In recent weeks, we have covered several malicious browser extensions on the Chrome Web Store as well as dangerous apps on Google Play. Even on official channels, you should always be very careful, but the risk of encountering malicious software is far greater when you leave those channels. That was on display this week as a new malicious Chrome extension capable of controlling browsers remotely was discovered in the wild.
According to the Zimperium zLabs threat research team, a malicious browser extension that the creator dubbed Cloud9 has been making the rounds.
Unlike the Chrome extensions we covered late last month, Cloud9 hasn’t yet invaded official browser extension stores. Instead, the threat actors have been relying on other distribution methods. Zimperium says those methods include “side-loading through fake executables and malicious websites disguised as Adobe Flash Player updates.”
Zimperium says that there are two variants of the botnet currently wreaking havoc online. One is the original, and the other is an “improved version” that is even more dangerous. Here are all of the terrifying capabilities of the improved version of the botnet:
- Send GET/POST requests, which can be used to fetch malicious resources.
- Cookie stealing, which can compromise user sessions.
- Keylogging, which could be used to steal passwords, among other things.
- Layer 4 / Layer 7 hybrid attack, used to perform DDoS attacks from the victim’s PC.
- OS and browser detection, for next-stage payloads.
- Open pop-unders, used to inject ads.
- Execute JavaScript code from other sources, used to inject more malicious code.
- Silently load webpages, used to inject ads or more malicious code.
- Mine cryptocurrencies in the browser, using the victim’s computer resources.
- Send browser exploits, used to take control of the device by executing malicious code on it.
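Every capability in that list depends on the extension holding the matching Chrome permission, and a side-loaded extension carries no Web Store update URL. The script below is an added example written for this article, not code from Zimperium or from the article itself: it walks a Chrome profile's `Extensions` directory, flags manifests that were not installed from the Web Store, and lists permissions that would grant the cookie, request, injection and all-sites access described above. The permission-to-capability mapping, the risk score and the two sample manifests are constructed for illustration; the directory layout and the Web Store `update_url` are Chrome's own.

```python
"""Audit installed Chrome extension manifests for side-loading and for the
permissions that would enable Cloud9-style capabilities.

Added example, not code from Zimperium or from the article. The
permission-to-capability mapping and the scoring are assumptions made here.
"""
import json
from pathlib import Path

# Chrome records this update_url for extensions installed from the Web Store;
# a side-loaded extension normally has a different one or none at all.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Assumed mapping (ours) from a permission to the capability it would enable.
RISKY_PERMISSIONS = {
    "cookies": "read/exfiltrate session cookies",
    "webRequest": "intercept or rewrite GET/POST traffic",
    "webRequestBlocking": "block or modify requests in flight",
    "scripting": "inject JavaScript into open pages",
    "tabs": "open or silently load pages (pop-unders, ad injection)",
    "nativeMessaging": "hand off to a native executable",
}

# Host patterns that grant access to every site; a content script matched on
# any of these can observe keystrokes and page content everywhere.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Summarise why a manifest does or does not look risky."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 keeps hosts separate
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))

    flagged = {p: RISKY_PERMISSIONS[p] for p in sorted(perms) if p in RISKY_PERMISSIONS}
    broad_hosts = sorted((perms | hosts) & ALL_HOSTS)
    if broad_hosts:
        flagged["host:" + ",".join(broad_hosts)] = "run on every site (keylogging, form capture)"

    sideloaded = manifest.get("update_url") != WEBSTORE_UPDATE_URL
    # Assumed scoring: one point per flagged permission, two for side-loading.
    score = len(flagged) + (2 if sideloaded else 0)
    return {
        "name": manifest.get("name", "?"),
        "sideloaded": sideloaded,
        "flagged": flagged,
        "score": score,
    }


def scan_extensions_dir(extensions_dir: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json, highest risk first."""
    results = []
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        with manifest_path.open(encoding="utf-8") as fh:
            results.append(assess_manifest(json.load(fh)))
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests so the example runs offline (not real extensions).
BENIGN_MANIFEST = {
    "name": "Sample Web Store extension (constructed)",
    "manifest_version": 3,
    "permissions": ["storage"],
    "update_url": WEBSTORE_UPDATE_URL,
}

SIDELOADED_MANIFEST = {
    "name": "Sample side-loaded extension (constructed)",
    "manifest_version": 2,
    "permissions": ["cookies", "webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    # no update_url: nothing on the Web Store delivered this install
}

if __name__ == "__main__":
    for sample in (BENIGN_MANIFEST, SIDELOADED_MANIFEST):
        print(json.dumps(assess_manifest(sample), indent=2))
    # Real profile on Linux (path is an assumption; adjust for your OS and profile):
    # print(scan_extensions_dir(Path.home() / ".config/google-chrome/Default/Extensions"))
```

A high score is a prompt to inspect, not a verdict: legitimate ad blockers and password managers also request `webRequest` and all-hosts access, so the useful signal for this threat is the combination of broad permissions with a missing or non-Google `update_url`.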
The zLabs team attributes the Cloud9 botnet to the Keksec malware group. The botnet was first discovered in 2017 and was updated again in 2020. The team also says that many hacker forums are giving the botnet away for free.
You shouldn’t need any more reasons to avoid downloading anything resembling a browser extension from a source you don’t trust. That said, here’s another.