Click to Skip Ad
Closing in...

Watch out for malicious Chrome extensions that let hackers take control of your browser

Updated Dec 5th, 2022 10:38AM EST
Google highlights the best Chrome extensions with badges.
Image: Google

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

In recent weeks, we have covered several malicious browser extensions on the Chrome Web Store as well as dangerous apps on Google Play. Even on official channels, you should always be very careful, but the risk of encountering malicious software is far greater when you leave those channels. That was on display this week as a new malicious Chrome extension capable of controlling browsers remotely was discovered in the wild.

According to the Zimperium zLabs threat research team, a malicious browser extension that the creator dubbed Cloud9 has been making the rounds.

Unlike the Chrome extensions we covered late last month, Cloud9 hasn’t yet invaded official browser extension stores. Instead, the threat actors have been relying on other distribution methods. Zimperium says those methods include “side-loading through fake executables and malicious websites disguised as Adobe Flash Player updates.”

Zimperium says that there are two variants of the botnet currently wreaking havoc online. One is the original, and the other is an “improved version” that is even more dangerous. Here are all of the terrifying capabilities of the improved version of the botnet:

  • Send GET/POST requests, which can be used to get malicious resources.
  • CookieStealing, which can compromise user sessions.
  • Keylogging, that could be used to steal passwords among other things.
  • Layer 4 / Layer 7 hybrid attack, used to perform DDos attacks from the victim’s PC.
  • OS and Browser detection, for next stage payloads
  • Open Pop-unders, used to inject ads.
  • Execute JavaScript Code from other sources, used to inject more malicious code.
  • Silently load webpages, used to inject ads or to inject more malicious code.
  • Mine cryptocurrencies on the browser, to use the victim’s computer resources to mine cryptocurrency.
  • Send browser exploit, used to take control of the device by executing malicious code in the device.

The zLabs team says that the Keksec malware group is responsible for the Cloud9 botnet. It was first discovered in 2017 but was updated again in 2020. The team also claims that many hacker forums are giving the botnet away for free.

You shouldn’t need any more reasons to avoid downloading anything resembling a browser extension from a source you don’t trust. That said, here’s another.

More Google news: You’re stuck with the Gmail redesign starting this month

Jacob Siegal
Jacob Siegal Associate Editor

Jacob Siegal is Associate Editor at BGR, having joined the news team in 2013. He has over a decade of professional writing and editing experience, and helps to lead our technology and entertainment product launch and movie release coverage.