"Malicious 'Cloud9' Chrome Extension Operates Like a Remote Access Trojan"

Researchers have discovered the "Cloud9" malicious Chrome browser extension, which steals information available during a browser session and then installs malware to take control of the entire device. Cloud9 behaves like a Remote Access Trojan (RAT) and performs at least ten different types of malicious activities, including cookie stealing, keylogging, Layer 4/Layer 7 hybrid attacks, and OS and browser detection for next-stage payloads, according to the Zimperium zLabs team. The malware was also said to have originated from the Keksec malware group, which was founded in 2016 by botnet actors. This organization is best known for its Distributed Denial-of-Service (DDoS) attacks, mining-based malware, and botnets.

The ability of this malware to avoid existing endpoint detection systems is particularly concerning, according to Bud Broomhead, CEO of Viakoo. As Broomhead points out, this is similar to how threat actors have targeted Internet of Things (IoT) devices and Operational Technology (OT) systems, which are not supported by traditional Information Technology (IT) security solutions. Many browsers are used as interfaces to OT equipment, especially to access management and control consoles. This could be a way for IoT/OT devices to be exploited by malicious actors.

According to John Bambenek, Netenrich's principal threat hunter, this malware primarily exploits older browser vulnerabilities, so security teams should keep browsers patched and updated. However, any functionality or extension added to the browser, as well as configuration changes, can have serious security implications. The browser configuration should be tightly controlled and only allow the installation of specific browser extensions. This article continues to discuss the Cloud9 malicious Chrome browser extension observed stealing session information and then installing malware to take control of the device.
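The closing recommendation, that browser configuration be locked down so only approved extensions can be installed, is something Chrome exposes directly through enterprise policy. The following is an added example, not code from the article, Zimperium, or SC Magazine: it builds a managed-policy document using the real Chrome policy keys `ExtensionInstallBlocklist` (with `*` to block everything by default) and `ExtensionInstallAllowlist`, and includes a small evaluator that mirrors Chrome's documented precedence (allowlist entries override the blocklist) so an administrator can check what a policy permits before rolling it out. The extension IDs are placeholders, not real extensions, and the Linux path is the directory where Chrome reads managed policy on that platform; both are assumptions for illustration.

```python
"""Added example: generate and sanity-check a Chrome extension allowlist policy.

Not the article's own material. Policy keys are real Chrome policies; the
extension IDs are placeholders chosen for illustration.
"""
import json
import os
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Placeholder IDs standing in for extensions the organization has vetted.
APPROVED_EXTENSIONS = [
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # placeholder: e.g. a vetted password manager
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",  # placeholder: e.g. an approved PDF viewer
]

# Assumed location for managed policy on Linux Chrome; other platforms
# deliver the same keys via registry (Windows) or profiles (macOS).
DEFAULT_POLICY_PATH = "/etc/opt/chrome/policies/managed/extensions.json"


def build_policy(approved):
    """Return a default-deny extension policy that allows only vetted IDs."""
    malformed = [e for e in approved if not EXT_ID_RE.match(e)]
    if malformed:
        raise ValueError(f"malformed extension id(s): {malformed}")
    return {
        "ExtensionInstallBlocklist": ["*"],      # block everything by default
        "ExtensionInstallAllowlist": list(approved),
    }


def install_allowed(policy, ext_id):
    """Mirror Chrome's precedence: an allowlist entry overrides the blocklist."""
    allow = set(policy.get("ExtensionInstallAllowlist", []))
    block = policy.get("ExtensionInstallBlocklist", [])
    if ext_id in allow:
        return True
    if "*" in block or ext_id in block:
        return False
    return True  # no policy entry matches: Chrome's default is to permit


def policy_json(policy):
    """Serialize the policy exactly as it would be written to the managed dir."""
    return json.dumps(policy, indent=2, sort_keys=True)


def write_policy(policy, path=DEFAULT_POLICY_PATH):
    """Write the policy file (needs root on a real host; not called by default)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(policy_json(policy) + "\n")


if __name__ == "__main__":
    policy = build_policy(APPROVED_EXTENSIONS)
    print(policy_json(policy))
    # An extension the organization never vetted (placeholder ID) is refused.
    print(install_allowed(policy, "cccccccccccccccccccccccccccccccc"))
```

Once the JSON is in place, `chrome://policy` on a managed endpoint shows whether the keys were picked up; an unexpected extension that still loads is then a sign the policy is not being applied rather than a gap in the allowlist.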

SC Magazine reports "Malicious 'Cloud9' Chrome Extension Operates Like a Remote Access Trojan"
