Full Report
Cybersecurity researchers have disclosed details of an ongoing campaign dubbed KongTuke that used a malicious Google Chrome extension masquerading as an ad blocker to deliberately crash the web browser and trick victims into running arbitrary commands using ClickFix-like lures to deliver a previously undocumented remote access trojan (RAT) dubbed ModeloRAT. This new escalation of ClickFix has
Analysis Summary
# Tool/Technique: ModeloRAT
## Overview
ModeloRAT is a previously undocumented Remote Access Trojan (RAT) delivered as the final payload of the "KongTuke" campaign. Its delivery chain relies on a malicious Google Chrome extension that crashes the browser and then uses ClickFix-like lures to trick the user into executing arbitrary commands.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows (implied by use of Windows Run dialog and typical RAT targets)
- Capabilities: Remote command execution, victim tracking, persistence/re-infection mechanism.
- First Seen: Undetermined (Context describes an *ongoing* campaign).
## MITRE ATT&CK Mapping
Since the context focuses on the delivery and initial execution steps leading to the RAT, the mappings below primarily reflect the extension's behavior, which facilitates the RAT's deployment:
- **TA0001 - Initial Access**
- T1588.002 - Obtain Capabilities: Exploitation for Client Execution (via malicious extension)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (User tricked into running a command via Run dialog)
- **TA0003 - Persistence**
- T1553.002 - Subvert Trust (via malicious Chrome Web Store extension)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol (Implied by C2 communication)
## Functionality
### Core Capabilities
- **Initial Infection Vector:** Delivered via a malicious Google Chrome extension named "NexShield – Advanced Web Guardian" (ID: `cpcdkmjddocikjdkbbeiaafnpdbdafmi`), masquerading as an ad blocker.
- **Browser Crash Lure:** Uses a denial-of-service technique (an infinite loop that opens `runtime.connect` or similar port connections) to drive memory consumption until the browser crashes, then displays a fake remediation prompt.
- **Arbitrary Command Execution:** The bogus security alert instructs the victim to open the Windows Run dialog and paste a command that has already been placed on the clipboard.
### Advanced Features
- **Victim Tracking:** Transmits a unique ID to the C2 server (`nexsnield[.]com`) upon installation so that the operators can track victims.
- **Delayed Execution & Re-infection:** Waits 60 minutes before the first malicious action. If the user force-quits and restarts the browser, the extension checks local storage for a timestamp; if one is present (and the C2 confirms), it re-triggers the DoS pop-up, so the lure is repeated until the payload is delivered or re-executed.
- **Escalation of Previous Activity:** Described as a "new escalation of ClickFix."
## Indicators of Compromise
- File Hashes: (Not provided in text)
- File Names: "NexShield – Advanced Web Guardian" (Extension Name)
- Registry Keys: (Not provided in text, but local storage manipulation is noted)
- Network Indicators: `nexsnield[.]com` (C2 server)
- Behavioral Indicators: The crash pop-up appears only after a startup delay and a check of a local-storage timestamp; creation of an excessive number of runtime port connections leading to resource exhaustion.
## Associated Threat Actors
This activity is part of the **KongTuke** (or **TAG-124**, also tracked as 404 TDS, Chaya_002, LandUpdate808) infrastructure. Associated groups leveraging this infrastructure include:
- Rhysida ransomware
- Interlock ransomware
- TA866 (Asylum Ambuscade)
- SocGholish
- D3F@ck Loader
## Detection Methods
- **Signature-based detection:** No public signatures are given in the text; matching on the extension ID or on the extension's specific script logic would be effective.
- **Behavioral detection:** Monitor for Chrome extensions that exhaust resources immediately after start-up by opening large numbers of runtime ports, for unexpected system prompts following a browser crash, and for commands launched from the Run dialog shortly after a user has searched for or installed a browser extension (such as an ad blocker).
- **YARA rules:** (Not provided in text)
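A host and network hunt for the indicators listed above, written as an added example; it is not part of the original report and not the campaign's code. It assumes (my assumption, not stated in the report) that Chrome keeps installed extensions under `<profile>/Extensions/<extension-id>/<version>/manifest.json`; the profile tree and the DNS log lines below are constructed for the example.

```python
"""Hunt for the KongTuke "NexShield" extension and its C2 domain.

Host side: walk a Chrome profile's Extensions directory and flag any
extension whose directory name matches the reported ID or whose manifest
name matches the reported display name.
Network side: scan DNS query log lines for the reported C2 domain.
"""
import json
import re
import tempfile
from pathlib import Path

# Indicators from the report (the domain is defanged there as nexsnield[.]com).
KNOWN_EXTENSION_ID = "cpcdkmjddocikjdkbbeiaafnpdbdafmi"
KNOWN_EXTENSION_NAME = "NexShield – Advanced Web Guardian"
C2_DOMAIN = "nexsnield.com"


def find_suspicious_extensions(extensions_root: Path) -> list[dict]:
    """Return one record per installed extension that matches a known indicator.

    Assumed layout: <extensions_root>/<extension-id>/<version>/manifest.json.
    The ID check is the reliable one: Web Store manifests often carry a
    localized placeholder name (e.g. "__MSG_appName__") instead of plain text.
    """
    hits = []
    for manifest in extensions_root.glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the hunt
        name = str(data.get("name", ""))
        reasons = []
        if ext_id == KNOWN_EXTENSION_ID:
            reasons.append("known extension id")
        if name.strip().lower() == KNOWN_EXTENSION_NAME.lower():
            reasons.append("known extension name")
        if reasons:
            hits.append({"id": ext_id, "name": name,
                         "version": manifest.parent.name, "reasons": reasons})
    return hits


# Constructed log format: "<timestamp> <client-ip> query <qname> <qtype>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def match_c2_queries(log_lines, domain: str = C2_DOMAIN) -> list[tuple]:
    """Return (timestamp, client, qname) for queries to the C2 domain or a subdomain."""
    matches = []
    for line in log_lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        # Exact match or a subdomain; a look-alike such as "nexsnield.com.other.test"
        # must not match, which the endswith("." + domain) check guarantees.
        if qname == domain or qname.endswith("." + domain):
            matches.append((m.group("ts"), m.group("client"), qname))
    return matches


def build_sample_profile() -> Path:
    """Create a constructed Extensions tree: one benign extension, one matching the report."""
    root = Path(tempfile.mkdtemp(prefix="chrome-ext-hunt-"))
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "Harmless Example Extension",  # constructed ID
        KNOWN_EXTENSION_ID: KNOWN_EXTENSION_NAME,
    }
    for ext_id, name in samples.items():
        ext_dir = root / ext_id / "1.0.3_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, "name": name, "version": "1.0.3"}),
            encoding="utf-8")
    return root


# Constructed DNS log lines; the last one is a look-alike that must not match.
SAMPLE_DNS_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.12 query www.example.com. A",
    "2024-01-01T10:00:05Z 10.0.0.12 query nexsnield.com. A",
    "2024-01-01T10:00:09Z 10.0.0.30 query api.nexsnield.com. A",
    "2024-01-01T10:00:12Z 10.0.0.30 query nexsnield.com.other-lookalike.test. A",
]


if __name__ == "__main__":
    for hit in find_suspicious_extensions(build_sample_profile()):
        print("extension hit:", hit)
    for ts, client, qname in match_c2_queries(SAMPLE_DNS_LOG):
        print(f"dns hit: {ts} {client} -> {qname}")
```

On a real host, point `find_suspicious_extensions` at the profile's `Extensions` directory and feed `match_c2_queries` your resolver's query log after adapting `DNS_LINE` to its format; the subdomain check matters because the report names only the apex domain.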
## Mitigation Strategies
- **Prevention measures:** Exercise extreme caution when installing browser extensions, even from official stores, and be especially wary of extensions that promise strong security or blocking features while cloning legitimate software (such as uBlock Origin Lite).
- **Hardening recommendations:** Implement enterprise controls to restrict the execution of commands via the Windows Run dialog initiated through unusual application pathways. Regularly audit installed browser extensions.
## Related Tools/Techniques
- **ClickFix:** The established social-engineering technique that this campaign escalates.
- **SocGholish/D3F@ck Loader:** Known actors associated with the broader TAG-124 infrastructure.