- New ClickFix variant uses fake NexShield ad blocker to spread malware
- Attack crashes browsers, then tricks users into installing ModeloRAT via command prompt
- KongTuke targets enterprises; individuals may face future risks
ClickFix attacks are evolving and now create an actual problem to fix, rather than trying to trick the victim into believing there is one, experts have warned.
Usually, ClickFix would either be a pop-up on a page, or a fake .docx or .pdf document. The victims would be told they cannot view the contents of a web page, or open the documents, until they “fixed” an issue by copying and pasting a command into the Windows Run program.
Obviously, there never was a problem, and all they did was run a command that installed malware – until now.
Crashing the browser
The newest variant revolves around a fake ad blocking browser add-on for Chrome and Edge called NexShield. It was built by a threat actor called KongTuke, and is quite an elaborate scheme, with dedicated sites spoofing browser repositories, and the malware being present on official stores. It also claims to be built by Raymond Hill, the person behind uBlock Origin, a legitimate ad blocker with 14 million users.
To make sure the attack isn’t traced back to the add-on, it starts its malicious activity an hour after being installed. When the clock ticks, the malware creates a denial-of-service (DoS) condition that crashes the browser and forces the user to bring up the Task Manager and manually restart it.
On restart, the add-on displays a fake error message and, in typical ClickFix fashion, offers a solution.
That solution is to copy and paste a command in Windows Command Prompt which, in turn, downloads and installs ModeloRAT, a remote access trojan that grants full access to the compromised device.
Security researchers Huntress, who first spotted the attack, claim KongTuke primarily targets enterprise users, and is so far sparing individuals and other private users. That, however, does not mean that CrashFix won’t target more people in the future.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/RYP2wJu6BGAEqdebGitYKk-970-80.jpg
Source link
