Cloud9 Malware Infecting Businesses Across the Globe

Cloud9 Malware is a Paradise of Cyber Attack Methods — Infecting Businesses Across the Globe

Key Points:

• The Cloud9 browser extension for Chrome and Edge is a haven for cybercriminals and a potential catastrophe for business users.
• The malicious browser extension allows hackers to remotely take over users’ browser sessions and execute a full range of attacks.
• Attackers have built the extension to install malware, mine cryptocurrency, steal people’s cookies, or execute a full device takeover.
•  Businesses should be on high alert because it’s unclear how Cloud9 spread.
• The botnet has wide attack capabilities, and a typical endpoint security system can’t detect it.

Web browsers have the most lucrative and interesting data about users. Malware developers understand this and are building malicious extensions to exploit the data.

Recently, Cloud9 — a malicious browser extension that works on all Chromium-based browsers, has been raging on the web. The extension author has designed it to execute a myriad of malicious activities, including:

• Cryptocurrency mining
• Stealing cookies and other information
• Installing other malware
• Entire device takeover

The browser extension takes the multi-tool approach, allowing it to act as a remote access Trojan (RAT).

What Exactly is Cloud9 Botnet?

Cloud9 botnet has been active since 2017 and has three JavaScript files. Research shows that the extension’s author updated it in 2020 to proliferate websites as a single JavaScript that can be added to any website using script tags.

Cyber experts link Cloud9 to Keksec Malware Gang — a well-resourced group — famous for creating botnet-for-hire. As the Cloud9 malware is quite trivial and free, many malware groups or individual hackers can use it for specific ii-intended purposes.

The Risk that Cloud9 Malware Poses to Business Users

While Cloud9 offers a platform for malicious activities, the author didn’t design it for specific users. The malware targets all types of users and retrieves user information for both business and individual users. The malware is much a consumer threat as it is a personal threat to increase the attack surface.

Attackers take advantage of the platform and use the botnet to infiltrate computers and escalate malicious activity. The most threatening capability of the Cloud9 malware include:

• The ability to fetch malicious resources and install them on users’ machines to propagate further attacks
• Stealing clipboard data to try to get login credentials or credit card numbers
• Cookie theft to compromise users’ session
• Ability to launch Layer 4/ Layer 7 hybrid attacks, which can then be used to execute a DDoS attacks on your machine
• Key logging to steal passwords and other confidential information
• Operating system and browser detection to deliver next-stage payloads
• Ads injection to force pop-ups
• Silently loading web pages for ads and malicious code injections
• Cryptocurrency mining using the victim’s device, browser, and resources
• JavaScript code execution from unknown sources to propagate further malicious code delivery
• Ability to send a browser exploit to inject malicious code
• Ability to take complete control of victim’s devices

All these capabilities make the malware a potential threat to users.

How the Cloud9 Botnet Attack Happens

Most Cloud9 attacks are multifaceted and execute several malicious activities simultaneously. The worst part is that it can escape the browser and run malware on the victim’s device.

Here’s an outline of how Cloud9 attacks usually occur:

• Step 1: The main feature of the Cloud9 extension is in a file called campaign.Js that attackers can use as a standalone to redirect victims to malicious websites.
• Step 2: The first task of campaign.js is to identify the victims’ OS and browser type.
• Step 3: Then, campaign.js will inject a JavaScript file into the user’s browser to mine cryptocurrency using the victim resources. Consequently, the user will experience diminished device performance, increased energy usage, and reduced hardware lifespan.
• Step 4: Cloud9 then injects another script with a full-chain exploit for vulnerabilities on Firefox on a Windows, OS 64 bits machine. If successful, the exploit will fetch Window-based malware to allow the hacker to take over the entire system.

The Cloud9 malware can affect other browsers, such as Internet Explorer, Edge, or Brave. If successful, the attacker gains the user’s right as the current user to execute codes on the victim’s device.

If the user is logged on with administrative rights, a hacker can:

• Install malicious programs
• Change security settings
• View, change, or delete data
• Create a new account with full user right

The attacker can also use the malware’s capabilities to send POST requests to any domain and execute a layer 7 DDoS attack.

How The Cloud9 Malware Spreads

Cybersecurity experts believe that a group of hackers called Keksec are running the latest malware distribution campaign. The threat actor uses side-loading through fake malicious and executable websites that initiate the Adobe Flash Players updates.

You can also get infected with the Cloud9 malware through malicious spam, fake email links and attachments, and Trojan-infected downloads.

How Businesses Can Protect Themselves From Cloud9 Malware

The vast capabilities of Cloud9 mean that organizations should be on high alert. After all, a typical endpoint security solution cannot detect the attack of this vector, making browsers in your business susceptible and vulnerable.

The best way you can protect your company is by:

• Training employees about the risks associated with browser extensions
• Checking what security controls your business has in place for such a risk
• Ensuring all browsers on your company’s PCs are official Chrome extensions and deleting the unofficial ones
• Updating your browsers to interrupt any tracks of the attacker
• Downloading extensions only from official verified channels

You’ll never find the Cloud9 extension on any official browser extension store. The malware distribution relies on threat actor communities sharing to deliver to victims.

The best way to protect your business against Cloud9 botnet is to create awareness of the dangers of unofficial extensions among your employees.

Help Put a Stop to the New Vicious Cloud9 Threat

Businesses should be concerned about the Cloud9 malware because it can bypass a typical endpoint detection system. An attacker might camp in your company’s IT system, only for you to realize when it’s too late.

Your best protection is educating employees about the dangers of using web browser extensions and creating cybersecurity awareness.  More importantly, ensure your security frameworks can detect and handle malware from unsuspected attack vectors.