Fake ad blocker extension crashes the browser for ClickFix attacks

A malvertising campaign is using a fake ad-blocking Chrome and Edge extension named NexShield that intentionally crashes the browser in preparation for ClickFix attacks.

The attacks were spotted earlier this month and delivered a new Python-based remote access tool called ModeloRAT that is deployed in corporate environments.

The NexShield extension, which has been removed from the Chrome Web Store, was promoted as a privacy-first, high-performance, lightweight ad blocker created by Raymond Hill, the original developer of the legitimate uBlock Origin ad blocker with more than 14 million users.

The NexShield website

Source: Huntress

Researchers at managed security company Huntress say that NexShield creates a denial-of-service (DoS) condition in the browser by creating 'chrome.runtime' port connections in an infinite loop and exhausting its memory resources.

This results in frozen tabs, elevated CPU usage in the Chrome process, increased RAM usage, and general browser unresponsiveness. Eventually, Chrome/Edge hangs or crashes, forcing a kill via the Windows Task Manager.

Because of this, Huntress refers to these attacks as a variant of ClickFix that they named 'CrashFix'.
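For defenders triaging an unpacked extension, the loop-driven port creation described above can be searched for statically. The following is an added example, not code from Huntress or the original article; the function names and both sample scripts are constructed, and it assumes the loop is written as a literal `while (true)` or `for (;;)`.

```javascript
// Added example: static triage heuristic for unpacked extension scripts.
// Assumption: the flood is written as a literal unbounded loop; obfuscated
// or timer-driven variants need a real parser or runtime telemetry.
const LOOP_HEAD = /\b(?:while\s*\(\s*(?:true|1|!0)\s*\)|for\s*\(\s*;\s*;\s*\))/g;
const PORT_CALL = /\b(?:chrome|browser)\.runtime\.connect\s*\(/;

// Blank out comments and string literals, keeping newlines so line numbers hold.
function stripNoise(src) {
  const pattern = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`/g;
  return src.replace(pattern, (m) => m.replace(/[^\n]/g, " "));
}

// Return the text of the loop body that starts at index `from`.
function loopBody(code, from) {
  let i = from;
  while (i < code.length && /\s/.test(code[i])) i++;
  if (code[i] !== "{") {                    // single-statement body
    const end = code.indexOf(";", i);
    return code.slice(i, end === -1 ? code.length : end + 1);
  }
  let depth = 0;
  for (let j = i; j < code.length; j++) {   // brace-matched block body
    if (code[j] === "{") depth++;
    else if (code[j] === "}" && --depth === 0) return code.slice(i, j + 1);
  }
  return code.slice(i);                     // unbalanced: take the rest
}

// Report each unbounded loop whose body opens a runtime port.
function findPortFloodLoops(src) {
  const code = stripNoise(src);
  const findings = [];
  for (const m of code.matchAll(LOOP_HEAD)) {
    const body = loopBody(code, m.index + m[0].length);
    if (PORT_CALL.test(body)) {
      findings.push({ line: code.slice(0, m.index).split("\n").length, loop: m[0] });
    }
  }
  return findings;
}

// Constructed samples (not taken from the NexShield extension).
const SUSPECT = "const ports = [];\nfor (;;) {\n  ports.push(chrome.runtime.connect({ name: 'p' }));\n}";
const BENIGN = "const port = chrome.runtime.connect({ name: 'ui' });\nwhile (true) { if (q.length === 0) break; q.pop(); }";

console.log(findPortFloodLoops(SUSPECT), findPortFloodLoops(BENIGN));
```

A hit is a reason to read the flagged loop by hand, not a verdict: a single port opened outside a loop, as in the benign sample, is normal extension behaviour.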

When the browser is restarted, the extension displays a deceptive pop-up that shows a fake warning and suggests scanning the system to locate the problem.

The deceptive pop-up served on browser restart