Cloud9 Botnet Employs Malicious Extensions To Take Control Of Browsers and Windows
Unlike other malicious browser extensions, the extensions containing the Cloud9 malware have never been available on any official browser extension stores, as far as Zimperium is aware. Threat actors instead seem to spread the malware most commonly on websites offering fake Adobe Flash Player updates. While Adobe officially discontinued Flash Player in December 2020 and most modern web browsers don’t support Flash, some websites still offer Flash games and other web content. Some users may be driven to websites that promote Flash Player updates in the hopes of accessing this content.
As if malicious behavior inside infected browsers isn’t enough, Cloud9 can also break out of the browser to infect the operating system (OS). The malware begins by identifying the machine’s operating system and browser, then reaches out to a command-and-control (C2) server to download additional malicious payloads for further attacks. If the infected browser is Firefox, Microsoft Edge, or Internet Explorer and the underlying OS is Windows, Cloud9 can leverage different exploits to escape the browser.
The vulnerabilities in question are relatively old, dating from 2014 to 2019, and have since been patched. Nonetheless, four of the five appeared on the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog in 2022, meaning threat actors are still exploiting them because some machines are still running old versions of the affected web browsers. To avoid falling prey to the Cloud9 malware, users and organizations should install the latest security updates and refrain from installing browser extensions claiming to be Adobe Flash Player.