
CrashFix: The Booby Trap Hidden Inside Chrome

  • Javier Conejo del Cerro
  • 3 hours ago
  • 3 min read

What looks like a harmless upgrade can sometimes be a carefully wired trap. In the CrashFix campaign, threat actors turned a trusted distribution channel — the official Chrome Web Store — into a booby trap designed to weaponize user frustration. By deliberately crashing the browser and offering a fake “fix,” attackers lure victims into executing commands that ultimately deploy ModeloRAT, opening the door to persistent, covert access inside corporate environments.


Phase 1 – The Trap Is Set 


The operation begins with malicious advertising served to users searching for an ad blocker. Victims are redirected to an extension hosted on the official Chrome Web Store, lending immediate legitimacy to the attack.

The extension, “NexShield – Advanced Web Guardian,” is a near-identical clone of uBlock Origin Lite, marketed as an advanced privacy and security tool. Once installed, it silently registers the victim with an attacker-controlled server by transmitting a unique identifier and remains dormant for 60 minutes, ensuring it evades immediate suspicion.

At this stage, the trap is armed but not yet sprung.


Phase 2 – The Trap Springs 


After the delay, the extension intentionally launches a denial-of-service loop that exhausts browser resources, freezing and crashing Chrome. When the victim restarts the browser, a fake security warning appears, claiming the crash was caused by a detected threat.

The victim is instructed to “scan” the system by opening the Windows Run dialog (Win+R) and pasting a command the page has already placed on the clipboard, a classic ClickFix maneuver. The command abuses finger.exe, a legitimate Windows utility, as a downloader: it fetches text from an attacker-controlled finger server, and the returned content is handed to PowerShell for execution.

Anti-analysis controls disable right-clicks and developer tools, forcing user interaction and preventing inspection. Each forced restart re-triggers the trap, creating a self-sustaining loop that exploits frustration and urgency.


Phase 3 – Intelligence Collection 


Once executed, the PowerShell payload performs environment reconnaissance before deciding how to proceed. It checks for more than 50 analysis and virtual machine indicators and aborts immediately if any are found.

If the system passes these checks, the malware exfiltrates system metadata, including:

  • Installed antivirus products

  • Whether the machine is domain-joined or standalone

This intelligence is sent back to the attacker’s infrastructure, determining the final payload and the value of the compromised host.


Phase 4 – Payload Delivery 


On domain-joined systems, the campaign culminates in the deployment of ModeloRAT, a previously undocumented, fully featured Python-based RAT.

ModeloRAT establishes persistence via the Windows Registry and communicates with its command-and-control servers using RC4-encrypted traffic. It supports full remote administration, including execution of binaries, DLLs, Python scripts, and PowerShell commands.

Its adaptive beaconing logic alternates between slow, stealthy polling and rapid command execution modes, backing off automatically after failed communications to avoid detection. This final stage transforms the initial booby trap into a long-term corporate foothold, consistent with access-broker activity and downstream ransomware operations.
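The paragraphs above say only that the C2 channel is RC4-encrypted. The block below is an added example, not ModeloRAT's code or protocol: it implements RC4 (the key-scheduling and pseudo-random generation steps) so an analyst can decrypt a captured blob once a key has been recovered, and it goes one step beyond the page to show the classic weakness of RC4 used as a stream cipher with a static key and no nonce, namely that two messages encrypted under the same key XOR to the XOR of their plaintexts, so one known plaintext recovers the other without the key. `SAMPLE_KEY`, the beacon text and the field layout are constructed for the demonstration and are not claims about the real malware.

```python
"""RC4 as a C2 transport cipher: keystream generation, decryption of a capture,
and known-plaintext recovery under keystream reuse.

Added example, not ModeloRAT code. Key, messages and layout are constructed.
"""


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes: KSA followed by PRGA."""
    # Key-scheduling algorithm: permute S using the key.
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: emit one keystream byte per call.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same XOR operation) data under key."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# --- Constructed sample: a beacon captured from a hypothetical RC4 channel ---
SAMPLE_KEY = b"example-static-key"              # assumption, not the real key
SAMPLE_BEACON = b"host=WS01;domain=1;av=Defender"  # constructed plaintext
CAPTURED = rc4(SAMPLE_KEY, SAMPLE_BEACON)       # what a sensor sees on the wire


def decrypt_capture(key: bytes, blob: bytes) -> bytes:
    """Recover a beacon's plaintext once the key has been pulled from a sample."""
    return rc4(key, blob)


def known_plaintext_recovery(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Two messages under one static key share the keystream, so
    c1 ^ c2 == p1 ^ p2. Knowing p1 (e.g. a registration message whose format
    is understood) recovers p2 for the overlapping length, without the key."""
    n = min(len(c1), len(c2), len(p1))
    return bytes(a ^ b ^ c for a, b, c in zip(c1[:n], c2[:n], p1[:n]))


if __name__ == "__main__":
    print(decrypt_capture(SAMPLE_KEY, CAPTURED))
    second = rc4(SAMPLE_KEY, b"host=WS02;domain=0;av=None")
    print(known_plaintext_recovery(CAPTURED, SAMPLE_BEACON, second))
```

The `rc4` function is checked against the published RC4 test vectors ("Key"/"Plaintext" and "Wiki"/"pedia"), so it can be dropped into a capture-decoding script as is. The keystream-reuse trick only applies when the implant really does reuse the key and keystream position across messages; whether ModeloRAT does is not something the report states, so treat it as a technique to try, not a given.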

Standalone machines follow a different infection path, currently returning test responses, suggesting active development and staging.


Measures to Defuse the Trap 


Recommended Defensive Actions


  • Restrict browser extension installation to approved allow-lists

  • Monitor Chrome Web Store installs for cloned or impersonated extensions

  • Detect and alert on abnormal browser crashes followed by command execution

  • Block or closely monitor abuse of finger.exe, PowerShell, and LOLBins

  • Enforce least privilege and prevent unauthorized registry persistence

  • Deploy behavioral detection capable of spotting delayed execution and DoS-style resource exhaustion

  • Educate users: no legitimate fix ever requires pasting commands into Run


CrashFix demonstrates a dangerous evolution in social engineering: attackers no longer rely solely on deception — they manufacture failure. By deliberately crashing the browser and positioning themselves as the solution, they turn frustration into a weapon.

The abuse of trusted platforms, legitimate binaries, and familiar workflows allows this booby trap to bypass traditional security controls and embed itself deep inside enterprise environments. In this campaign, the real payload isn’t just ModeloRAT — it’s the erosion of trust in the tools users rely on every day.

In modern attacks, the trap isn’t hidden in the shadows. It’s installed with a single click.



Source: The Hacker News

