Researchers uncover Cloud9, a new botnet for phishing on Google Chrome

November 9, 2022

After launching a phishing attack known as Cloud9 against Google Chrome users, threat actors have decided to bring cloud nine to us instead of taking us to cloud nine. The Cloud9 Chrome browser botnet steals online accounts, logs keystrokes, injects ads and malicious JS code, and engages in DDoS attacks via the victim’s browser.

Cloud9 is a botnet, a network of computers controlled by a group of hackers, that lets them remotely access any computer in the network, including all its data, and use it for any purpose. Instead of installing a Trojan on victims’ computers, they used a malicious extension for Google Chrome and any other Chromium-based browser distributed through the Chrome Store. The extension posed as a Flash plugin that would let the browser load this type of content.

The vulnerabilities exploited are CVE-2019-11708 and CVE-2019-9810 in Firefox, CVE-2014-6332 and CVE-2016-0189 in Internet Explorer, and CVE-2016-7200 in Edge.

Once the plugin is installed, the browser joins the botnet and waits for orders from the hackers. The hackers can then steal online accounts, record all keystrokes and inject ads and malicious JavaScript code without arousing the user's suspicion. They also use infected computers to launch distributed denial-of-service (DDoS) attacks.

Even without the Windows malware component, the Cloud9 extension can steal cookies from the compromised browser and be used to hijack valid user sessions and take over accounts.

The malicious Chrome extension is not available on the official Chrome Web Store, but it is disseminated through other channels, such as websites that promote fake Adobe Flash Player updates.
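A defender-side check for the traits described above (an extension that did not come from the Chrome Web Store, can read cookies, and injects script into every page), added here as an example and not taken from the article or the researchers. The finding labels, the sample manifests and the `update_url` heuristic are assumptions of this example.

```python
import json
from pathlib import Path

WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (MV2 or MV3)."""
    findings = []
    # Heuristic: Web Store installs carry the store's update_url; unpacked
    # or side-loaded extensions usually have none or a different one.
    if manifest.get("update_url") != WEB_STORE_UPDATE_URL:
        findings.append("not-from-web-store")
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = perms | set(manifest.get("host_permissions", []))
    # The cookies API plus access to every host exposes all session cookies.
    if "cookies" in perms and hosts & BROAD_HOSTS:
        findings.append("cookie-access-all-sites")
    # Content scripts matching every page can inject JS and see keystrokes.
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content-script-all-sites")
            break
    return findings

def audit_tree(root: Path) -> dict[str, list[str]]:
    """Audit every manifest.json under root (e.g. a profile's Extensions dir)."""
    report = {}
    for path in sorted(root.rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            findings = audit_manifest(manifest)
        except (OSError, ValueError, AttributeError, TypeError):
            findings = ["unreadable-manifest"]
        if findings:
            report[str(path)] = findings
    return report

# Constructed sample: a fake "Flash Player" extension, not the real Cloud9 manifest.
SAMPLE_SIDELOADED = {
    "name": "Flash Player", "manifest_version": 2, "version": "1.0",
    "permissions": ["cookies", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
# Constructed sample: a store-installed extension limited to one site.
SAMPLE_STORE = {
    "name": "Example Notes", "manifest_version": 3, "version": "2.1",
    "update_url": WEB_STORE_UPDATE_URL,
    "permissions": ["storage"], "host_permissions": ["https://notes.example/*"],
}
```

Point `audit_tree` at a browser profile's `Extensions` directory or at an unpacked extension folder; a finding is a reason to review the extension, not proof that it is malicious.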

The sources for this piece include an article in BleepingComputer.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
