We willingly block advertisements, a seeming contradiction for those of us who frequent tech news. Many of us rely on tools like uBlock Origin, a remarkably effective ad blocker crafted by a single, dedicated developer. This very popularity, however, has spawned a dangerous deception – a fraudulent ad blocker impersonating its creator.
The imposter, “NexShield Smart Ad Blocker,” briefly infiltrated the Chrome Web Store, extending its reach to browsers like Chrome and Edge before being swiftly removed. Its promotional materials, including search engine ads, have also vanished, but not before falsely claiming to be the work of Raymond Hill, the individual behind the original uBlock Origin.
Hill gained prominence by resisting Google’s controversial Manifest V3 changes, arguing they would severely weaken ad-blocking capabilities. While the authentic uBlock Origin remains accessible on Firefox and other non-Chromium browsers, Chrome users are currently limited to a less robust “Lite” version. NexShield cleverly exploited this by cloning the Lite version’s code and falsely attributing it to Hill.
Security firm Huntress uncovered NexShield’s malicious nature, revealing a subtle yet insidious attack vector. The extension concealed a system within its code designed to transmit user tracking data back to its creators, delaying activation for a full hour to evade immediate detection.
Once active, NexShield doesn’t simply block ads; it aggressively overloads the browser with a relentless loop of one billion operations. This deliberate resource exhaustion causes tabs to freeze and ultimately crashes the entire browser. The user is then presented with error messages and prompted to “fix” the issues.
The “fix” is the core of the deception. Users are instructed to copy a provided code and paste it into the Windows Run tool, a seemingly harmless action that triggers a far more sinister outcome: the installation of ModeloRAT, a remote access trojan.
ModeloRAT grants attackers comprehensive control, enabling them to install further malware, monitor user activity, manipulate the Windows registry, and execute a wide range of malicious commands. Huntress attributes this operation to a threat actor known as “KongTuke,” specifically targeting valuable corporate networks.
This incident serves as a stark reminder of the risks lurking within browser extensions and the importance of verifying the authenticity of software before installation. The imitation wasn’t just a flawed ad blocker; it was a carefully constructed gateway for a sophisticated cyberattack.