Researchers at Zimperium's zLabs research department have discovered a malicious browser extension, dubbed Cloud9. The extension is designed to steal private and sensitive user information and to take full control of the victim's computer.
Cloud9 is especially unnerving because it steals data directly from your computer by monitoring your keystrokes (i.e. keylogging). The web browser is an attractive place for cybercriminals to spy on victims: it is while browsing the web that you are most likely to enter highly sought-after credentials, such as bank passwords and other sensitive information, and entering them online is a routine, easy action.
What do we know about Cloud9?
As its name suggests, Cloud9 is a botnet; in practice it operates as a remote access trojan (RAT). Researchers encountered two versions of Cloud9: the original and an improved variant. The report focuses on the latter because, according to the report, it "contains all of the functionalities of both variants".
Among the capabilities described in the report, Cloud9 can:
• Log your keystrokes to steal credit card numbers, bank passwords, and more.
• Read the clipboard to steal data you have copied and pasted.
• Steal your cookies and use them to hijack your sessions.
• Mine cryptocurrency using the resources of your browser and computer.
• Inject malicious code into your device, giving the attacker full control of it.
• Use your PC to launch DDoS attacks against other websites.
• Inject pop-ups or advertisements into the pages you visit.
The Zimperium zLabs team notes that Cloud9, although a malicious browser plugin, is not distributed through any official extension repository (e.g. the Chrome Web Store). Instead, the researchers found that it is most often spread through malicious websites, masquerading as an Adobe Flash Player update.
What is the history of Cloud9 and where did it come from?
Tracing its origin, the investigators connected Cloud9 to a malware group called Keksec, which Zimperium zLabs researchers say has been behind many attacks and is associated with mining-related malware.
The Cloud9 botnet is currently being offered on several hacker forums around the world, either for free or for a few hundred dollars. The company's report warned that the malware does not target a specific group: the criminals behind it go after all users, to extract as much valuable information, and profit, as possible.
Zimperium's report notes that browsers are exposed because traditional endpoint security solutions do not monitor this attack vector. Cloud9 should remain a distant threat, however, as long as you do not side-load extensions from malicious websites into your browser or run fraudulent executables downloaded from such sites.
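As an added defensive check, not code from the Zimperium report: a Python script that reads a Chrome profile's Preferences JSON and flags extensions that were not installed from the Web Store or were loaded from a side-loaded location, listing any permissions that would enable the capabilities described above. It assumes Chrome's `extensions.settings` layout with the `from_webstore`, `location` and `manifest` keys and the `location` values commented in the code; the sample profile is constructed.

```python
import json
from pathlib import Path

# Chrome ManifestLocation values as assumed here (not from the article): 1 = internal/store
# install, 4 = "Load unpacked", 5 = component (ships with Chrome), 8 = --load-extension.
LOCATION_NAMES = {1: "internal", 2: "external_pref", 3: "external_registry",
                  4: "unpacked", 5: "component", 6: "external_pref_download",
                  8: "command_line"}
SIDELOAD_LOCATIONS = {2, 3, 4, 6, 8}
RISKY_PERMS = {"<all_urls>", "cookies", "tabs", "webRequest", "webRequestBlocking",
               "clipboardRead", "debugger", "scripting"}  # enable Cloud9-style capabilities

def flag_extensions(prefs: dict) -> list[dict]:
    """Return a finding for every extension not installed from the Web Store."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        loc = entry.get("location")
        if loc == 5:  # component extensions are part of Chrome itself
            continue
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if loc in SIDELOAD_LOCATIONS:
            reasons.append(f"side-loaded ({LOCATION_NAMES.get(loc, loc)})")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "path": entry.get("path", ""), "reasons": reasons,
                             "risky_permissions": sorted(perms & RISKY_PERMS)})
    return findings

def scan_profile(profile_dir: str) -> list[dict]:
    """Scan a real profile directory (Windows keeps extensions in 'Secure Preferences')."""
    findings = []
    for name in ("Preferences", "Secure Preferences"):
        path = Path(profile_dir) / name
        if path.is_file():
            findings += flag_extensions(json.loads(path.read_text(encoding="utf-8")))
    return findings

# Constructed sample: a Web Store install plus a side-loaded "Flash update" extension.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": True, "location": 1,
        "manifest": {"name": "Password Manager", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": False, "location": 4,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\flash_update",
        "manifest": {"name": "Adobe Flash Player Update", "manifest_version": 3,
                     "permissions": ["cookies", "tabs", "scripting", "clipboardRead"],
                     "host_permissions": ["<all_urls>"]}}}}}
```

Run `scan_profile()` against a user's Chrome profile directory (e.g. the `Default` folder under Chrome's user data directory) to list every extension that did not come from the Web Store, then review the flagged entries' paths and permissions by hand.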