Web browsers contain the most lucrative pieces of information about a user and thus are becoming an interesting target for malware developers. Every keystroke or session cookie can contain very private information about a user, and access to such information can create critical security and privacy issues.
The Zimperium zLabs team recently discovered a malicious browser extension, which not only steals the information available during the browser session but can also install malware on a user’s device and subsequently assume control of the entire device. In this blog, we will take a deeper look into the architecture and modus operandi of this malicious browser extension, originally called Cloud9, by the malware author.
Cloud9 was never found on any official browser extension store, instead relying on distribution through threat actor communities, where users of the tool would then hide the malware to deliver to victims. These distribution methods can carry, but the most common we witnessed during the investigation were side-loading through fake executables and malicious websites disguised as Adobe Flash Player updates.
What Can the Cloud9 Botnet Do?
Cloud9 acts like a remote access trojan (RAT) with many functionalities. We came across two different variants of this malware, one original and one improved version with extended capabilities and bug fixes, demonstrating how malicious actors are constantly iterating. The second variant is a modification of the first with far more capabilities and a few bug fixes. Our discussion will focus on the “improved” version, as it contains the functionalities of both variants.
The main functionalities of this malware that can be used to perform malicious activities are:
- Send GET/POST requests, which can be used to get malicious resources.
- CookieStealing, which can compromise user sessions.
- Keylogging, that could be used to steal passwords among other things.
- Layer 4 / Layer 7 hybrid attack, used to perform DDos attacks from the victim’s PC.
- OS and Browser detection, for next stage payloads
- Open Pop-unders, used to inject ads.
- Silently load webpages, used to inject ads or to inject more malicious code.
- Mine cryptocurrencies on the browser, to use the victim’s computer resources to mine cryptocurrency.
- Send browser exploit, used to take control of the device by executing malicious code in the device.
How Does the Cloud9 Chrome Botnet Work?
In this malicious extension, the manifest.json file injects campaign.js on all http/https pages.
Installed chrome extension on Google Chrome.
The next step on the chain is injecting another script named cthulhu.js. This file contains a full-chain exploit for CVE-2019-11708 & CVE-2019-9810 targeting Firefox on a 64-bit Windows Operating System. Upon successful exploitation, it drops Windows-based malware on the device, enabling the threat actor to take over the entire system.
After identifying the browser type, the script adds a new event listener using the onkeypress event, which is fired when any key producing a character is pressed. Whenever this event is fired, the corresponding keystroke value is appended to a variable. This keylogging data, along with any “form” data present on the current webpage, is sent to the C&C whenever any of the following events is fired:
- unload event which is fired in the following cases:
- The browser window has been closed.
- When the user navigates away from the page (by clicking on a link, submitting a form, closing the browser window, etc.).
- When a user reloads the page
- beforeunload event occurs when the document is about to be unloaded
- popstate event of the Window interface is fired when the active history entry changes while the user navigates the session history
- pagehide event is sent to a Window when the browser hides the current page in the process of presenting a different page from the session’s history. For example, when the user clicks the browser’s Back button, the current page receives a pagehide event before the previous page is shown.
These events make sure that the data is sent to the C&C as soon as the user navigates to a different page.
1. Stealing Cookies
If the command received from the C&C is “cookie”, the malware will extract the cookie and location using document.cookie and document.location respectively. It will then send this information to the browser.
The imageLoad function in the figure below simply creates an empty image and sets the src attribute to the argument passed, this will create the http request, as the browser will try to retrieve the image from that URL in src attribute.
2. Stealing Clipboard Data
The window.onpaste event is fired whenever the victim pastes some content into an element. This code then steals that data and sends it to the C&C server. Any data that is pasted in the browser, such as login credentials and credit card numbers, can be stolen and sent to the C&C. This behavior can be especially dangerous in cases where the user stores password in any password manager and copies and pastes the password or other sensitive information in the infected browser session.
One of the most interesting features of this malware is that it uses browser exploits to escape the browser and tries to execute the malware on the victim’s device. We already mentioned the Firefox exploit that was used to drop a malicious exe file. Apart from that, this malware uses a few more browser exploits for Internet Explorer (CVE-2014-6332, CVE-2016-0189) and Edge (CVE-2016-7200). If an attacker successfully exploits this vulnerability, they could gain the same user rights as the current user and can execute code on the victim’s device as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In this case, the CVEs were used for the same purpose, to inject arbitrary code that can be run as the current user outside the browser.
4. POST requests and layer 7 attack
The extension can also send POST requests to any domain. This functionality can be enhanced to carry out a layer 7 DDOS attack if the attacker has a significant number of victims connected as botnets. Layer 7 attacks are usually very hard to detect because the TCP connection looks very similar to legitimate requests. The developer is likely using this botnet to provide a service to perform DDOS.
The Threat Actors
The origin of this malware comes from the Keksec malware group, which was originally formed in 2016 by some botnet actors. This group is popular for its DDOS and mining-based malware and botnets.
How does Cloud9 Impact Enterprise Clients?
This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information. The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration.
The Cloud9 malware does not target any specific group, meaning it is as much an enterprise threat as it is a consumer threat. The keystrokes can contain sensitive user information such as passwords and thus can be leveraged to access more sensitive information such as critical business data, client data, and even personal data, without any knowledge of the user. Its ability to install additional malware onto the victim’s machine increases its risk profile to an enterprise, bypassing traditional vectors of attack commonly monitored by endpoint security products.
The Victims of Cloud9 Chrome Botnet
The number of victims affected by this is still unknown. Still, it is quite clear that this malware group is targeting all browsers and operating systems and thus trying to increase their attack surface. We found some screenshots from a hacker forum where the threat actor showcases the victims they have under attack.
As the image below indicates, we can clearly state that victims of this attack are not limited to a specific country or a specific browser.
Zimperium vs. Cloud9 Botnet
Enterprise customers of Zimperium are protected against the Cloud9 malicious extension with Zimperium zBrowser Protect through on-device detection and determination. Zimperium zBrowser Protect uses a combination of heuristics to identify this malicious extension even when the extension ID is completely different for each victim.
Traditional endpoint security solutions are not monitoring this vector of attack, leaving browsers susceptible and vulnerable. Users should be trained on the risks associated with browser extensions outside of official repositories, and enterprises should consider what security controls they have in place for such risks.
Indicators of Compromise
IPs and Domains
Screenshots from the hacker forum where the malware was distributed: