venturesmopa.blogg.se

Flash player extension chrome malware










With Cloud9 being spotted on cybercrime forums, the operators could be selling its malicious extension to interested parties. “The developer is likely using this botnet to provide a service to perform DDOS.”

Another way the threat actors behind Cloud9 generate even more illicit income is by injecting advertisements and then loading these webpages in the background to accrue ad impressions. “Layer 7 attacks are usually very hard to detect because the TCP connection looks very similar to legitimate requests,” Zimperium stated. A “clipper” module was also discovered in the extension, which allows the PC to access copied passwords or credit cards. Multiple vulnerabilities are being exploited, Zimperium notes, including CVE-2019-11708 and CVE-2019-9810 in Firefox, CVE-2014-6332 and CVE-2016-0189 for Internet Explorer, and CVE-2016-7200 for Microsoft Edge.

Although the vulnerabilities are commonly used to install Windows malware, the Cloud9 extension can steal cookies from a browser, allowing hackers to take over valid user sessions.

Furthermore, the malware comes with a keylogger - software that can essentially send all your key presses to the attackers. The foundation of Cloud9 is three central JavaScript files that can obtain information about the target system and mine cryptocurrency on that same PC, in addition to injecting scripts in order to launch browser exploits. Security researchers at Zimperium have confirmed that Cloud9 infections have been detected in multiple regions around the world.










