
Malicious ‘Cloud9’ Chrome extension operates like a remote access trojan

A Chrome extension dubbed "Cloud9" has been observed stealing session information and then installing malware to assume control of the device, according to Zimperium zLabs. (Photo by Justin Sullivan/Getty Images)

Editor's note: This story was updated Nov. 11 with comments from a Google spokesperson, who replied after initial publication.

Researchers reported discovering a malicious Chrome browser extension — dubbed "Cloud9" by the author — that steals the information available during a browser session and then installs malware to assume control of the entire device.

In a Tuesday blog post, the Zimperium zLabs team explained that Cloud9 behaves like a remote access trojan (RAT) and performs at least 10 different types of malicious activities, including cookie stealing, keylogging, Layer 4/Layer 7 hybrid attacks, and OS and browser detection for next-stage payloads.

The researchers also said the malware originated from the Keksec malware group, which was originally formed in 2016 by botnet actors. This group has been best known for its DDoS, mining-based malware and botnets.

What’s most troubling about this malware is its ability to avoid existing endpoint detection systems, said Bud Broomhead, chief executive officer at Viakoo. Broomhead said this reinforces that threat actors are aiming to avoid traditional security solutions, in this case existing endpoint malware detection systems.

“It’s similar to how threat actors have been targeting IoT/OT systems, which are not supported by traditional IT security solutions,” said Broomhead. “Many browsers are used as interfaces to OT equipment, specifically to access consoles that manage and control these systems. This could be a path for IoT/OT devices being exploited.”

John Bambenek, principal threat hunter at Netenrich, added that this malware primarily uses older browser vulnerabilities, so security teams should keep browsers patched and updated.

“That being said, any functionality or extension added into the browser or config changes can have profound security implications,” Bambenek said. “The browser config should be tightly controlled and only allow specific browser extensions to be installed.” 

Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct, called Cloud9 "a relatively nasty RAT" which, aside from using cycles on a machine to mine crypto, can deliver second-stage malware. Fulmer said it’s unique in that it can be included as part of a malicious executable, but can also run standalone, delivered to a machine remotely and then executed.

“The second part is the most dangerous and plays on something widely talked about in the security world — clicking on suspicious links,” Fulmer said. “All that's needed is the malicious JavaScript file to be embedded on a site with scripting hooks, and you could easily weaponize any site you like. What if someone gained access to a large search engine like Google and embedded the script at the very end of the page, how many people could they impact and how wide of a net could they cast on gaining access to environments by harvesting credentials?”

A spokesperson for Google noted that the malicious extension was not available in the tech giant's official store, adding: “We always recommend users update to the latest version of Google Chrome to ensure they have the most up-to-date security protections. Users can also stay better protected from malicious executables and websites by enabling Enhanced Protection in the privacy and security settings in Chrome. Enhanced Protection automatically warns you about potentially risky sites and downloads and inspects the safety of your downloads and warns you when a file may be dangerous.”
