the attack, claim that KongTuke primarily targets business users and so far spares individuals and other private users. However, that doesn’t mean CrashFix won’t target more people in the future.
Via Bleeping Computer



