Security researchers at Zimperium have discovered a new botnet named Cloud9 that uses malicious extensions to steal accounts, log keystrokes, enlist the victim browser in DDoS attacks and inject ads as well as malicious JavaScript in Chromium-based browsers around the world.
The malicious extension that delivers the main payload isn’t available on the official Chrome extension store. It’s currently being distributed through websites pushing fake Adobe Flash Player updates among other channels. The botnet functions as a Remote Access Trojan (RAT) for Chromium-based browsers allowing the hacker to control the browser remotely.
Cloud9 further exploits CVE-2019-11708 and CVE-2019-9810 vulnerabilities in Firefox, CVE-2014-6332 and CVE-2016-0189 for Internet Explorer, and CVE-2016-7200 for Microsoft Edge to automatically install and execute the malware on Windows hosts allowing the threat actor to gain additional access.
That said, Cloud9 is a rather effective tool on its own as well. The extension uses three JavaScript files that divide multiple operations between them. These tasks include collecting system information, performing layer 7 DDOS attacks via HTTP POST requests, mining crypto using the host PC and injecting scripts to run browser exploits as well as exploit the aforementioned vulnerabilities.
Other than that, the extension can steal cookies, which allows threat actors to hijack web sessions and take over the victim’s accounts. A keylogger and a clipboard reading module called ‘clipper’ are also included in the package to capture as much sensitive information as possible.
The researchers believe that the botnet is being used to provide a service to perform Layer 7 DDOS attacks on a target domain, especially considering the sophistication of these attacks. Layer 7 DDOS attacks can be quite tricky to detect as the TCP connections they use are very similar to legitimate web requests.
This is further confirmed by the fact that the botnet is being openly promoted on cybercrime forums. Zimperium researchers believe that the botnet is being sold either for free or for the low price of a few hundred dollars on a number of different hacker forums. The ease of use and free availability means that we can see multiple malware groups or individual threat actors deploying it in the near future.
The botnet comes from the Keksec malware group. Originally formed in 2016, the group is already popular for its DDOS and mining-based malware and botnets including Necro, DarkHTTP, Gafgyt, Tsunamy and EnemyBot. The C2 (Command and Control) domains used by the RAT are similar to the ones used by the group previously.
At the time of writing, Cloud9 isn’t targeting any specific group or industry and the number of victims is still unknown. However, it’s clear that the botnet is targeting all browsers and operating systems to increase the attack surface. The victims aren’t limited to a specific country, region or web browser either.
There are no countermeasures against the botnet at the moment either, however, a complete reinstall of the browser or if the infection has spread to the host OS, the entire operating system should be able to purge any traces of it from the victim machine.
In the News: FTX on brink of collapse as Binance prepares bailout