- New ClickFix variant uses fake NexShield ad blocker to spread malware
- Attack crashes browsers, then tricks users into installing ModeloRAT via command prompt
- KongTuke targets enterprises; individuals may face future risks
ClickFix attacks are evolving: instead of merely claiming a problem exists, they now create a real one for the victim to 'fix'. Experts warn that these attacks now involve actual browser crashes.
Previously, ClickFix would manifest as pop-ups or misleading documents, prompting users to 'fix' a non-existent problem by executing a command in the Windows Run dialog. Unfortunately, this would lead to malware installation.
Crashing the Browser
The latest variant involves a counterfeit ad-blocking browser add-on for Chrome and Edge named NexShield. Developed by a threat actor known as KongTuke, this scheme includes fake sites mimicking browser repositories, with malware even appearing in official stores. It falsely claims to be created by Raymond Hill, the developer of uBlock Origin, a legitimate ad blocker with millions of users.
To avoid detection, the malicious activity begins an hour after installation. The malware generates a denial-of-service (DoS) condition that crashes the browser, forcing users to restart it via Task Manager.
Upon restarting, the add-on presents a fake error message and, in typical ClickFix style, offers a 'solution.' This involves copying a command into Windows Command Prompt, which subsequently downloads and installs ModeloRAT, a remote access trojan that provides full access to the compromised device.
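Because the lure is an installed extension rather than a one-off pop-up, a simple place for defenders to start is an inventory of what is actually loaded in the Chrome and Edge profiles on a machine. The script below is an added example, not code from the article, Huntress or BleepingComputer: it walks the standard Chromium `Extensions` directories, reads each `manifest.json`, and flags any extension whose name contains "NexShield", the only indicator the article gives. The install paths and the sample manifests used in the test are assumptions and constructed data.

```python
"""Inventory Chrome/Edge extensions and flag ones matching a suspicious-name list.

Added example (not from the article or Huntress). It walks the per-profile
Extensions directories, reads each manifest.json and reports name/version/author.
The only indicator taken from the article is the name "NexShield"; the install
roots below are assumed standard Windows locations.
"""
import json
import os
from pathlib import Path

# Assumption: default Chromium user-data roots on Windows.
DEFAULT_ROOTS = [
    Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data",
    Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft/Edge/User Data",
]

# Name from the article; matched case-insensitively as a substring of the manifest name.
SUSPICIOUS_NAMES = ("nexshield",)


def read_manifest(manifest_path: Path) -> dict:
    """Parse one manifest.json (localised __MSG_ placeholders are left as-is)."""
    with manifest_path.open(encoding="utf-8") as fh:
        return json.load(fh)


def inventory_extensions(root: Path) -> list[dict]:
    """Collect every <root>/<Profile>/Extensions/<id>/<version>/manifest.json."""
    found = []
    for manifest in root.glob("*/Extensions/*/*/manifest.json"):
        try:
            data = read_manifest(manifest)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort
        found.append({
            "profile": manifest.parents[3].name,
            "id": manifest.parents[1].name,
            "name": str(data.get("name", "")),
            "version": str(data.get("version", "")),
            "author": str(data.get("author", "")),
            "path": str(manifest.parent),
        })
    return found


def flag_suspicious(extensions: list[dict]) -> list[dict]:
    """Return the extensions whose name contains a known-bad string."""
    return [e for e in extensions
            if any(s in e["name"].lower() for s in SUSPICIOUS_NAMES)]


if __name__ == "__main__":
    for root in DEFAULT_ROOTS:
        if root.is_dir():
            for e in flag_suspicious(inventory_extensions(root)):
                print(f"SUSPICIOUS profile={e['profile']} id={e['id']} "
                      f"name={e['name']!r} version={e['version']} path={e['path']}")
```

Run it under each user account on the host; extensions live per profile, so a clean `Default` profile says nothing about `Profile 1`. Matching on the display name alone is deliberately narrow, so a hit is worth investigating but a miss is not a clean bill of health.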
Security researchers at Huntress, who identified the attack, report that KongTuke primarily targets enterprise users, but individuals may also be at risk in the future.
Via BleepingComputer
