Extension gives attackers remote access to Google Chrome


A new browser botnet, dubbed "Cloud9", has been spotted operating in the wild. Delivered as a malicious Chrome extension, it steals online accounts, logs keystrokes, injects advertising and malicious JavaScript, and uses the victim's browser to launch DDoS attacks. Cloud9 has many of the features of a remote access trojan (RAT). Two separate versions were found: the original, and an upgraded build with extra functionality and bug fixes, a sign that the operators are actively iterating. Since the newer build includes everything in the original, the capabilities described below cover both.

With the help of the Cloud9 browser botnet, a threat actor can remotely execute commands in any Chromium-based browser, including Google Chrome and Microsoft Edge. Rather than relying on legitimate browser extension stores, Cloud9 is distributed through threat actor forums; its users then hide the extension inside other software before delivering it to victims. While there are other ways to spread the malware, side-loading through phoney executables and malicious websites posing as Adobe Flash Player updates was the most prevalent according to Zimperium's investigation.

Researchers at Zimperium report observing Cloud9 infections on systems around the world, suggesting that this technique is effective at compromising browsers. The malicious add-on gives Chromium-based browsers a long list of dangerous capabilities. The extension consists of three JavaScript files, which are used to mine cryptocurrency with the host's resources, launch DDoS attacks, and inject scripts that trigger browser exploits. The exploits Zimperium saw being loaded target Firefox (CVE-2019-11708 and CVE-2019-9810), Internet Explorer (CVE-2014-6332 and CVE-2016-0189), and Edge (CVE-2016-7200).
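Every capability described in this article has to be declared in the extension's manifest.json: cookie theft needs the cookies permission, keylogging and script injection need a content script matching every page, a clipper needs clipboardRead, and C2 polling or a DDoS loop needs a background script. That makes the manifest a cheap first triage point when examining a side-loaded extension that never went through a store review. The Node.js script below is an added example, not code from Zimperium's report or from Cloud9 itself; the sample manifests, the lure name "Flash Player Update" and the permission-to-capability mapping are constructed for illustration.

```javascript
// Added example (not Zimperium's analysis code and not Cloud9): triage a
// Chromium extension manifest for the permission set a RAT-style extension needs.
// The sample manifests, lure name and risk mapping below are constructed.

// Permissions that, in combination, let an extension behave like Cloud9.
// Each maps to the capability it enables (assumed mapping, for triage only).
const RISKY_PERMISSIONS = new Map([
  ["cookies", "read/modify cookies (session hijacking)"],
  ["webRequest", "observe or rewrite HTTP traffic"],
  ["webRequestBlocking", "block or modify requests in flight"],
  ["tabs", "enumerate and control open tabs (hidden ad pages)"],
  ["clipboardRead", "read the clipboard (clipper module)"],
  ["scripting", "inject scripts into pages"],
  ["<all_urls>", "host access to every site"],
]);

// Match patterns that cover every origin; treated the same as <all_urls>.
function isAllUrls(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// Returns { score, verdict, findings } for a parsed manifest.json object.
function triageManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    const label = isAllUrls(p) ? "<all_urls>" : p;
    const why = RISKY_PERMISSIONS.get(label);
    if (why) findings.push(`permission ${p}: ${why}`);
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isAllUrls)) {
      findings.push(`content script [${(cs.js || []).join(", ")}] runs on every page (keylogger / ad injection vector)`);
    }
  }
  const bg = manifest.background;
  if (bg && (bg.service_worker || (Array.isArray(bg.scripts) && bg.scripts.length > 0))) {
    findings.push("persistent background script (C2 polling, DDoS loop)");
  }
  const score = findings.length;
  const verdict = score >= 3 ? "HIGH" : score >= 1 ? "REVIEW" : "LOW";
  return { score, verdict, findings };
}

// Constructed manifest in the style of a side-loaded "Flash Player" lure (hypothetical).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Flash Player Update",
  permissions: ["cookies", "tabs", "webRequest", "clipboardRead", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
  background: { service_worker: "bg.js" },
};

// Constructed benign manifest for comparison.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Tab Counter",
  permissions: ["storage"],
  action: { default_popup: "popup.html" },
};

console.log(JSON.stringify(triageManifest(SAMPLE_MANIFEST), null, 2));
console.log(JSON.stringify(triageManifest(BENIGN_MANIFEST), null, 2));
```

To run it against a real installation, load the manifest with fs.readFileSync from the unpacked extension directory (on Windows, under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\) and pass the parsed object to triageManifest. The score is only a triage signal: a legitimate password manager also needs several of these permissions, so a HIGH verdict means "read the three JavaScript files", not "malicious".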

Successful exploitation allows Windows malware to be installed and executed on the host automatically, giving the attackers a foothold for a far more serious system compromise. All five are old, long-patched vulnerabilities, so this stage only succeeds against browsers that have not been kept up to date.

Even without the Windows malware component, the Cloud9 extension can still steal cookies from the compromised browser, which the threat actors can then use to hijack legitimate user sessions and take over accounts.

The extension also includes a keylogger that records key presses to harvest passwords and other private data.

A "clipper" module continuously monitors the system clipboard for copied passwords or credit card numbers. To inflate ad impressions and, consequently, revenue for its operators, Cloud9 can also silently load webpages carrying advertisements. Finally, the extension can use the host's resources to launch layer 7 DDoS attacks, flooding a target domain with HTTP POST requests. "Layer 7 assaults are typically very difficult to detect because the TCP connection looks quite similar to normal requests," Zimperium notes. "The botnet is probably being used by the developer to offer a DDOS service."
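Zimperium's point that a layer 7 flood looks like ordinary traffic at the connection level means detection has to happen at the request level, where a botnet of browsers gives itself away by volume and uniformity: many POSTs to the same path from each source in a short window. The script below is an added example, not part of Zimperium's report or of Cloud9: it parses combined-format access log lines (the default format of Apache and nginx) and flags any client that sends at least `threshold` POSTs to one path within `windowMs`. The log lines, the IP addresses (taken from the RFC 5737 documentation ranges) and the thresholds are constructed.

```javascript
// Added example (not from Zimperium's report or Cloud9): flag layer-7 POST floods
// in combined-format access logs. Log lines, addresses and thresholds are constructed.

// Combined log format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "10/Nov/2022:13:00:01 +0000" -> milliseconds since the epoch (NaN if malformed).
function parseApacheTime(s) {
  const m = /^(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !Object.prototype.hasOwnProperty.call(MONTHS, m[2])) return NaN;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (m[7] === "-" ? -1 : 1) * (+m[8] * 60 + +m[9]) * 60000;
  return local - offsetMs; // wall-clock time minus its UTC offset gives UTC
}

// One parsed request, or null for lines that are not in combined log format.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: parseApacheTime(m[2]), method: m[3], path: m[4], status: +m[5] };
}

// Sliding-window check: for every (ip, path) pair, report the first moment at which
// `threshold` or more POSTs fall inside `windowMs`. GETs and unparseable lines are ignored.
function detectPostFlood(lines, { windowMs = 10000, threshold = 10 } = {}) {
  const timesByKey = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.method !== "POST" || Number.isNaN(ev.time)) continue;
    const key = `${ev.ip} ${ev.path}`;
    if (!timesByKey.has(key)) timesByKey.set(key, []);
    timesByKey.get(key).push(ev.time);
  }
  const alerts = [];
  for (const [key, times] of timesByKey) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      const count = end - start + 1;
      if (count >= threshold) {
        const [ip, path] = key.split(" ");
        alerts.push({ ip, path, count, windowMs, firstSeen: new Date(times[start]).toISOString() });
        break;
      }
    }
  }
  return alerts;
}

// Helper to build constructed log lines at 13:00:<sec> UTC on a fixed date.
function logLine(ip, sec, method, path, status = 200, bytes = 512) {
  const ss = String(sec).padStart(2, "0");
  return `${ip} - - [10/Nov/2022:13:00:${ss} +0000] "${method} ${path} HTTP/1.1" ${status} ${bytes} "-" "Mozilla/5.0"`;
}

// Constructed sample: 12 POSTs to /login from one documentation address within 5 seconds,
// a normal user doing two POSTs a minute apart, and one junk line that must be skipped.
const SAMPLE_LOG = [
  ...Array.from({ length: 12 }, (_, i) => logLine("203.0.113.7", Math.floor(i / 2), "POST", "/login", 503)),
  logLine("198.51.100.4", 3, "GET", "/"),
  logLine("198.51.100.4", 20, "POST", "/login"),
  logLine("198.51.100.4", 55, "POST", "/search"),
  "this line is not in combined log format",
];

console.log(detectPostFlood(SAMPLE_LOG));
```

Because every bot in a browser botnet is a different residential IP, the per-source threshold will only catch the noisy ones; in practice you would also aggregate the same sliding window per path across all sources and compare it against the normal POST rate for that endpoint, which this example leaves as a second pass over the same parsed events.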

Targets and operators

The C2 domains used in the most recent campaign were previously used in attacks by the Keksec malware group, leading to speculation that the operators of Cloud9 are connected to it. Keksec develops and runs numerous botnet projects, including EnemyBot, Tsunamy, Gafgyt, DarkHTTP, DarkIRC, and Necro. Cloud9's victims are spread across the world, and screenshots the threat actor posted on forums show infections across several different browsers. Because the service is openly advertised on cybercrime forums, Zimperium also believes Keksec is likely selling or renting Cloud9 to other operators.

A Google representative said: "To ensure they have the most recent security safeguards, we always advise customers to update to the most recent version of Google Chrome. By turning on Enhanced Protection in Chrome's privacy and security settings, users can additionally protect themselves from harmful executable code and websites. In addition to checking the security of your downloads and alerting you when a file might be dangerous, Enhanced Protection automatically informs you about potentially risky websites and downloads."

Nov. 20, 2022

Hacking vedo