This ‘Ad Blocker’ Actually Initiates ClickFix Attacks

A malicious ad-blocking extension on Chrome and Edge uses the ClickFix attack to infect devices with a remote access payload capable of spying and taking control of a system.
NexShield presented itself as a privacy-focused ad blocker from the developer of the well-established and highly trusted uBlock Origin. However, as security firm Huntress discovered, the extension launches a variation of the ClickFix attack that has been dubbed “CrashFix” – a reference to the browser crash that precedes the fake security warning and malicious command prompt.
How NexShield’s “CrashFix” Attacks Your Device
As BleepingComputer describes, the NexShield extension creates a denial of service (DoS) loop that exhausts your device’s memory, ultimately freezing Chrome or Edge and causing it to crash. When the browser restarts, the extension displays a pop-up with a “Run Scan” button to identify “potential security threats that could compromise your browsing data”, leading users to believe that the crash is the result of a security issue.
If you continue, you will see another fake window with instructions to run commands in Windows Command Prompt. This is the ClickFix attack: a form of social engineering that relies on fake error messages, CAPTCHAs, and command prompts to trick users into deploying malware on their own devices.
In this case, the extension copies a command to the clipboard; if the user presses the key sequence shown in the fake pop-up, the pasted command runs and downloads and executes a malicious script. After a 60-minute delay to avoid detection, NexShield delivers the payload, which can execute commands, fingerprint the system, and elevate privileges.
Note that as of this writing, NexShield has been removed from the Chrome Web Store.
How to protect your system from malware
If you have NexShield installed, you need to uninstall it and perform a full system cleanup to erase its payloads from your device. (We offer step-by-step guides to removing malware from your Mac and PC.)
As a general protection against similar attacks, only install browser extensions from trusted sources. This doesn’t guarantee that you’ll never encounter a malicious add-on in the Chrome Web Store or other browsers’ extension stores, as hackers sometimes manage to sneak through the approval process and even get their extensions labeled as trusted or verified. Some extensions are clean when approved and are only later updated with malicious code, essentially “waking up” their ability to attack.
Before installing a new extension, carefully check the creation date, reviews and ratings, and even the name, as malicious add-ons often impersonate trusted extensions (or, as in the case of NexShield, rely on legitimate brands like uBlock Origin). Watch for suspicious permissions: If the extension requests access to data or actions that seem excessive or unrelated to its primary function, it may be malware.
Finally, never run code or commands on your machine that were copied from websites or messages you do not understand, and always verify instructions with an independent and reliable source. For this specific campaign, Huntress has published additional indicators of compromise that you can look for on your system.
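The permission and name checks above can be done by hand in the browser’s extension manager, or scripted against the manifest.json files on disk. The script below is an added example, not tooling from the article, Huntress, or BleepingComputer: it parses extension manifests, flags permissions that are hard to justify for an ad blocker (the risk ranking and the “expected for an ad blocker” list are the example’s own assumptions), and flags descriptions that trade on a well-known brand such as uBlock Origin. The two sample manifests are constructed for the example and are not NexShield’s real manifest, which the article does not reproduce.

```python
"""Audit Chrome/Edge extension manifests for excessive permissions and
brand-name impersonation. Added example; the permission classification
below is an assumption, not a published list from any vendor."""
import json
import sys
from pathlib import Path

# Permissions a content-filtering extension commonly declares (assumption).
EXPECTED_FOR_AD_BLOCKER = {
    "declarativeNetRequest", "declarativeNetRequestFeedback", "webRequest",
    "storage", "unlimitedStorage", "webNavigation", "tabs", "scripting",
    "contextMenus", "alarms",
}

# Permissions that give an extension reach over the host or clipboard and
# are hard to justify for an ad blocker (assumed risk ranking).
HIGH_RISK = {
    "clipboardWrite": "can place arbitrary text on the clipboard (ClickFix lure)",
    "clipboardRead": "can read clipboard contents",
    "nativeMessaging": "can talk to native host programs",
    "debugger": "can drive the browser via the DevTools protocol",
    "management": "can enumerate or disable other extensions",
    "downloads": "can start file downloads",
    "proxy": "can redirect all browser traffic",
}

# Brand names that malicious add-ons commonly borrow (lower-case substrings).
BRANDS = ("ublock", "adblock", "adguard")


def audit_manifest(manifest: dict) -> dict:
    """Return findings for one parsed manifest.json (assumed schema: MV2/MV3)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    high = sorted((p, HIGH_RISK[p]) for p in perms if p in HIGH_RISK)
    unexpected = sorted(p for p in perms if p not in EXPECTED_FOR_AD_BLOCKER and p not in HIGH_RISK)
    # Names may be localized placeholders like __MSG_extName__; those are kept as-is.
    text = " ".join(str(manifest.get(k, "")) for k in ("name", "description", "author")).lower()
    brands = [b for b in BRANDS if b in text]
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "high_risk": high,          # (permission, why it matters)
        "unexpected": unexpected,   # not high risk, but worth a look
        "brand_mentions": brands,   # verify the publisher is really that brand
        "verdict": "REVIEW" if high or brands else "ok",
    }


def scan_extensions_dir(root: Path) -> list:
    """Audit every manifest.json under an Extensions directory, e.g.
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions (Chrome) or
    %LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Extensions (Edge)."""
    results = []
    for path in root.rglob("manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than crash
        finding = audit_manifest(manifest)
        finding["path"] = str(path)
        results.append(finding)
    return results


# Constructed sample manifests for demonstration (not real extensions).
SAMPLE_BENIGN = {
    "manifest_version": 3, "name": "Example Blocker", "version": "1.0",
    "permissions": ["declarativeNetRequest", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_SUSPICIOUS = {
    "manifest_version": 3, "name": "Privacy Shield", "version": "2.3.1",
    "description": "Privacy-first ad blocker from the makers of uBlock Origin",
    "permissions": ["declarativeNetRequest", "storage", "clipboardWrite",
                    "nativeMessaging", "downloads"],
    "host_permissions": ["<all_urls>"],
}


def report(findings: list) -> None:
    for f in findings:
        print(f"[{f['verdict']}] {f['name']} {f['version']}")
        for perm, why in f["high_risk"]:
            print(f"    high-risk permission {perm}: {why}")
        if f["brand_mentions"]:
            print(f"    mentions brand(s) {f['brand_mentions']}: confirm the publisher")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(scan_extensions_dir(Path(sys.argv[1])))
    else:
        report([audit_manifest(SAMPLE_BENIGN), audit_manifest(SAMPLE_SUSPICIOUS)])
```

Run it with the path to a browser profile’s Extensions directory to audit what is actually installed, or with no arguments to see the two constructed samples; a verdict of REVIEW is a prompt to check the publisher and the permission list against what the extension claims to do, not a malware determination on its own.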