Unmasking a new technique CrashFix found was used to fool the victim.

Unmasking a new technique CrashFix found was used to fool ModeloRAT malware installation victims.

ClickFix, or an unreal bug screen with instructions for the victim to do so to correct it, is actually a malware installation for the victim. It has been called a popular method over the past year. This method has developed so much that there are many sub-forms, such as in this news.

According to a report by the website, The Hacker News has mentioned the detection of a new type of ClickFix campaign that instead of fooling the website and causing the website to display a fake error message for the victim to follow the order. It is a trick for the victim to install an Extensions web browser, and then the extension will freeze the web browser (Crash) on purpose to trick the victim into following a command that will ultimately lead to a malware download. This method was named CrashFix by a research team from Huntress, a company of hackers experts who detected the gambit.

The research team has revealed that the system behind the CrashFix victim scam is the infrastructure of the Traffic or Traffic Distribution System (TDS) type that transforms the target of the victim's redirect website to a website where a payload of malware files is stored called KongTuke, known by many other names, 404 TDS, Chaya _ 002, LandUpdate808, and TAG-124. This system has been used by many hackers to spread a variety of malware, such as Rhysida Ransomware, Interlock. Ransomware, and TA866 (or Asylum Ambuscade), outside of the popularity of being used by different groups of hackers, are also reported to be involved in such famous malware as Socgholish and D3F@ck Loader.

In order to spread the fake add-on that is currently the case, hackers have created an ad blocker called "NexShield - Advanced Web Guardian," which boasts that it can block a lot of advertising. This add-on was once available for download via the official Google Chrome Web Store web browser add-on, which was downloaded by up to 5,000 victims before this fake add-on was deleted, which, according to the research team, is similar to the one. It complements a genuine Ad Blocker like uBlock Origin Lite version 2025.1116.1841, so much so that it is expected that the hackers behind it have made a copycat (Clone) to deceive the victim.

On the job side, after the victim installs the add-on, the add-on displays a Security Warning notification. The web browser is abnormally stopped, and the victim is instructed to scan for cyber threats that are detected by the Microsoft Edge web browser. If the victim scans, it will lead to another alert that will come with the command to activate Windows Run. Then paste the copy command on Run and press Enter (which is the same method as ClickFix). The web browser will also be put in a DoS (Denial-of-Service) extension until it ultimately freezes.

While the web browser is suspended, the input command leads to the download of the first PowerShell script from the control server (C2). After the first script is grounded, it leads to the download of the second PowerShell script. By malware or payload, the second will check for analysis tools and more than 50 Virtual Machines. If the payload is detected, it will stop immediately. In addition to that, it will be checked that the unit is active. Use Domain-Joined or Standalone. After the verification is complete, the payload sends two data back to the C2 server.

A list of all anti-virus software installed on the machine.

Two machine type indications

"ABCD111" for singular machines

"WORKGROUP" or "BCDA222" for domain-sharing machines

If the machine is detected as a co-domain machine, the TDS system will work to release a payload of ModeloRAT malware, a malware type that controls the victim's machine, or a RAT (Remote Access Trojan) that focuses on attacks on the Windows operating system, and an RC4 encryption system is used to communicate with the C2 server located on the IP Address number "170.168.103 [.] 208" or "158.247.252. [.] 178 "comes down on the machine and creates Persitence through the Registry modification and manipulates the use of the corresponding inaries, DLLs, Python scripts, and PowerShell commands.

The ModeloRAT malware, although its capabilities are not mentioned by the source, mentions some of its functionality. The malware has the ability to update itself through the "VERSION _ UPDATE" command or delete itself with the "TERMINATION _ SIGNAL" command received from the C2 server.

# hacking # Trending # lemon 8 diary # Lemon 8 Howtoo # freedomhack