The Cloud9 botnet is designed to work as a remote access trojan for Chromium web browsers, like Microsoft Edge and Google Chrome, enabling the threat operator to execute commands remotely.
The malicious extension is not available on the well-established Chrome web store. Instead, it is being circulated through other channels, including nefarious websites that push fake updates for programs like Adobe Flash Player.
According to threat analysts at Zimperium, this distribution technique appears to be working for the attacker behind the campaign, as they have identified Cloud9-infected systems all around the world.
Infecting online browsers
Cloud9 is a malicious browser extension that backdoors Chromium browsers and provides the operator with an extensive set of harmful capabilities.
Researchers at Zimperium also observed the extension loading exploits for several known vulnerabilities in browsers including Firefox, Internet Explorer and Microsoft Edge.
These known vulnerabilities are used to automatically install and execute Windows malware on the host, allowing the attackers to carry out a much deeper compromise of the system.
Even without the Windows malware component, the Cloud9 extension can steal cookies from the compromised browser. This enables attackers to hijack legitimate user sessions and take over online accounts.
Furthermore, the malware has a keylogger function that can spy on and record key presses to aid password theft.
A dedicated clipper module included in the extension constantly monitors the system clipboard for copied passwords or credit card data. The Cloud9 browser botnet can also inject ads surreptitiously, silently loading webpages to generate ad impressions and revenue.
The malware can also enlist the host's computing power to perform layer 7 DDoS attacks by issuing HTTP POST requests to the targeted domain. Threat analysts at Zimperium commented on this activity and the likely aim of the developer behind the browser botnet:
“Layer 7 attacks are usually very hard to detect because the TCP connection looks very similar to legitimate requests. The developer is likely using this botnet to provide a service to perform DDOS.”
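Because a layer 7 flood from infected browsers consists of well-formed HTTP requests, detection has to rely on request behaviour rather than on the connection itself. The following is an added example, not code from Zimperium or from the report: a small detector that parses web server access-log lines (Apache/nginx combined format is assumed) and flags clients whose POST rate within a sliding window exceeds a threshold, run over constructed sample log lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the start of a combined-format access-log line: client IP, timestamp, method, path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]


def find_post_floods(lines, window_s=10, threshold=20):
    """Return {ip: peak POST count} for every client that sends at least
    `threshold` POST requests within any `window_s`-second sliding window.
    Lines are expected in chronological order per client, as in a real log."""
    windows = defaultdict(deque)  # per-client timestamps of recent POSTs
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "POST":
            continue  # ignore unparseable lines and non-POST methods
        ip, ts, _, _ = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed sample log: one client (documentation address 203.0.113.7) issues 25 POSTs
# to /login within 9 seconds, while a second client shows ordinary browsing behaviour.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Nov/2022:12:00:{i // 3:02d} +0000] "POST /login HTTP/1.1" 200 512'
    for i in range(25)
] + [
    '198.51.100.4 - - [10/Nov/2022:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Nov/2022:12:00:07 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(find_post_floods(SAMPLE_LOG))  # {'203.0.113.7': 25}
```

The threshold and window should be tuned to the normal POST rate of the endpoint being protected; a single flood source is easy to spot this way, while a distributed botnet needs the same counting applied per target path across all clients.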
Threat operators behind the Cloud9 Chrome browser botnet
In terms of attribution, the Cloud9 browser botnet is believed to be linked to the Keksec malware group, because the command-and-control domains used in the recent campaign have been observed in past attacks launched by Keksec.
Keksec is a notorious threat group behind the development and operation of multiple botnet projects. These include, but are not limited to, EnemyBot, Gafgyt, Tsunami, DarkHTTP, Necro and DarkIRC.
The targets of Cloud9 are widespread, and evidence suggests that the threat group is launching attacks against multiple browsers.