Chrome extension lets attackers steal accounts and use host machines in DDoS attacks
2022-11-09 at 20:34 #356443 Nat Quinn (Keymaster)
Security researchers have discovered a Chrome browser botnet that uses malicious extensions to steal accounts, inject ads and malicious JavaScript code, log keystrokes, and exploit victims’ browsers in DDoS attacks.
Bleeping Computer reports that the botnet — called ‘Cloud9’ — is essentially a remote access trojan that lets malicious actors execute commands remotely.
The Cloud9 extension is not available on the official Chrome Web Store but has been circulated through other channels, including websites offering bogus Adobe Flash Player updates.
The approach seems effective, with researchers at Zimperium claiming they have seen Cloud9 infections worldwide.
How it works
The Cloud9 extension comprises three JavaScript files designed to collect system information, leverage host resources to mine cryptocurrency, perform DDoS attacks, and inject code to run browser exploits.
Zimperium observed the loading of the following exploits for vulnerabilities in various browsers:
- Firefox: CVE-2019-11708 and CVE-2019-9810.
- Internet Explorer: CVE-2014-6332 and CVE-2016-0189.
- Edge: CVE-2016-7200.
The exploits automatically install and run Windows malware on the host machine, which can lead to further system compromise.
However, the extensions are dangerous even without the Windows malware component, as they can steal browser cookies, which attackers can use to hijack valid user sessions and take over accounts.
The extension also includes a keylogger to steal passwords and sensitive information and a “clipper” component that monitors the system clipboard for passwords or credit card information.
Zimperium said the malware could also enlist the infected hosts to participate in layer 7 DDoS attacks.
“Layer 7 attacks are usually very hard to detect because the TCP connection looks very similar to legitimate requests,” it said.
“The developer is likely using this botnet to provide a service to perform DDOS.”
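A practical follow-up to the post above: because Cloud9 is sideloaded rather than installed from the Chrome Web Store, it lives on disk as an unpacked extension directory whose manifest.json is readable. The script below is an added example (it is not code from the original post, from Bleeping Computer or from Zimperium's report) that triages such a manifest for the capabilities a Cloud9-style extension needs: host access to every site, the cookies permission (session hijacking), content scripts injected into every page (keylogging, ad and script injection), webRequest, and clipboardRead (the "clipper"). The list of risky permissions, the severity scale, the update_url heuristic and the sample manifest are my own assumptions for illustration; the sample manifest is constructed and is not the real Cloud9 manifest.

```javascript
// Added example: triage a Chrome extension manifest for Cloud9-style capabilities.
// Not part of the original post; permission list and severities are the
// author's own heuristics, not a Chrome or Zimperium classification.

// Permissions that, combined with broad host access, let an extension read
// session cookies, watch every page (keylogging), or read the clipboard.
const RISKY_PERMISSIONS = {
  cookies: 'can read session cookies for any host it has access to',
  webRequest: 'can observe all HTTP traffic',
  webRequestBlocking: 'can block or rewrite HTTP requests',
  clipboardRead: 'can read the system clipboard (clipper behaviour)',
  tabs: 'can enumerate open tabs and their URLs',
  scripting: 'can inject scripts into pages it has host access to',
  debugger: 'can attach the DevTools protocol to any tab',
  nativeMessaging: 'can talk to a native host process',
};

// Host patterns that amount to "every site".
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const isBroad = (pattern) => BROAD_HOSTS.has(pattern);

// Chrome records this update_url for extensions it installed from the Web Store.
// Its absence is only a heuristic for "unpacked or sideloaded", not proof.
const WEBSTORE_UPDATE_URL = 'https://clients2.google.com/service/update2/crx';

// Return a list of { severity, detail } findings for a parsed manifest object.
// Handles both Manifest V2 (hosts in "permissions") and V3 ("host_permissions").
function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter((p) => p === '<all_urls>' || p.includes('://')),
  ];
  const broadHost = hosts.some(isBroad);

  if (broadHost) {
    findings.push({ severity: 'high', detail: 'host access to every site' });
  }
  for (const p of perms) {
    if (RISKY_PERMISSIONS[p]) {
      // The same permission matters more when it applies to every origin.
      findings.push({ severity: broadHost ? 'high' : 'medium', detail: `${p}: ${RISKY_PERMISSIONS[p]}` });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroad)) {
      const frames = cs.all_frames ? ' (all frames)' : '';
      findings.push({ severity: 'high', detail: `content script ${JSON.stringify(cs.js || [])} injected into every page${frames}` });
    }
  }
  if (manifest.update_url !== WEBSTORE_UPDATE_URL) {
    findings.push({ severity: 'info', detail: 'update_url absent or not the Chrome Web Store: likely unpacked or sideloaded (heuristic)' });
  }
  return findings;
}

// Count findings per severity, e.g. { high: 7, info: 1 }.
function countBySeverity(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}

// Constructed sample manifest for demonstration: the shape a fake "Flash update"
// extension would need for cookie theft, keylogging and clipping. Not the real Cloud9 manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Flash Player Update',
  version: '1.0',
  permissions: ['cookies', 'tabs', 'webRequest', 'webRequestBlocking', 'clipboardRead', '<all_urls>'],
  background: { scripts: ['background.js'] },
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'], all_frames: true, run_at: 'document_start' }],
};

// Usage: node audit-manifest.js <path/to/manifest.json>; with no argument, audits the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const manifest = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_MANIFEST;
  const findings = auditManifest(manifest);
  for (const f of findings) console.log(`[${f.severity}] ${f.detail}`);
  console.log(countBySeverity(findings));
}
```

On a managed fleet the admin-side complement to this check is the Chrome ExtensionInstallAllowlist / ExtensionInstallBlocklist policy, which stops users from loading extensions that are not on the approved list in the first place.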