Malicious Chrome browser extensions are being leveraged by the novel Chrome botnet Cloud9 to facilitate online account theft, keystroke logging, ad injection and malicious JavaScript code injection, as well as distributed denial-of-service attacks, BleepingComputer reports.
Threat actors have been using fake Adobe Flash Player updates to spread Cloud9, which contains JavaScript files with system information collection, cryptocurrency mining, DDoS attack execution, and script injection capabilities, according to a report from Zimperium.
Aside from exfiltrating compromised browsers' cookies, Cloud9 could also enable user session hijacking and account takeovers. Passwords and other sensitive data could be stolen by a keylogger within the malware, while its clipper module tracks copied credit card numbers and passwords. Cloud9 was also observed to execute layer 7 DDoS attacks, which Zimperium said are "very hard to detect."
Cloud9 has been associated with the Keksec malware operation, with Zimperium noting the usage of the same C2 domains in the Cloud9 campaign and previous attacks by Keksec.
As part of its latest attacks discovered in June, Tropic Trooper exploited several known Microsoft Exchange Server and Adobe ColdFusion vulnerabilities to distribute an updated China Chopper web shell on a server hosting the Umbraco open-source content management system.
More than 50 Alibaba-hosted command-and-control servers have been leveraged to facilitate the distribution of the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.
Angola and the Democratic Republic of Congo, which is a new Intellexa client, may have leveraged new Predator infrastructure to enable spyware staging and exploitation, according to an analysis from Recorded Future's Insikt Group.