These fake Chrome extensions will crash your browser so that hackers can sneak in - here's how to stay safe
Don't fall for the new ClickFix variant
- New ClickFix variant uses fake NexShield ad blocker to spread malware
- Attack crashes browsers, then tricks users into installing ModeloRAT via command prompt
- KongTuke targets enterprises; individuals may face future risks
ClickFix attacks are evolving and now create an actual problem to fix, rather than trying to trick the victim into believing there is one, experts have warned.
Usually, ClickFix would either be a pop-up on a page, or a fake .docx or .pdf document. The victims would be told they cannot view the contents of a web page, or open the documents, until they “fixed” an issue by copying and pasting a command into the Windows Run program.
Obviously, there never was a problem, and all they did was run a command that installed malware - until now.
Crashing the browser
The newest variant revolves around a fake ad-blocking browser add-on for Chrome and Edge called NexShield. It was built by a threat actor called KongTuke, and is quite an elaborate scheme, with dedicated sites spoofing browser repositories, and the malware being present on official stores. It also claims to be built by Raymond Hill, the person behind uBlock Origin, a legitimate ad blocker with 14 million users.
To make sure the attack isn’t traced back to the add-on, it starts its malicious activity an hour after being installed. When the clock ticks, the malware creates a denial-of-service (DoS) condition that crashes the browser and forces the user to bring up the Task Manager and manually restart it.
On restart, the add-on displays a fake error message and, in typical ClickFix fashion, offers a solution.
That solution is to copy and paste a command in Windows Command Prompt which, in turn, downloads and installs ModeloRAT, a remote access trojan that grants full access to the compromised device.
Security researchers Huntress, who first spotted the attack, claim KongTuke primarily targets enterprise users, and is so far sparing individuals and other private users. That, however, does not mean that CrashFix won’t target more people in the future.
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.