Cloud9 botnet leveraged by attackers to obtain remote access on targeted devices of victims...

Continue reading
Cloud9 is a new Chrome browser botnet that has been found in the wild leveraging malicious extensions to steal cookies, and user credentials, record keystrokes, inject adverts and malicious JS code and enroll the victim's browser in DDoS attacks.
Threat actors may remotely execute their commands by using the Cloud9 browser botnet, which is a remote access trojan (RAT) for the Chromium web browser. This includes popular browsers like Google Chrome and Microsoft Edge.
Instead of being distributed via the official Chrome web store, where it would be more evident to detect, the malicious Chrome extension is instead spread through other channels, including websites that falsely claim to update Adobe Flash Player.

*Extension for Google Chrome that adds malware.*
Our analysis confirmed that Cloud9's entire infection chain went through Chromium-based browsers across the globe.
Cloud9 is a malicious add-on that allows compromised versions of the Chromium web browser to obtain remote access to the server and execute various malicious activities.
The add-on has three JavaScript files and may be used to launch DDoS attacks, mine cryptocurrency using the host's resources, inject scripts that run browser exploits, and steal system information.
Our analysis shows that exploits were being loaded for Firefox CVE-2019-11708 and CVE-2019-9810, Internet Explorer CVE-2014-6332 and CVE-2016-0189, and Microsoft Edge CVE-2016-7200.
When exploited, these security flaws allow Windows malware to be installed and executed automatically on the host, giving attackers access to the machine and allowing them to further corrupt it.
Cloud9 extension may harvest cookies from the infected browser, allowing threat actors to hijack legitimate user sessions and access accounts, even without the Windows malware component.

*Browser cookies stealer*
Google spokesman has shared their insights, suggesting that customers should upgrade to the most recent version of Google Chrome to ensure they have the most recent security measures in place. In addition, Chrome's Enhanced Protection, included in the browser's settings for privacy and security, helps users remain safe from harmful software and websites.
You will be alerted to potentially harmful websites and downloads, and your downloads will be inspected for possible threats before they are ever saved to your computer.
The malware also features a keylogger that may monitor your keystrokes and steal your passwords and other personal data.
The extension includes a _"clipper"_ component that watches the system clipboard for copied sensitive information such as passwords and credit card numbers.

*clipper subsystem of Cloud9*
Cloud9 may also discreetly load web pages while injecting advertisements, resulting in ad impressions and, ultimately, money for the service's owners.
As a final step, the malware may use the host's resources to launch layer 7 DDoS attacks by sending HTTP POST requests to the target domain.
It was also noted that, _" the TCP connection in a Layer 7 attack appears remarkably similar to genuine requests,"_ making such attacks challenging to detect. However, it is quite probable that the operator is offering DDOS attacks through this botnet as a service.
Since the C2 domains used in the latest campaign have previously been spotted in attacks by the Keksec malware gang, the hackers behind Cloud9 are likely affiliated with Keksec.
EnemyBot, Tsunamy, Gafgyt, DarkHTTP, DarkIRC, and Necro are just a few of the botnet initiatives that Keksec has created and is in charge of.
Victims of Cloud9 may be found all over the globe, and the threat actor's own forum screenshots show that the browsers they focus on are not all the same. However, it is yet unclear how many people have been affected by this malware.
There is no mistaking that this malware family is attempting to broaden its reach by attacking across browsers and operating systems. Some of the victims of the threat actor's attacks were demonstrated in the below screenshots we obtained from hackers forum.


*Snapshot of the Cloud9 control panel*
It was further suspected that Keksec is renting or leasing Cloud9 to other operators because of its widespread marketing on cybercrime forums.


*Hacker forum where the malware was distributed*
`d8159d8b2f82ca62d73e15f8fc9f38831090afe99a75560effb1ad81dcb46228` `fc194cd7fe68424071feb3087cd5aa6616dfcd7cc06588d867505dd969f50db4` `4b7ba9632318c84115ec345e2c4d07283c6a81e0112bb38b9400f0fabeb8e3be` `062ebb3d6967744ecd9abba13fdae1edb2ae5248e228d1ad39800bc742815d02` `f22eb3fab95165f994bb12c9764583939db12176a298aeb065586b7d01301165` `Dc20a36d9e2e767bb994d29a50b75afc3ac757e430a7d6abb1fa8ef7fe44ebfa`

Chinese-speaking TA4922 expands into Europe, deploying new Atlas RAT malware in phishing campaigns targeting organizations across sectors.