Malicious extension allows attackers to control Google Chrome remotely


A new Chrome browser botnet named “Cloud9” has been discovered in the wild using malicious extensions to steal online accounts, log keystrokes, inject ads and malicious JS code, and enlist the victim’s browser in DDoS attacks.

The Cloud9 Browser Botnet is actually a Remote Access Trojan (RAT) for Chromium-based web browsers, including Google Chrome and Microsoft Edge, allowing the threat actor to execute commands remotely.

The malicious Chrome extension is not available on the official Chrome web store, but is instead distributed through alternative channels, such as websites that distribute fake Adobe Flash Player updates.
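Because Cloud9 is sideloaded rather than installed from the Chrome Web Store, a practical defender check is to audit a profile's extension settings for anything that did not arrive through the store. The script below is an added example (not from the article or from Zimperium): it parses a constructed snippet in the shape of Chrome's `extensions.settings` block, and the install-location codes it uses are assumed from Chromium's ManifestLocation enum, which the article does not list.

```python
import json
from typing import List

# Install-location codes from Chromium's ManifestLocation enum (assumed here;
# the article does not give them): 1 = Web Store/internal, 2 = external pref,
# 3 = Windows registry, 4 = unpacked, 5 = component, 6 = external pref download,
# 7 = policy download, 8 = command line, 9 = policy, 10 = external component.
TRUSTED_LOCATIONS = {5, 7, 9, 10}          # component or admin-policy installs
SIDELOADED_LOCATIONS = {2, 3, 4, 6, 8}     # installed outside the Web Store flow
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Permissions that enable the cookie-theft, clipper and injection behaviour described above.
RISKY_PERMISSIONS = {"cookies", "<all_urls>", "clipboardRead", "webRequest", "tabs"}


def audit_extensions(preferences_json: str) -> List[dict]:
    """Return one finding per extension that was not installed from the Web Store."""
    settings = json.loads(preferences_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        location = entry.get("location")
        if location in TRUSTED_LOCATIONS:
            continue
        reasons = []
        if location in SIDELOADED_LOCATIONS:
            reasons.append(f"install location code {location} (sideloaded)")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append(f"update_url is {manifest.get('update_url')!r}, not the Web Store")
        if not reasons:
            continue
        risky = sorted(RISKY_PERMISSIONS & set(manifest.get("permissions", [])))
        if risky:
            reasons.append("broad permissions: " + ", ".join(risky))
        findings.append({"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


# Constructed sample in the shape of Chrome's extensions.settings block (not a real capture).
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {"location": 1, "manifest": {
        "name": "Store Extension", "update_url": WEBSTORE_UPDATE_URL, "permissions": ["tabs"]}},
    "bcdefghijklmnopabcdefghijklmnopa": {"location": 4, "manifest": {
        "name": "Flash Player Update", "permissions": ["cookies", "<all_urls>", "clipboardRead"]}},
    "cdefghijklmnopabcdefghijklmnopab": {"location": 5, "manifest": {"name": "Built-in Component"}},
}}})

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFERENCES):
        print(f["id"], f["name"], "; ".join(f["reasons"]))
```

On a real host the same block lives in the profile's `Preferences` or `Secure Preferences` file (the latter on Windows), so feed that file's contents to `audit_extensions` instead of the constructed sample.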

The malicious browser extension on Chrome (Zimperium)

This method appears to be working well, as Zimperium researchers reported today that they have seen Cloud9 infections on systems around the world.

Infecting your browser

Cloud9 is a malicious browser extension that hijacks Chromium-based browsers to perform a long list of malicious functions.

The extension consists of three JavaScript files to collect system information, mine cryptocurrency using host resources, perform DDoS attacks, and inject scripts that execute browser exploits.

Zimperium has observed the extension loading exploits for CVE-2019-11708 and CVE-2019-9810 in Firefox, CVE-2014-6332 and CVE-2016-0189 in Internet Explorer, and CVE-2016-7200 in Edge.

These vulnerabilities are used to automatically install and execute Windows malware on the host, allowing attackers to further compromise the system.

However, even without the malicious Windows component, the Cloud9 extension can steal cookies from the compromised browser, which hackers can use to hijack valid user sessions and take control of accounts.

The browser cookie thief (Zimperium)

Additionally, the malware features a keylogger that can spy on key presses to steal passwords and other sensitive information.

A “clipper” module is also present in the extension, constantly monitoring the system clipboard for copied passwords or credit card numbers.

Cloud9 Clipper component (Zimperium)

Cloud9 may also inject advertisements by silently loading web pages to generate ad impressions and, therefore, revenue for its operators.

Finally, the malware can draw on the host’s firepower to perform Layer 7 DDoS attacks via HTTP POST requests to the target domain.

“Layer 7 attacks are usually very difficult to detect because the TCP connection looks a lot like legitimate requests,” Zimperium comments.

“The developer is probably using this botnet to provide a service to perform DDOS.”

Operators and targets

The hackers behind Cloud9 are believed to have ties to the Keksec malware group, as the C2 domains used in the recent campaign have been seen in past Keksec attacks.

Keksec is responsible for developing and running several botnet projects, including EnemyBot, Tsunami, Gafgyt, DarkHTTP, DarkIRC, and Necro.

Cloud9 victims are spread across the globe and screenshots posted by the threat actor on forums indicate that they target various browsers.

Screenshot of the Cloud9 panel (Zimperium)

Additionally, public promotion of Cloud9 on cybercrime forums leads Zimperium to believe that Keksec is likely selling/renting it to other operators.

Update 11/9 – A Google spokesperson provided the following comment to BleepingComputer:

We always recommend users update to the latest version of Google Chrome to ensure they have the latest security protections.

Users can also stay better protected against malicious executables and websites by enabling Enhanced Protection in Chrome’s privacy and security settings.

Enhanced Protection automatically alerts you to potentially dangerous sites and downloads and inspects the security of your downloads and alerts you when a file may be dangerous.
