ClickFix to CrashFix: KongTuke Used Fake Chrome Ad Blocker to Install ModeloRAT

Huntress discovers ‘CrashFix,’ a new attack by KongTuke hacker group using fake ad blockers to crash browsers and trick office workers into installing ModeloRAT malware.

Ad blockers are meant to keep us safe, but a recent discovery by threat-hunting firm Huntress shows just how easily those tools can be turned against us. Huntress’ threat analysts recently identified a sneaky new campaign by the KongTuke hacking group, involving using a trick named CrashFix to break into corporate computers by pretending to fix the very problems they created.

The Trap

It starts with a fake ad blocker called NexShield, which is a near-perfect clone of the popular “uBlock Origin Lite. To make it appear authentic, the hackers forged the code headers to falsely credit the real developer, Raymond Hill, included links to a non-existent “help” website, and even hosted it on the official Chrome Web Store under the developer’s email [email ...