I block ads (despite the hypocrisy) and you probably do too if you’re tech-literate enough to read PCWorld on the regular. So maybe you’re familiar with the minor drama between Google Chrome and the incredibly popular uBlock Origin, which is also a solo developer’s passion project. That notoriety has led to a small irony: a scammer impersonating said developer with a fake ad blocker.
The “NexShield Smart Ad Blocker” was, at one point, available on the Chrome Web Store, allowing it to be downloaded and installed on Chromium-based browsers like Chrome and Edge. It has since been removed, and its promotional page is down along with associated advertisements that ran on search engines, including Google. But it was apparently promoted as “created by Raymond Hill.” Hill is somewhat notable as the solo developer behind uBlock Origin, who refused to comply with Google’s Manifest V3 extension changes, saying that it would hamstring the functionality of ad-blocking systems.
The original uBlock Origin is still available on Firefox and other non-Chromium browsers, while those of us still using the most popular standard will have to make do with the less-effective uBlock Origin Lite. NexShield apparently cloned most of the code in the Lite version and falsely attributed the development to Hill.
NexShield was discovered as malware by security vendor Huntress (via BleepingComputer), who says the extension used an interesting vector of attack. Hidden inside the background.js file is a system that sends user tracking info back to the creators. To avoid being immediately spotted, the extension doesn’t actually start working for an hour.
Once it’s active, the extension overloads the browser by executing a loop of one billion (with a “b”) actions, over and over. This rapidly exhausts system resources, causing tabs and eventually the whole browser to crash. Once the user restarts the browser, they get messages that there are issues that need to be fixed (hence the “ClickFix” and “CrashFix” monikers assigned by some security researchers). When that happens, a code is automatically copied, then the user is instructed to paste the malicious command into the Windows Run tool: “Open Win + R, Press Ctrl + V, Press Enter.”
That bit of trickery installs ModeloRAT, a nasty payload that includes a remote access trojan with the ability to install additional tools, spy on the user, modify the Windows registry, and all manner of other unsavory acts. According to Huntress, this system is the work of threat actor “KongTuke,” which is specifically targeting high-value corporate networks.
Author: Michael Crider
Source: PCWorld
Reviewed By: Editorial Team
