Cloud9, believed to be distributed by the prominent dark web outfit "Keksec", is not available on any official app store. Instead, it infects users of Chromium-based browsers such as Google Chrome and Microsoft Edge through rigged Adobe Flash Player updates served from malicious websites, Zimperium noted. The malware is akin to a Remote Access Trojan (RAT), as it steals browser session information, but it has also been weaponized as a botnet, in which a "bot herder" (i.e., the attacker) infects and controls a number of hijacked computers. The malware is both a global consumer and an enterprise threat; the number of affected victims is unknown at this time.

A RAT Module Weaponized Into a Botnet

Zimperium researchers confirmed in a Tuesday, Nov. 8 blog post that an “improved” version of the nasty Cloud9 malware circulated by malware group Keksec is compromising users globally. “We came across two different variants of this malware, one original and one improved version with extended capabilities and bug fixes, demonstrating how malicious actors are constantly iterating,” researchers said. Zimperium listed several ways in which the improved Cloud9 malware performs malicious activities, including stealing browser cookies, keylogging, launching DDoS attacks, and injecting code to take over devices. The malware can also enslave a device to mine cryptocurrency, stressing its hardware components.

JavaScript Hack Files

On first inspection, researchers found that the Cloud9 sample contained only a few JavaScript files, but those files turned out to be multi-purpose. A file named "campaign.js" first identifies the device's operating system and then injects code that mines cryptocurrency in the background. This process "not only diminishes the performance of the device but reduces hardware lifespan and increases energy usage, which translates into a slow but steady monetary loss," Zimperium said. The next file in the infection chain, aptly named "cthulhu.js" after the fictional Lovecraftian creature, exploits existing Firefox and Windows vulnerabilities to drop Windows-based malware that enslaves the device to an attacker-controlled command-and-control server. Alongside this, user keyboard input is recorded. As a result, Cloud9 can steal browser cookies and clipboard (copy-paste) data, perform "clickjacking," crack hashes, fetch additional malware tools on the fly and run DDoS attacks powered by a botnet of victim devices. "Layer 7 attacks are usually very hard to detect because the TCP connection looks very similar to legitimate requests. The developer is likely using this botnet to provide a service to perform DDoS," the researchers wrote.
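Because each request in a Layer 7 flood is a well-formed HTTP request over a normal TCP connection, a defender has to look at volume and distribution rather than at any single request. The script below is an added example written for this article, not Zimperium's analysis code and not part of Cloud9. It parses web-server access logs in the Apache/Nginx "combined" format and applies two heuristics: a single source whose peak request rate is abnormal (a loud bot), and a path whose aggregate rate is abnormal while the traffic comes from many sources sharing one User-Agent (a distributed botnet of compromised browsers, which is what Cloud9 provides). The thresholds, IP addresses, User-Agent strings and the sample log itself are constructed for illustration and are not taken from any real incident.

```python
"""Rate-based triage of a Layer 7 (HTTP) flood in web-server access logs.

Added example for this article; not Zimperium's code and not part of Cloud9.
Assumes Apache/Nginx "combined" log format. Thresholds are illustrative
assumptions and must be tuned per site.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # group by path, not by query string
    return rec


def peak_rate(timestamps, window):
    """Largest number of requests inside any sliding window of length `window`."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(lines, window=timedelta(seconds=10), per_ip_limit=30,
           per_path_limit=100, min_bots=10, ua_share=0.9):
    """Two detectors, because each request on its own looks legitimate:
    1. a client whose peak rate exceeds per_ip_limit (loud single bot);
    2. a path whose aggregate peak rate exceeds per_path_limit while the
       traffic comes from many IPs sharing one User-Agent (distributed botnet)."""
    per_ip, per_path = defaultdict(list), defaultdict(list)
    path_ips, path_uas = defaultdict(set), defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]].append(rec["ts"])
        per_path[rec["path"]].append(rec["ts"])
        path_ips[rec["path"]].add(rec["ip"])
        path_uas[rec["path"]][rec["ua"]] += 1
    loud_ips = sorted(ip for ip, t in per_ip.items() if peak_rate(t, window) > per_ip_limit)
    botnet_paths = {}
    for path, t in per_path.items():
        if peak_rate(t, window) <= per_path_limit:
            continue
        ua, n = path_uas[path].most_common(1)[0]
        share = n / len(t)
        if len(path_ips[path]) >= min_bots and share >= ua_share:
            botnet_paths[path] = {"sources": len(path_ips[path]), "ua": ua,
                                  "ua_share": round(share, 2)}
    return {"loud_ips": loud_ips, "botnet_paths": botnet_paths}


def make_sample_log():
    """Constructed sample traffic (not captured data): one loud bot, a 25-node
    botnet at only 5 requests per node, and two ordinary visitors."""
    base = datetime(2022, 11, 8, 12, 0, 0, tzinfo=timezone.utc)
    bot_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/107.0.0.0 Safari/537.36"
    lines = []

    def add(ip, offset_ms, path, ua):
        t = (base + timedelta(milliseconds=offset_ms)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{t}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"')

    for i in range(60):                      # loud bot: 60 hits on /login within 6 s
        add("203.0.113.7", 100 * i, "/login", bot_ua)
    for n in range(25):                      # distributed: 125 hits on /search within 8 s
        for i in range(5):
            add(f"198.51.100.{n + 1}", (300 * (5 * n + i)) % 8000, f"/search?q={n}", bot_ua)
    visitors = [("192.0.2.9", "Mozilla/5.0 (X11; Linux x86_64) Firefox/106.0"),
                ("192.0.2.10", "Mozilla/5.0 (Macintosh) Safari/605.1.15")]
    for k, (ip, ua) in enumerate(visitors):  # ordinary browsing: a few hits over a minute
        for j, path in enumerate(["/", "/about", "/search?q=cloud9", "/contact"]):
            add(ip, 15000 * j + 500 * k, path, ua)
    return lines


if __name__ == "__main__":
    print(triage(make_sample_log()))
```

On the constructed log the loud bot is caught by the per-IP detector, while none of the 25 botnet nodes exceeds the per-IP limit; they are only exposed by the per-path aggregate and the near-uniform User-Agent. Real deployments should feed the same logic from a streaming source and rate-limit or challenge the flagged sources rather than block on a single threshold, since the two legitimate visitors also hit the flooded path.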

‘Keksec’ Malware Group

The now-prominent Keksec malware group was created in 2016 "by some botnet actors," researchers said, and is known for DDoS and crypto-mining botnets and for malware products sold on the dark web. Cloud9 was first released in 2017, and researchers traced an update to it in 2020. Cloud9 is now being offered "either for free" or sold "for a few hundred dollars on various different hacker forums," Zimperium added. "As it is quite trivial to use and available for free, it can be used by many malware groups or individuals for specific purposes," researchers noted. Cloud9 can be leveraged to steal not only personal user data but also business and client data, in a way that slips past common security monitoring products. Multi-purpose malware such as RATs is all the rage these days, and criminals still bank on users and organizations landing on a rigged website and infecting themselves accidentally. Malware authors' tendency to improve their malware on the fly and to design it to infect multiple platforms is also something we have become used to seeing. In a recent forecast, cybersecurity specialists at Mandiant said readily available malware, info stealers and browser hijackers among them, will make it increasingly easy to hack into organizations in 2023. To protect against threats like Cloud9, Zimperium recommends that users be trained on the risks of third-party browser extensions and that enterprises tighten their security controls to reflect those risks. Take note of malware infection symptoms, such as your device overheating or slowing down noticeably. Also, ensure you're well-secured with picks from our list of the five best cybersecurity tools.

Cloud9 Malware Infects Users Across the Globe (VPNOverview)