
Cloud9 browser botnet found hijacking Chromium-based browsers


Security researchers at Zimperium have discovered a new botnet named Cloud9 that uses malicious extensions to steal accounts, log keystrokes, enlist the victim browser in DDoS attacks and inject ads as well as malicious JavaScript in Chromium-based browsers around the world. 

The malicious extension that delivers the main payload isn’t available on the official Chrome extension store. It’s currently being distributed through websites pushing fake Adobe Flash Player updates, among other channels. The botnet functions as a Remote Access Trojan (RAT) for Chromium-based browsers, allowing the attacker to control the browser remotely.

The malicious extension as installed in Chrome. | Source: Zimperium

Cloud9 further exploits CVE-2019-11708 and CVE-2019-9810 in Firefox, CVE-2014-6332 and CVE-2016-0189 in Internet Explorer, and CVE-2016-7200 in Microsoft Edge to automatically install and execute the malware on Windows hosts, giving the threat actor access beyond the browser itself.

That said, Cloud9 is a rather effective tool on its own as well. The extension uses three JavaScript files that divide multiple operations between them. These tasks include collecting system information, performing layer 7 DDoS attacks via HTTP POST requests, mining cryptocurrency on the host PC and injecting scripts that run browser exploits, including those for the vulnerabilities listed above.

Beyond that, the extension can steal cookies, which allows threat actors to hijack web sessions and take over the victim’s accounts. A keylogger and a clipboard-reading module called ‘clipper’ are also included in the package to capture as much sensitive information as possible.

A post on a hacker forum promoting the Cloud9 botnet. | Source: Zimperium

The researchers believe that the botnet is being used to offer a service performing layer 7 DDoS attacks against a target domain, especially considering the sophistication of these attacks. Layer 7 DDoS attacks can be quite tricky to detect, as the TCP connections they use look very similar to legitimate web requests.
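Because a layer 7 flood arrives over ordinary TCP connections carrying well-formed HTTP requests, the practical detection signal is request behaviour rather than packet shape: a hijacked browser issuing POST requests in a tight loop stands out by rate and by the lack of variety in what it requests. The script below is an added example for this article, not code from Zimperium's report or from the botnet; it parses web-server access logs in the common "combined" format, computes the peak number of POST requests each client sent inside a sliding window, and flags sources that exceed a threshold. The log lines, IP addresses, paths and the 20-requests-per-10-seconds threshold are all constructed for illustration and would need tuning to a real site's baseline.

```python
"""Flag HTTP POST floods in web-server access logs (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def peak_count(times, window):
    """Largest number of events falling within any interval of length `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:  # slide the left edge until the window fits
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_post_flood(lines, window_seconds=10, threshold=20):
    """Map each flagged client IP to its peak POST burst and request diversity.

    A source is flagged when it sent at least `threshold` POST requests inside
    any `window_seconds`-long window (assumed values; tune to the site's baseline).
    Low distinct-path / distinct-agent counts are reported as supporting context.
    """
    posts = defaultdict(list)   # ip -> timestamps of POST requests
    paths = defaultdict(set)    # ip -> distinct paths requested
    agents = defaultdict(set)   # ip -> distinct user agents seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not fatal
        paths[rec["ip"]].add(rec["path"])
        agents[rec["ip"]].add(rec["ua"])
        if rec["method"] == "POST":
            posts[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in posts.items():
        peak = peak_count(times, window)
        if peak >= threshold:
            flagged[ip] = {
                "peak_posts": peak,
                "distinct_paths": len(paths[ip]),
                "distinct_agents": len(agents[ip]),
            }
    return flagged


def constructed_log():
    """Build a small constructed access log: one normal visitor and one flooding client."""
    base = datetime.strptime("09/Nov/2022:10:15:00 +0000", TS_FORMAT)
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/107.0 Safari/537.36"

    def fmt(ip, t, method, path):
        return (f'{ip} - - [{t.strftime(TS_FORMAT)}] "{method} {path} HTTP/1.1" 200 512 '
                f'"https://example.test/" "{ua}"')

    lines = []
    # Ordinary visitor (RFC 5737 documentation address): a few page views and one form post.
    for i, path in enumerate(["/", "/pricing", "/about", "/contact"]):
        lines.append(fmt("198.51.100.7", base + timedelta(seconds=12 * i), "GET", path))
    lines.append(fmt("198.51.100.7", base + timedelta(seconds=50), "POST", "/contact"))
    # Hijacked browser: 40 identical POSTs to one path inside about 8 seconds.
    for i in range(40):
        lines.append(fmt("203.0.113.42", base + timedelta(milliseconds=200 * i), "POST", "/login"))
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for ip, info in detect_post_flood(constructed_log()).items():
        print(ip, info)
```

The same user agent appears on both the normal and the flooding client on purpose: a hijacked browser sends genuine browser headers, so the example leans on burst rate and path diversity rather than on anything in the request itself.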

This is further confirmed by the fact that the botnet is being openly promoted on cybercrime forums. Zimperium researchers believe that the botnet is either being given away for free or sold for the low price of a few hundred dollars on a number of different hacker forums. Its ease of use and free availability mean that multiple malware groups or individual threat actors may deploy it in the near future.

The botnet comes from the Keksec malware group. Originally formed in 2016, the group is already known for its DDoS and mining-based malware and botnets, including Necro, DarkHTTP, Gafgyt, Tsunami and EnemyBot. The C2 (Command and Control) domains used by the RAT are similar to the ones the group has used previously.

List of Cloud9 targets as shared on a hacker forum. | Source: Zimperium

At the time of writing, Cloud9 isn’t targeting any specific group or industry and the number of victims is still unknown. However, it’s clear that the botnet is targeting all browsers and operating systems to reach as many victims as possible. The victims aren’t limited to a specific country, region or web browser either.

There are no specific countermeasures against the botnet at the moment either. However, a complete reinstall of the browser, or of the entire operating system if the infection has spread to the host OS, should purge any traces of it from the victim machine.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
