SOC Prime Bias: Medium

10 Feb 2026 14:20

New Clickfix variant CrashFix deploying Python Remote Access Trojan

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The CrashFix offshoot of the ClickFix campaign relies on a malicious Chrome extension to intentionally destabilize browsers, then pushes users into running “fix” commands that install a Python-based remote access trojan. The chain abuses the Windows finger utility and uses obfuscated PowerShell to pull down additional Python stages. Persistence is set via a Run registry value and a scheduled task named SoftwareProtection. Targeting appears focused on domain-joined Windows endpoints to maximize operational impact.

Investigation

Microsoft Defender researchers traced the activity to a counterfeit uBlock Origin Lite extension distributed through the Chrome Web Store. After installation, the extension drops a renamed finger.exe (as ct.exe), which reaches out to attacker-controlled IP infrastructure to retrieve a PowerShell script. That script then downloads a WinPython bundle that contains ModeloRAT. The RAT beacons over HTTP and establishes persistence through registry and scheduled-task creation. Telemetry also showed anti-analysis behavior and enumeration activity consistent with operating inside corporate domains.

Mitigation

Turn on cloud-delivered protection and run EDR in block mode, tighten outbound connectivity, and disable or constrain the legacy finger utility where possible. Enforce egress filtering and MFA, and use ASR rules to prevent execution of untrusted binaries and script-based staging. Monitor for suspicious Run key changes and for scheduled tasks that launch Python executables or reference unusual Python paths.

Response

Alert on creation of the malicious Run registry entry and the SoftwareProtection scheduled task, and correlate with outbound connections to known malicious IPs/domains. Hunt for the rogue Chrome extension filename and for processes spawning finger.exe/ct.exe or pythonw.exe with abnormal arguments. Isolate impacted hosts, remove the extension and dropped artifacts, and rotate any credentials that may have been exposed.
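The monitoring that the Mitigation section calls for and the alerting and hunting described in the Response section can be exercised against telemetry before a rule is deployed. The following is an added example written for this page, not SOC Prime's rule logic, Microsoft's code or anything from the campaign: it runs three checks over a handful of constructed events shaped like Sysmon process-creation (EventID 1) and registry value-set (EventID 13) records plus a Security 4698 scheduled-task-created record. The user name, SID, paths and the 203.0.113.10 address are made up, and the list of expected interpreter directories is a placeholder baseline. It flags finger.exe even when it runs under another name, Python interpreters launched from outside standard install directories, Run values and scheduled tasks that reference Python payloads, and the SoftwareProtection task name.

```python
"""Triage of constructed Windows telemetry for CrashFix-style behaviour.

Added example; not SOC Prime's, Microsoft's or the campaign's code. Field
names follow Sysmon (Image, OriginalFileName, CommandLine, TargetObject,
Details) and Security event 4698 (TaskName, TaskContent); every sample
value below is constructed.
"""
import re
from typing import Dict, List, Tuple

# A Python interpreter or .py/.pyw script referenced in a command line,
# registry value data or scheduled-task definition.
PY_RE = re.compile(r"pythonw?\.exe|\.pyw?\b", re.IGNORECASE)

# Placeholder baseline: interpreters under Program Files are expected on
# this host; anything else (AppData, Temp, a dropped WinPython bundle) is
# treated as an unusual Python path.
EXPECTED_PY_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def check_process(ev: Dict[str, str]) -> List[str]:
    """Sysmon EventID 1: finger.exe by image name or by OriginalFileName
    (the PE version-resource name, which survives a rename to ct.exe),
    plus Python interpreters running from a non-standard directory."""
    image = ev.get("Image", "").lower()
    exe = image.rsplit("\\", 1)[-1]
    orig = ev.get("OriginalFileName", "").lower()
    reasons = []
    if exe == "finger.exe":
        reasons.append("finger.exe executed")
    elif orig == "finger.exe":
        reasons.append(f"renamed finger.exe running as {exe}")
    if exe in ("python.exe", "pythonw.exe") and not image.startswith(EXPECTED_PY_DIRS):
        reasons.append(f"python interpreter from unusual path: {image}")
    return reasons


def check_registry(ev: Dict[str, str]) -> List[str]:
    """Sysmon EventID 13: a Run value whose data launches a Python payload."""
    target = ev.get("TargetObject", "").lower()
    if "\\currentversion\\run\\" in target and PY_RE.search(ev.get("Details", "")):
        return [f"Run value '{target.rsplit(chr(92), 1)[-1]}' launches a Python payload"]
    return []


def check_task(ev: Dict[str, str]) -> List[str]:
    """Security 4698: the task name used by the campaign, or any task whose
    action references a Python interpreter or script."""
    reasons = []
    if ev.get("TaskName", "").strip("\\").lower() == "softwareprotection":
        reasons.append("scheduled task named SoftwareProtection created")
    if PY_RE.search(ev.get("TaskContent", "")):
        reasons.append("scheduled task action references Python")
    return reasons


CHECKS = {"1": check_process, "13": check_registry, "4698": check_task}


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, reasons) for every event that a check flags."""
    hits = []
    for i, ev in enumerate(events):
        reasons = CHECKS.get(ev.get("EventID", ""), lambda _e: [])(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


USER = r"C:\Users\alice\AppData"  # constructed profile path
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"  # constructed user hive
SAMPLE_EVENTS = [
    # 0: renamed finger.exe dropped by the extension (203.0.113.10 is a
    #    documentation address standing in for real infrastructure)
    {"EventID": "1", "Image": USER + r"\Local\Temp\ct.exe",
     "OriginalFileName": "finger.exe", "CommandLine": "ct.exe 203.0.113.10"},
    # 1: the original binary invoked directly
    {"EventID": "1", "Image": r"C:\Windows\System32\finger.exe",
     "OriginalFileName": "finger.exe", "CommandLine": "finger.exe 203.0.113.10"},
    # 2: interpreter from a dropped WinPython bundle running the RAT script
    {"EventID": "1", "Image": USER + r"\Roaming\WPy64\python\pythonw.exe",
     "OriginalFileName": "pythonw.exe", "CommandLine": "pythonw.exe udp.pyw"},
    # 3: Run value pointing at that interpreter and script
    {"EventID": "13",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\WinPython",
     "Details": '"' + USER + r'\Roaming\WPy64\python\pythonw.exe" ' + USER + r"\Roaming\udp.pyw"},
    # 4: the campaign's scheduled task, running run.exe with udp.pyw
    {"EventID": "4698", "TaskName": r"\SoftwareProtection",
     "TaskContent": "<Command>" + USER + r"\Roaming\run.exe</Command><Arguments>udp.pyw</Arguments>"},
    # 5: benign interpreter use from a standard install (not flagged)
    {"EventID": "1", "Image": r"C:\Program Files\Python312\python.exe",
     "OriginalFileName": "python.exe", "CommandLine": "python.exe -m pip list"},
    # 6: benign Run value (not flagged)
    {"EventID": "13",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": USER + r"\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(idx, "; ".join(why))
```

The OriginalFileName comparison is what catches the renamed ct.exe: Sysmon records the name from the PE version resource, so renaming the file on disk does not change it. The expected-directories baseline is deliberately a stand-in; in a real deployment it should come from the software inventory so that legitimate interpreters do not raise alerts.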

Attack Flow

    graph TB
        %% Class definitions for styling
        classDef action fill:#99ccff
        classDef tool fill:#ffdd99
        classDef malware fill:#ffccff
        classDef process fill:#c2f0c2
        classDef builtin fill:#e0e0e0

        %% Node definitions
        initial_access["<b>Initial Access</b> – <b>T1176 Software Extensions</b><br/>Malicious Chrome extension delivered via ad and installed by the user"]
        class initial_access action
        tool_ctexe["<b>Tool</b> – <b>Name</b>: ct.exe (renamed)<br/><b>Purpose</b>: Retrieves obfuscated PowerShell script"]
        class tool_ctexe tool
        execution_ps["<b>Execution</b> – <b>T1059.001 Command and Scripting Interpreter: PowerShell</b><br/>Obfuscated PowerShell script retrieved by ct.exe and used to download additional payloads"]
        class execution_ps action
        malware_rats["<b>Malware</b> – <b>Name</b>: ModeloRAT (Python RAT)<br/><b>Components</b>: modes.py, extensions.py"]
        class malware_rats malware
        execution_python["<b>Execution</b> – <b>T1059.006 Command and Scripting Interpreter: Python</b><br/>Download and execution of WinPython package and Python based RAT"]
        class execution_python action
        process_runexe["<b>Process</b> – <b>Name</b>: run.exe<br/><b>Function</b>: Executed by the scheduled task"]
        class process_runexe process
        process_udp["<b>Process</b> – <b>Name</b>: udp.pyw<br/><b>Function</b>: Periodic Python payload executed by scheduled task"]
        class process_udp process
        persistence_task["<b>Persistence</b> – <b>T1053 Scheduled Task/Job</b><br/>Scheduled task #quot;SoftwareProtection#quot; runs run.exe and udp.pyw every five minutes"]
        class persistence_task action
        persistence_profile["<b>Persistence</b> – <b>T1546.013 Event Triggered Execution PowerShell Profile</b><br/>PowerShell profile launches malicious script on user login"]
        class persistence_profile action
        defense_evasion["<b>Defense Evasion</b> – <b>T1027 Obfuscated Files or Information</b><br/>Both PowerShell and Python payloads are heavily obfuscated to avoid analysis"]
        class defense_evasion action
        discovery_account["<b>Discovery</b> – <b>T1087.002 Account Discovery Domain Account</b><br/>Script enumerates domain joined status, user accounts and security tools"]
        class discovery_account action
        discovery_network["<b>Discovery</b> – <b>T1016.001 System Network Configuration Discovery</b><br/>ModeloRAT beacons to C2 over HTTP to retrieve commands and exfiltrate data"]
        class discovery_network action

        %% Connections showing flow
        initial_access -->|delivers| tool_ctexe
        tool_ctexe -->|downloads| execution_ps
        execution_ps -->|executes| malware_rats
        malware_rats -->|spawns| execution_python
        execution_python -->|runs| process_udp
        process_udp -->|triggers| persistence_task
        persistence_task -->|runs| process_runexe
        process_runexe -->|invokes| process_udp
        persistence_profile -->|runs on login| execution_ps
        defense_evasion -->|applies to| execution_ps
        defense_evasion -->|applies to| execution_python
        discovery_account -->|collects information from| process_udp
        discovery_network -->|exfiltrates via| process_udp

Detections

  • Short File Name (via cmdline): SOC Prime Team, 09 Feb 2026
  • Possible Powershell Executing Process In Suspicious Directory (via cmdline): SOC Prime Team, 09 Feb 2026
  • Download or Upload via Powershell (via cmdline): SOC Prime Team, 09 Feb 2026
  • An Archive Was Extracted To Suspicious Directory Using Powershell (via powershell): SOC Prime Team, 09 Feb 2026
  • Possible Powershell Obfuscation Indicators (via powershell): SOC Prime Team, 09 Feb 2026
  • Schtasks Points to Suspicious Directory / Binary / Script (via cmdline): SOC Prime Team, 09 Feb 2026
  • LOLBAS Finger (via cmdline): SOC Prime Team, 09 Feb 2026
  • Possible System Enumeration (via cmdline): SOC Prime Team, 09 Feb 2026
  • IOCs (SourceIP) to detect: New Clickfix variant CrashFix deploying Python Remote Access Trojan: SOC Prime AI Rules, 09 Feb 2026
  • IOCs (DestinationIP) to detect: New Clickfix variant CrashFix deploying Python Remote Access Trojan: SOC Prime AI Rules, 09 Feb 2026
  • IOCs (HashSha256) to detect: New Clickfix variant CrashFix deploying Python Remote Access Trojan: SOC Prime AI Rules, 09 Feb 2026
  • Detection of Malicious Use of Finger.exe in CrashFix Campaign [Windows Process Creation]: SOC Prime AI Rules, 09 Feb 2026
  • Detection of Malicious Browser Extension Communication [Windows Network Connection]: SOC Prime AI Rules, 09 Feb 2026
  • Detection of Malicious PowerShell Script Download [Windows Powershell]: SOC Prime AI Rules, 09 Feb 2026
  • Persistence via Modified Run Registry Key for Python Payload [Windows Registry Event]: SOC Prime AI Rules, 09 Feb 2026
  • Detection of Malicious Browser Extension Installation [Windows File Event]: SOC Prime AI Rules, 09 Feb 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The red team deploys a malicious Chrome extension named "SecurePDF-Viewer" that appears to provide PDF rendering capabilities (masquerading as a legitimate extension – T1036.007/008). Upon installation, the extension's background script initiates a persistent HTTPS GET request to https://nexsnield.com/api/heartbeat to retrieve encrypted commands. The request is issued via the browser's built-in networking stack, which on Windows surfaces as a System process network connection (captured by Sysmon). The C2 server resolves to the hard-coded IP 69.67.173.30. This exact combination of dst_ip and domain satisfies the Sigma rule, causing an alert.

  • Regression Test Script:

    # Simulate malicious browser‑extension traffic (PowerShell mimics the extension's HTTP call)
    $url = "https://nexsnield.com/api/heartbeat"
    try {
        # Suppress TLS errors for demonstration (not recommended in production)
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        Invoke-WebRequest -Uri $url -UseBasicParsing -Headers @{ "User-Agent" = "Chrome/118.0.0.0" } -TimeoutSec 5
        Write-Host "Simulated malicious C2 beacon sent."
    } catch {
        Write-Error "Failed to reach C2 endpoint: $_"
    }

  • Cleanup Commands:

    # Remove any temporary files or cached DNS entries (optional)
    Clear-DnsClientCache
    # No persistent changes were made; only a network request was issued.
    Write-Host "Cleanup complete."