Key Points:
Web browsers have the most lucrative and interesting data about users. Malware developers understand this and are building malicious extensions to exploit the data.
Recently, Cloud9, a malicious browser extension that works on all Chromium-based browsers, has been spreading across the web. The extension author has designed it to execute a myriad of malicious activities, including:
The browser extension takes the multi-tool approach, allowing it to act as a remote access Trojan (RAT).
The Cloud9 botnet has been active since 2017 and consists of three JavaScript files. Research shows that the extension's author updated it in 2020 so that it can also propagate through websites as a single JavaScript file, which can be injected into any website using script tags.
Cyber experts link Cloud9 to the Keksec malware gang, a well-resourced group known for running botnet-for-hire operations. Because the Cloud9 malware is quite trivial and free, many malware groups or individual hackers can use it for their own ill-intended purposes.
While Cloud9 offers a platform for malicious activities, the author did not design it for specific targets. The malware targets all types of users and retrieves user information from both business and individual users. It is as much a consumer threat as it is a business threat, and in both cases it increases the attack surface.
Attackers take advantage of the platform and use the botnet to infiltrate computers and escalate malicious activity. The most threatening capabilities of the Cloud9 malware include:
All these capabilities make the malware a potential threat to users.
Most Cloud9 attacks are multifaceted and execute several malicious activities simultaneously. The worst part is that it can escape the browser and run malware on the victim’s device.
Here’s an outline of how Cloud9 attacks usually occur:
The Cloud9 malware can affect other browsers, such as Internet Explorer, Edge, or Brave. If successful, the attacker gains the rights of the current user and can execute code on the victim's device.
If the user is logged on with administrative rights, a hacker can:
The attacker can also use the malware’s capabilities to send POST requests to any domain and execute a layer 7 DDoS attack.
Cybersecurity experts believe that a group of hackers called Keksec is running the latest malware distribution campaign. The threat actor uses side-loading via fake websites that serve malicious executables disguised as Adobe Flash Player updates.
You can also get infected with the Cloud9 malware through malicious spam, fake email links and attachments, and Trojan-infected downloads.
The vast capabilities of Cloud9 mean that organizations should be on high alert. After all, a typical endpoint security solution cannot detect attacks arriving through this vector, which leaves the browsers in your business susceptible and vulnerable.
The best way you can protect your company is by:
You will never find the Cloud9 extension on any official browser extension store. Its distribution relies on threat-actor communities sharing it among themselves and delivering it to victims directly.
The best way to protect your business against Cloud9 botnet is to create awareness of the dangers of unofficial extensions among your employees.
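As an added example (not code from this article, and not derived from any Cloud9 sample), the following Python script implements the check the advice above implies: it walks a Chromium profile's `Extensions` folder and flags any extension whose manifest lacks an official store `update_url`, which is how a sideloaded extension such as the one described here presents itself, and separately flags any extension that requests access to every site. The profile layout and the two store URLs are real Chromium conventions; the two sample extensions, their ids and their names are constructed for the example.

```python
"""Heuristic audit of installed Chromium extensions.

Flags (1) extensions not installed from an official web store, i.e. no store
update_url in the manifest (sideloaded or loaded unpacked), and (2) extensions
that request host access to every site.  Added example for this article; it is
not Cloud9 code and not a signature for it.
"""
import json
import tempfile
from pathlib import Path

# update_url values that the official stores write into a manifest (real values)
STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",          # Chrome Web Store
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",  # Microsoft Edge Add-ons
}
# host patterns that grant an extension access to every site
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifests(profile_dir):
    """Yield (extension_id, version, manifest_dict) for every
    <profile>/Extensions/<id>/<version>/manifest.json under a Chromium profile."""
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return
    for id_dir in sorted(ext_root.iterdir()):
        if not id_dir.is_dir():
            continue
        for ver_dir in sorted(id_dir.iterdir()):
            manifest = ver_dir / "manifest.json"
            if manifest.is_file():
                try:
                    data = json.loads(manifest.read_text(encoding="utf-8"))
                except (OSError, ValueError):
                    data = {}  # unreadable manifest still gets reported as non-store
                yield id_dir.name, ver_dir.name, data


def audit_extensions(profile_dir):
    """Return a list of findings; each finding names the extension and the reasons."""
    findings = []
    for ext_id, version, m in load_manifests(profile_dir):
        reasons = []
        if m.get("update_url") not in STORE_UPDATE_URLS:
            reasons.append("not installed from an official store (sideloaded or unpacked)")
        # Manifest V2 lists host patterns under "permissions"; V3 moves them to "host_permissions"
        hosts = {p for p in m.get("permissions", []) if isinstance(p, str)}
        hosts |= {p for p in m.get("host_permissions", []) if isinstance(p, str)}
        if hosts & BROAD_HOSTS:
            reasons.append("requests access to every site")
        if reasons:
            findings.append({"id": ext_id, "version": version,
                             "name": m.get("name", "<unnamed>"), "reasons": reasons})
    return findings


def build_sample_profile(root):
    """Write a constructed profile with one store extension and one sideloaded
    extension (sample data for this example; the ids are placeholders, not real)."""
    samples = {
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0_0"): {
            "name": "Store Extension (sample)", "manifest_version": 3,
            "update_url": "https://clients2.google.com/service/update2/crx",
            "permissions": ["storage"],
        },
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.3_0"): {
            "name": "Sideloaded Extension (sample)", "manifest_version": 3,
            "permissions": ["tabs", "cookies"],
            "host_permissions": ["<all_urls>"],
        },
    }
    for (ext_id, version), manifest in samples.items():
        d = Path(root) / "Extensions" / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo():
    """Build the sample profile in a temp directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return audit_extensions(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['id']} v{f['version']} ({f['name']}): " + "; ".join(f["reasons"]))
```

To run it against a real machine, call `audit_extensions()` with the profile path (for Chrome on Windows that is `%LOCALAPPDATA%\Google\Chrome\User Data\Default`). Treat the output as triage rather than proof: a manifest is self-reported by the extension, so the stronger control is to enforce an allowlist of permitted extension ids through the browser's `ExtensionInstallAllowlist` policy, which prevents sideloaded extensions from loading at all.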
Businesses should be concerned about the Cloud9 malware because it can bypass a typical endpoint detection system. An attacker might persist in your company's IT environment and go unnoticed until it is too late.
Your best protection is educating employees about the dangers of installing web browser extensions and building cybersecurity awareness. More importantly, ensure your security frameworks can detect and handle malware arriving through unexpected attack vectors.