
The Keksec threat actor has been linked to a previously undocumented malware strain, which has been observed in the wild masquerading as an extension for Chromium-based web browsers to enslave compromised machines into a botnet.

Called Cloud9 by security firm Zimperium, the malicious browser add-on comes with a wide range of features that enable it to siphon cookies, log keystrokes, inject arbitrary JavaScript code, mine cryptocurrency, and even enlist the host to carry out DDoS attacks.

The extension “not only steals the information available during the browser session but can also install malware on a user’s device and subsequently assume control of the entire device,” Zimperium researcher Nipun Gupta said in a new report.

The JavaScript botnet isn’t distributed via Chrome Web Store or Microsoft Edge Add-ons, but rather through fake executables and rogue websites disguised as Adobe Flash Player updates.

Once installed, the extension is designed to inject a JavaScript file called "campaign.js" into every page the browser loads, meaning the malware could also operate as a standalone piece of code on any website, legitimate or otherwise, potentially leading to watering hole attacks.
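An extension that injects one script into every page has to declare that reach in its manifest.json: a content_scripts entry whose matches cover all sites, usually alongside equally broad host_permissions and permissions such as cookies or webRequest. The following triage helper, an added example that is not from Zimperium's report or the Cloud9 sample, flags those declarations so a sideloaded extension can be checked before or after installation. The SAMPLE_MANIFEST object is constructed to resemble what the article describes and is an assumption, not the real extension's manifest; the function and finding names are likewise illustrative.

```javascript
// Added example (not the Cloud9 sample or Zimperium's code): triage a Chromium
// extension manifest for content scripts and permissions that reach every site.

// Constructed sample manifest shaped like the behaviour described in the article.
// It is an assumption, not the real extension's manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Flash Player Update",
  content_scripts: [
    { matches: ["<all_urls>"], js: ["campaign.js"], run_at: "document_start" }
  ],
  host_permissions: ["<all_urls>"],
  permissions: ["cookies", "scripting", "webRequest", "storage"]
};

// Chromium match patterns that amount to "any host": the special <all_urls>
// token, or scheme://*/path with a bare "*" host (e.g. *://*/*, https://*/*).
// A host like *.example.com is a subdomain wildcard, not a broad match.
function isBroadMatch(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp|wss?):\/\/([^/]*)\/(.*)$/.exec(pattern);
  if (!m) return false;
  return m[2] === "*";
}

// Permissions that, combined with all-site reach, let an extension read
// session cookies, intercept traffic, or inject code into arbitrary pages.
const SENSITIVE_PERMISSIONS = [
  "cookies", "webRequest", "webRequestBlocking", "scripting",
  "tabs", "nativeMessaging", "declarativeNetRequest", "debugger"
];

// Return a list of findings for a parsed manifest object.
function triageManifest(manifest) {
  const findings = [];

  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroadMatch);
    if (broad.length > 0) {
      findings.push({
        kind: "content_script_all_sites",
        files: cs.js || [],
        matches: broad,
        // Chromium defaults to document_idle when run_at is omitted.
        run_at: cs.run_at || "document_idle"
      });
    }
  }

  // MV3 lists host access under host_permissions; MV2 mixed it into permissions.
  const hostDecls = (manifest.host_permissions || []).concat(
    manifest.manifest_version === 2 ? (manifest.permissions || []) : []
  );
  const broadHosts = hostDecls.filter(isBroadMatch);
  if (broadHosts.length > 0) {
    findings.push({ kind: "host_permission_all_sites", matches: broadHosts });
  }

  const sensitive = (manifest.permissions || []).filter(p =>
    SENSITIVE_PERMISSIONS.includes(p)
  );
  if (sensitive.length > 0) {
    findings.push({ kind: "sensitive_permissions", permissions: sensitive });
  }

  return findings;
}

// Convenience wrapper for the raw manifest.json text read from an unpacked
// extension directory; returns findings or throws on malformed JSON.
function triageManifestText(jsonText) {
  return triageManifest(JSON.parse(jsonText));
}

// Stand-alone usage: print findings for the constructed sample.
for (const f of triageManifest(SAMPLE_MANIFEST)) {
  console.log(JSON.stringify(f));
}
```

Run it against the manifest.json of any unpacked extension under the browser's profile directory (Extensions/<id>/<version>/ on a typical Chromium install). A single content script injected on `<all_urls>` at document_start is exactly the shape that lets a script run before the page's own code on every origin; a legitimate extension with that footprint should be able to justify it.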
