Cloud9 botnet uses malicious extensions to take control of browsers and Windows

Researchers at cybersecurity firm Zimperium have discovered a botnet made up of web browsers infected with malware. The malware in question, known as Cloud9, comes in the form of browser extensions. Once installed, these extensions take over the infected browser to steal valuable information and perform DDoS attacks. The malware is also capable of exploiting several vulnerabilities to escape the browser and infect the underlying Windows operating system.

Unlike many other malicious browser extensions, the extensions carrying the Cloud9 malware have never been available on official browser extension stores, as far as Zimperium is aware. Instead, threat actors appear to distribute the malware most often through websites offering fake Adobe Flash Player updates. Although Adobe officially discontinued Flash Player in December 2020 and modern web browsers no longer support it, some websites still offer Flash games and other Flash content, and users hoping to access that content may be directed to sites promoting bogus Flash Player updates.

Malicious extension disguised as Adobe Flash Player installed on Chrome (source: Zimperium)

Unfortunately, threat actors are only too willing to take advantage of these users by providing them with malware-laden browser extensions disguised as Adobe Flash Player. The Cloud9 malware contained in these extensions has a wide range of capabilities, including cookie theft and keylogging. Beyond hijacking login sessions and capturing anything typed into text fields, Cloud9 can mine cryptocurrency in the infected browser and direct it to take part in Distributed Denial of Service (DDoS) attacks, such as those recently launched against Overwatch 2 and Wynncraft servers.

As if malicious behavior inside the infected browser were not enough, Cloud9 can also break out of the browser to infect the operating system (OS). The malware begins by fingerprinting the machine's operating system and browser, then contacts a command and control (C2) server to download additional malicious payloads for further attacks. If the infected browser is Firefox, Microsoft Edge or Internet Explorer and the underlying operating system is Windows, Cloud9 can use several exploits to escape the browser sandbox.

The vulnerabilities in question are relatively old, dating from 2014 to 2019, and have long since been patched. Nevertheless, four of the five were listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog in 2022, meaning threat actors are still exploiting them because some machines still run old, unpatched browser versions. To avoid falling prey to Cloud9, users and organizations should install the latest browser and operating system security updates and refrain from installing any browser extension claiming to be Adobe Flash Player.
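For readers who want to check their own machines for the kind of extension described above, the following Python script is an added example (not Zimperium's code, and not derived from the Cloud9 sample). It walks a Chrome or Edge profile's Extensions folder, parses each manifest.json, and flags extensions that claim to be Adobe Flash Player or that request the combination of permissions an extension would need to read cookies and capture input on every site. The sample manifests embedded at the bottom are constructed for the demonstration, and the permission set treated as sensitive is an assumption about what cookie theft and keylogging require, not an indicator published for Cloud9.

```python
"""Triage installed Chromium-style extensions for Cloud9-like traits.

Added example, not Zimperium's code. Chrome and Edge store unpacked extensions
as <profile>/Extensions/<extension id>/<version>/manifest.json, which is the
layout scanned here. The sample manifests below are constructed for the demo.
"""
import json
import os
import tempfile

# Assumption: an extension that can read cookies and run on every page has
# what it needs for session theft and keylogging. Not a published Cloud9 IOC.
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "tabs", "<all_urls>", "webNavigation"}
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
FLASH_KEYWORDS = ("flash player", "adobe flash", "shockwave flash")


def assess_manifest(manifest):
    """Return a list of (severity, reason) findings for one parsed manifest."""
    findings = []
    name = str(manifest.get("name", "")).lower()
    desc = str(manifest.get("description", "")).lower()
    if any(k in name or k in desc for k in FLASH_KEYWORDS):
        findings.append(("high", "claims to be Adobe Flash Player (discontinued December 2020)"))

    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    # A content script injected into every site is equivalent to <all_urls>
    # for the purpose of capturing keystrokes and form input.
    for script in manifest.get("content_scripts", []):
        if ALL_SITES_PATTERNS & set(script.get("matches", [])):
            perms.add("<all_urls>")
    overlap = perms & SENSITIVE_PERMISSIONS
    if "cookies" in overlap and "<all_urls>" in overlap:
        findings.append(("high", "can read cookies and run on every site: %s" % sorted(overlap)))
    elif len(overlap) >= 2:
        findings.append(("medium", "broad permissions: %s" % sorted(overlap)))

    # A CSP permitting eval lets the extension run code fetched from a C2 server.
    if "unsafe-eval" in str(manifest.get("content_security_policy", "")):
        findings.append(("medium", "CSP allows unsafe-eval"))
    return findings


def scan_extensions(root):
    """Walk an Extensions directory; return {manifest path: findings} for flagged ones."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        try:
            with open(path, encoding="utf-8-sig") as fh:  # tolerate a UTF-8 BOM
                manifest = json.load(fh)
        except (OSError, ValueError):
            results[path] = [("low", "unreadable manifest")]
            continue
        findings = assess_manifest(manifest)
        if findings:
            results[path] = findings
    return results


# Constructed sample tree: extension ids are placeholders, not real ids.
SAMPLE_MANIFESTS = {
    os.path.join("flashid", "1.0_0"): {
        "manifest_version": 2, "name": "Adobe Flash Player", "version": "32.0",
        "permissions": ["cookies", "tabs", "webRequest", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
    },
    os.path.join("benignid", "2.3_0"): {
        "manifest_version": 3, "name": "Dark Reader", "version": "2.3",
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["theme.js"]}],
    },
    os.path.join("broadid", "0.1_0"): {
        "manifest_version": 2, "name": "Tab Helper", "version": "0.1",
        "permissions": ["tabs", "webNavigation"],
    },
}


def build_sample_tree():
    """Write the constructed manifests into a temporary Extensions-style tree."""
    root = tempfile.mkdtemp(prefix="ext-demo-")
    for rel, manifest in SAMPLE_MANIFESTS.items():
        ext_dir = os.path.join(root, rel)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for manifest_path, found in scan_extensions(demo_root).items():
        print(manifest_path)
        for severity, reason in found:
            print("  [%s] %s" % (severity, reason))
```

On a real Windows machine, point scan_extensions at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions (or the equivalent path under Microsoft\Edge) instead of the constructed tree; a permission-based flag alone is only a prompt to look closer, since legitimate extensions such as password managers legitimately request cookie and all-site access.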
