Cyber: Fake Ad Blocker Extension Crashes The Browser For Clickfix Attacks
A malvertising campaign is using a fake ad-blocking Chrome and Edge extension named NexShield that intentionally crashes the browser in preparation for ClickFix attacks.
The attacks were spotted earlier this month and delivered a new Python-based remote access tool called ModeloRAT that is deployed in corporate environments.
Researchers at managed security company Huntress say that NexShield creates a denial-of-service (DoS) condition in the browser by creating 'chrome.runtime' port connections in an infinite loop and exhausting its memory resources.
This results in frozen tabs, elevated CPU usage in the Chrome process, increased RAM usage, and general browser unresponsiveness. Eventually, Chrome/Edge hangs or crashes, forcing a kill via the Windows Task Manager.
Because of this, Huntress refers to these attacks as a variant of ClickFix that they named 'CrashFix'.
When the browser is restarted, the extension displays a deceptive pop-up that shows a fake warning and suggests scanning the system to locate the problem.
Doing so opens a new window with a fake warning that security issues threatening the user's data have been detected, along with instructions to fix the problem by executing malicious commands in the Windows Command Prompt.
In typical ClickFix fashion, the malicious extension copies a command to the clipboard and instructs the user to just hit 'Ctrl+V' and then run it in Command Prompt.
The 'fixing' command is a chain that triggers an obfuscated PowerShell script via a remote connection, which downloads and executes a malicious script.
In an attempt to dissociate the extension from the malicious activity and evade detection, execution of the payload is delayed for 60 minutes after NexShield is installed.
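The ClickFix chain described above (a user pastes the clipboard command into a Command Prompt they opened themselves, and cmd.exe launches obfuscated PowerShell that fetches a remote script) leaves a recognisable parent/child pattern in process-creation telemetry. The following is an added detection example, not code from the article or from Huntress; the sample events and the indicator patterns are constructed assumptions, not values taken from the campaign.

```python
"""Flag the ClickFix process chain (interactive cmd.exe spawning obfuscated,
remote-loading PowerShell) in process-creation telemetry."""
import re

# Indicators of an obfuscated or remote-loading PowerShell command line (assumed heuristics).
INDICATORS = {
    "encoded_command": re.compile(r"-e(?:c|nc\w*)?\b", re.I),          # -e / -ec / -EncodedCommand
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),  # -w hidden / -WindowStyle Hidden
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "remote_fetch": re.compile(
        r"downloadstring|invoke-webrequest|\biwr\b|\birm\b|net\.webclient|https?://", re.I),
}

# Constructed sample events: (pid, ppid, image_path, command_line). Not real telemetry.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <CONSTRUCTED_BASE64>"),
    (400, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-ChildItem C:\\Users"),                      # benign interactive use
    (600, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe"),
    (700, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),  # scheduled task
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_clickfix(events):
    """Return {pid: [indicator, ...]} for PowerShell processes whose parent is a cmd.exe
    that was itself started from explorer.exe (a console the user opened), and whose
    command line carries at least one obfuscation or remote-fetch indicator."""
    by_pid = {e[0]: e for e in events}
    hits = {}
    for pid, ppid, image, cmdline in events:
        if image_name(image) not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = by_pid.get(ppid)
        if parent is None or image_name(parent[2]) != "cmd.exe":
            continue
        grandparent = by_pid.get(parent[1])
        if grandparent is None or image_name(grandparent[2]) != "explorer.exe":
            continue
        reasons = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
        if reasons:
            hits[pid] = reasons
    return hits
```

Only the pasted-in chain (pid 300) is flagged; the same user's plain Get-ChildItem and the service-launched script are not, because they lack the indicators or the interactive cmd.exe ancestry.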
Source: BleepingComputer