The malicious browser extension was reported by Zimperium researchers, who named it Cloud9. According to the researchers, the malware can intercept cookies, record keystrokes, inject arbitrary JavaScript code, mine cryptocurrency and use the infected device to conduct DDoS attacks. Beyond stealing information, the botnet can also install additional malware on the victim's device in order to take full control of it.
The malicious add-on is not available in the official extension stores for Chrome or Edge; it spreads only through dubious websites that offer users a download of Cloud9 disguised as Adobe Flash Player.
As soon as the victim installs the extension, it injects a JS file named "Campaign.js" into every page, then begins mining cryptocurrency on the victim's device, and afterwards injects a second script named "Cthulhu.js".
The second script exploits vulnerabilities in Mozilla Firefox (CVE-2019-11708, CVE-2019-9810), Internet Explorer (CVE-2014-6332, CVE-2016-0189) and Edge (CVE-2016-7200) to escape the browser "sandbox" and deploy malware on the system.
After that, the script operates as a keylogger and as a channel for receiving additional commands from the attackers' server, which lets it steal clipboard contents and cookies and launch DDoS attacks.
Zimperium researchers believe the Keksec group (also known as Kek Security, Necro and FreakOut), which has extensive experience developing botnets, is behind Cloud9. One of its creations is the infamous EnemyBot, which attackers used for cryptocurrency mining and DDoS attacks.