A recent deep-dive investigation from Trend Micro Managed Detection and Response (MDR) has unmasked the evolving tactics of the KongTuke threat group. While the group continues to rely on its classic “ClickFix” fake CAPTCHA lures, researchers have identified a sophisticated new initial access technique dubbed “CrashFix” that specifically targets enterprise environments.
The campaign is characterized by its heavy reliance on legitimate system tools to blend in with normal network traffic. By abusing components such as PowerShell, finger.exe, and trusted services like Dropbox, the group can “execute commands remotely, maintain persistence, and remain active on compromised systems while leaving limited visible traces.”
KongTuke’s strategy is diversifying. While they still inject malicious JavaScript into legitimate WordPress sites to prompt users to run PowerShell commands, the new CrashFix method takes a different approach.

Under this new technique, users are “tricked into installing a malicious Chrome extension that displays a fake security warning, stating that the browser has ‘stopped abnormally.’” This prompt then guides unsuspecting victims to execute a malicious PowerShell command under the guise of “remediation instructions.”
Once a user is socially engineered into executing the initial command, the infection process moves through several stealthy stages:
- Living off the Land: The attackers copy the built-in Windows tool finger.exe to a temporary file (ct.exe) and execute it.
- Remote Command Execution (RCE): The renamed binary connects to an external IP and pipes the response directly into the command interpreter, establishing unauthorized remote access.
- In-Memory Execution: The finger.exe utility retrieves an obfuscated CharCode blob containing PowerShell code, which it decodes and executes entirely in memory to evade disk-based detection.
The ultimate goal of both the CrashFix and ClickFix chains is the deployment of modeloRAT, a Python-based backdoor. This RAT is particularly dangerous for corporate networks because it “specifically checks whether a system is part of a corporate domain and identifies installed security tools before continuing.”
If the malware confirms the system is domain-joined, it downloads a portable Python distribution from Dropbox to run its final modules. These modules perform extensive reconnaissance, collecting:
- Network configurations and active TCP connections.
- System identity and privilege context.
- Installed services and active processes.
- Domain membership and environment classification.
To ensure long-term access, KongTuke establishes persistence by creating a scheduled task named “Software Protection.” This task is designed to “blend in as legitimate software protection service” while repeatedly executing the malicious payload every five minutes.
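The two behaviours described above that leave the clearest telemetry are a renamed copy of finger.exe that goes on to spawn a command interpreter, and a scheduled task named “Software Protection” that re-runs a payload every five minutes. The following is an added detection example, not code from Trend Micro or from the report: it runs three correlation rules over a handful of constructed Sysmon-style process-creation and scheduled-task records. The field names (`image`, `original_file_name`, `parent_image`, `task_name`, `repetition_interval`) and every path and host in the sample events are assumptions made up for the example, not indicators from the campaign.

```python
"""Detection rules for the finger.exe / "Software Protection" tradecraft.

Added example; not Trend Micro's code. The event layout imitates Sysmon
EventID 1 (process create) and a scheduled-task creation event, but the
field names are constructed and must be mapped to your own telemetry.
"""
import re

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# ISO 8601 duration as used by Task Scheduler repetition settings, e.g. PT5M.
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

# Constructed sample telemetry (paths, users and host names are placeholders).
SAMPLE_EVENTS = [
    # Benign: the built-in finger.exe run from System32 by an admin shell.
    {"event": "process_create", "image": r"C:\Windows\System32\finger.exe",
     "original_file_name": "finger.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # Suspicious: the PE still says finger.exe but it runs as ct.exe from Temp.
    {"event": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\ct.exe",
     "original_file_name": "finger.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # Suspicious: the renamed copy spawns a command interpreter.
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "original_file_name": "Cmd.Exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\ct.exe"},
    # Benign: a weekly maintenance task.
    {"event": "task_create", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "repetition_interval": "P1W"},
    # Suspicious: task named like the report's persistence, five-minute repeat.
    {"event": "task_create", "task_name": r"\Software Protection",
     "repetition_interval": "PT5M"},
]


def _basename(path):
    return (path or "").rsplit("\\", 1)[-1].lower()


def interval_minutes(iso):
    """Parse a PT..H..M..S duration into minutes; None for anything else."""
    m = _DURATION.match(iso or "")
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + s / 60


def is_renamed_finger(ev):
    """finger.exe's embedded OriginalFileName, but a different on-disk name."""
    if ev.get("event") != "process_create":
        return False
    orig = (ev.get("original_file_name") or "").lower()
    return orig == "finger.exe" and _basename(ev.get("image")) != "finger.exe"


def spawns_interpreter_from_finger(ev, renamed_copies):
    """cmd/powershell whose parent is finger.exe or a copy flagged earlier."""
    if ev.get("event") != "process_create":
        return False
    if _basename(ev.get("image")) not in INTERPRETERS:
        return False
    parent = (ev.get("parent_image") or "").lower()
    return _basename(parent) == "finger.exe" or parent in renamed_copies


def is_software_protection_task(ev):
    """Exact task name plus a repeat interval of five minutes or less.

    Windows ships a legitimate SoftwareProtectionPlatform task folder, so
    match the bare name exactly rather than on a substring.
    """
    if ev.get("event") != "task_create":
        return False
    if _basename(ev.get("task_name")) != "software protection":
        return False
    mins = interval_minutes(ev.get("repetition_interval"))
    return mins is not None and mins <= 5


def scan(events):
    """Run the rules in event order, correlating renamed copies with their
    children. Returns a list of (rule_name, image_or_task) alerts."""
    alerts = []
    renamed_copies = set()
    for ev in events:
        if is_renamed_finger(ev):
            renamed_copies.add(ev["image"].lower())
            alerts.append(("renamed_finger_exe", ev["image"]))
        if spawns_interpreter_from_finger(ev, renamed_copies):
            alerts.append(("finger_spawned_interpreter", ev["image"]))
        if is_software_protection_task(ev):
            alerts.append(("software_protection_task", ev["task_name"]))
    return alerts


if __name__ == "__main__":
    for rule, subject in scan(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

The renamed-copy rule depends on the OriginalFileName field being present, so it only works where your process telemetry records PE metadata (Sysmon does; a bare Security 4688 event does not). The correlation in `scan` is deliberately order-dependent: a child interpreter is only attributed to a renamed copy if that copy's own creation event was seen first, which is the usual ordering in a single host's event stream.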
Trend Micro warns that because this campaign “ultimately relies on human-initiated execution,” technical controls must be combined with continuous user education to be effective.