Zimperium zLabs uncovered Cloud9, a Chrome browser botnet/RAT that can steal cookies, log keystrokes, mine cryptocurrency, and drop additional malware on a victim’s device. It spreads via threat-actor communities using fake installers and malicious sites (not official stores) and is linked to the Keksec group. #Cloud9 #Keksec
Key points
- Cloud9 operates as a remote access Trojan (RAT) embedded in a browser extension with multiple capabilities such as cookie theft, keylogging, crypto mining, and browser/OS detection for staged payloads.
- The malware is distributed outside official stores through side-loading of fake executables and malicious websites masquerading as software updates (e.g., Adobe Flash Player).
- The core payloads reside in campaign.js (and cthulhu.js); manifest.json injects campaign.js into all HTTP/HTTPS pages to enable broad infection.
- Two exploit variants exist; the improved version combines both and uses CVE-2019-11708 and CVE-2019-9810 to drop Windows malware via Firefox on 64-bit Windows.
- The botnet communicates with a C2 server, polls with a 20-second delay via pingHome, and can exfiltrate keystrokes, cookies, and form data triggered by various navigation events.
- In addition to information theft, Cloud9 can perform POST-based layer-7 DDoS, execute external JavaScript, and mine cryptocurrency, broadening its impact on enterprises and consumers alike.
- Attribution ties Cloud9 to Keksec, with history dating to 2017 and updates in 2020; the tool is sold in hacker forums and can be repurposed by multiple actors.
- Defenses emphasize browser-centric risk, as traditional endpoint security may not monitor this vector; zBrowser Protect offers on-device detection to mitigate this threat.
MITRE Techniques
- [T1059.007] JavaScript – The malware injects and executes JavaScript across pages; “The manifest.json file injects campaign.js on all http/https pages.”
- [T1203] Exploitation for Client Execution – Uses a Firefox exploit chain (CVE-2019-11708 & CVE-2019-9810) to drop Windows malware; “a full-chain exploit for CVE-2019-11708 & CVE-2019-9810 targeting Firefox on a 64-bit Windows Operating System. Upon successful exploitation, it drops Windows-based malware on the device”.
- [T1499] Denial of Service – Layer 7 DDoS capability via POST requests; “This functionality can be enhanced to carry out a layer 7 DDOS attack…”
- [T1496] Resource Hijacking – Cryptocurrency mining on the victim’s device; “mines cryptocurrency on the browser”
- [T1539] Steal Web Session Cookie – Cookie theft via document.cookie and sending to C2; “CookieStealing, which can compromise user sessions.”
- [T1115] Clipboard Data – Steals clipboard data on paste events; “The window.onpaste event is fired… This code then steals that data and sends it to the C&C server.”
- [T1082] System Information Discovery – OS and browser detection to tailor payloads; “OS and Browser detection, for next stage payloads”
- [T1071.001] Web Protocols – C2 communication over web protocols via GET/POST; “The extension can also send POST requests to any domain”
- [T1189] Drive-by Compromise – Distribution via fake installers and malicious sites outside official stores; “side-loading through fake executables and malicious websites disguised as Adobe Flash Player updates”
- [T1003] Credential Dumping/Brute Force – Possible hash-cracking activity, suggested by the report’s mention of “cracking md5/sha1 hashes”
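As an added, defender-side example (not Zimperium’s code and not taken from the report): a small Python triage check for extension manifests that flags the pattern described above, a content script injected into every http/https page, together with the campaign.js / cthulhu.js script names the report cites and the cookie/tab permissions such theft relies on. The sample manifest and all thresholds are constructed for illustration.

```python
import json

# Chrome match patterns that cover every page of a scheme.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Script file names the report associates with Cloud9.
KNOWN_SCRIPT_NAMES = {"campaign.js", "cthulhu.js"}
# Permissions that, combined with all-page injection, enable session/cookie theft.
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs"}


def triage_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for a parsed manifest.json (MV2 or MV3)."""
    findings = []
    for i, cs in enumerate(manifest.get("content_scripts", [])):
        scripts = cs.get("js", [])
        broad = sorted(set(cs.get("matches", [])) & BROAD_PATTERNS)
        if broad:
            findings.append(
                f"content_scripts[{i}] injects {scripts} into every page matching {broad}")
        named = [s for s in scripts if s.rsplit("/", 1)[-1].lower() in KNOWN_SCRIPT_NAMES]
        if named:
            findings.append(f"content_scripts[{i}] uses script name(s) reported for Cloud9: {named}")
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive and perms & BROAD_PATTERNS:
        findings.append(f"sensitive permissions {sensitive} granted alongside all-host access")
    return findings


def triage_manifest_text(text: str) -> list[str]:
    """Convenience wrapper: parse raw manifest.json text, then triage it."""
    return triage_manifest(json.loads(text))


# Constructed sample manifest for illustration; not the real Cloud9 manifest.
SAMPLE_MANIFEST_JSON = """{
  "manifest_version": 2,
  "name": "Flash Player Update",
  "version": "1.0",
  "permissions": ["cookies", "tabs", "http://*/*", "https://*/*"],
  "content_scripts": [
    {"matches": ["http://*/*", "https://*/*"], "js": ["campaign.js"], "run_at": "document_start"}
  ]
}"""

if __name__ == "__main__":
    for finding in triage_manifest_text(SAMPLE_MANIFEST_JSON):
        print("FINDING:", finding)
```

Run it over the unpacked extension directories under a Chrome profile to surface extensions that warrant a closer look; a broad-match content script alone is common in legitimate extensions, so treat the findings as triage leads rather than verdicts.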
Indicators of Compromise
- [IP] Context – 70.66.139.68, 107.174.133.119
- [Domain] Context – http://download.agency/, http://download.loginserv.net/
- [Domain] Context – https://cloud-miner.de/
- [Hash] Context – d8159d8b2f82ca62d73e15f8fc9f38831090afe99a75560effb1ad81dcb46228, fc194cd7fe68424071feb3087cd5aa6616dfcd7cc06588d867505dd969f50db4
- [Hash] Context – 4b7ba9632318c84115ec345e2c4d07283c6a81e0112bb38b9400f0fabeb8e3be, 062ebb3d6967744ecd9abba13fdae1edb2ae5248e228d1ad39800bc742815d02
- [Hash] Context – f22eb3fab95165f994bb12c9764583939db12176a298aeb065586b7d01301165, Dc20a36d9e2e767bb994d29a50b75afc3ac757e430a7d6abb1fa8ef7fe44ebfa
Read more: https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/