Chrome extension lets attackers steal accounts and use host machines in DDoS attacks

This topic is empty.

Viewing 1 post (of 1 total)

Author

Posts
2022-11-09 at 20:34 #356443
Nat Quinn
Keymaster
Security researchers have discovered a Chrome browser botnet that uses malicious extensions to steal accounts, inject ads and malicious JavaScript code, log keystrokes, and exploit victims’ browsers in DDoS attacks.

Bleeping Computer reports that the botnet — called ‘Cloud9’ — is essentially a remote access trojan that lets malicious actors execute commands remotely.

The Cloud9 extension is not available on the official Chrome store but has been circulated through other channels, including websites offering bogus Adobe Flash Player updates.

The approach seems effective, with researchers at Zimperium claiming they have seen Cloud9 infections worldwide.

How it works

The Cloud9 extension comprises three JavaScript files designed to collect system information, leverage host resources to mine cryptocurrency, perform DDoS attacks, and inject code to run browser exploits.

Zimperium observed the loading of the following exploits for vulnerabilities on various browsers:
- Firefox — CVE-2019-11708 and CVE-2019-9810.
- Internet Explorer — CVE-2014-6332 and CVE-2016-0189.
- Edge — CVE-2016-7200.
The exploits automatically install and run Windows malware on the host’s machine, which can lead to further system compromises.

However, the extensions are dangerous even without the Windows malware component, as they can steal browser cookies, which attackers can use to hijack valid user sessions and take over accounts.

The extension also includes a keylogger to steal passwords and sensitive information and a “clipper” component that monitors the system clipboard for passwords or credit card information.

Zimperium said the malware could also enlist the infected hosts to participate in layer 7 DDoS attacks.

“Layer 7 attacks are usually very hard to detect because the TCP connection looks very similar to legitimate requests,” it said.

“The developer is likely using this botnet to provide a service to perform DDOS.”

Chrome extension lets attackers steal accounts and use host machines in DDoS attacks (mybroadband.co.za)
Author

Posts

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.

Chrome extension lets attackers steal accounts and use host machines in DDoS attacks

Security researchers have discovered a Chrome browser botnet that uses malicious extensions to steal accounts, inject ads and malicious JavaScript code, log keystrokes, and exploit victims’ browsers in DDoS attacks.

Bleeping Computer reports that the botnet — called ‘Cloud9’ — is essentially a remote access trojan that lets malicious actors execute commands remotely.

The Cloud9 extension is not available on the official Chrome store but has been circulated through other channels, including websites offering bogus Adobe Flash Player updates.

The approach seems effective, with researchers at Zimperium claiming they have seen Cloud9 infections worldwide.

How it works

The Cloud9 extension comprises three JavaScript files designed to collect system information, leverage host resources to mine cryptocurrency, perform DDoS attacks, and inject code to run browser exploits.

Zimperium observed the loading of the following exploits for vulnerabilities on various browsers:

Firefox — CVE-2019-11708 and CVE-2019-9810.

Internet Explorer — CVE-2014-6332 and CVE-2016-0189.

Edge — CVE-2016-7200.

The exploits automatically install and run Windows malware on the host’s machine, which can lead to further system compromises.

However, the extensions are dangerous even without the Windows malware component, as they can steal browser cookies, which attackers can use to hijack valid user sessions and take over accounts.

The extension also includes a keylogger to steal passwords and sensitive information and a “clipper” component that monitors the system clipboard for passwords or credit card information.

Zimperium said the malware could also enlist the infected hosts to participate in layer 7 DDoS attacks.

“Layer 7 attacks are usually very hard to detect because the TCP connection looks very similar to legitimate requests,” it said.

“The developer is likely using this botnet to provide a service to perform DDOS.”

Quick Links

Points of Interest

Legal Info