
"Cybersecurity researchers have disclosed details of an ongoing campaign dubbed KongTuke that used a malicious Google Chrome extension masquerading as an ad blocker to deliberately crash the web browser and trick victims into running arbitrary commands using ClickFix-like lures to deliver a previously undocumented remote access trojan (RAT) dubbed ModeloRAT. This new escalation of ClickFix has been codenamed CrashFix by Huntress."
"KongTuke, also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124, is the name given to a traffic distribution system (TDS) known for profiling victim hosts before redirecting them to a payload delivery site that infects their systems. Access to these compromised hosts is then handed off to other threat actors, including ransomware groups, for follow-on malware delivery. Some of the cybercriminal groups that have leveraged TAG-124 infrastructure include Rhysida ransomware, Interlock ransomware, and TA866 (aka Asylum Ambuscade),"
KongTuke is a traffic distribution system (also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124) that profiles victim hosts before redirecting them to payload delivery sites. A malicious Chrome extension named NexShield - Advanced Web Guardian was uploaded to the official Chrome Web Store, downloaded at least 5,000 times, and masqueraded as an ad blocker and privacy shield. The extension is a near-identical clone of uBlock Origin Lite and was engineered to display a fake security warning. Access to compromised hosts was handed off to other threat actors, including the Rhysida and Interlock ransomware groups and TA866 (aka Asylum Ambuscade).
Read at The Hacker News