Zimperium zLabs threat researchers recently reported the case of the Cloud9 Chrome Botnet, and rightly so. Many of us seem to forget just how much information cybercriminals can steal from our browsers.

Zimperium published seven Cloud9 indicators of compromise (IoCs) to help users protect against the threat. We expanded that list aided by our WHOIS, IP, and DNS tools and found:

• 12 IP addresses to which the IoCs resolved, four of which were malicious
• 443 domains that shared the IoCs’ IP hosts
• 1,922 more domains that contained the same strings as the IoCs—“p27rjz4oiu53u4gm,” “zmsp,” “loginserv,” and “cloudminer”
• 12 subdomains that contained the same string combination—“cloud9 + bot”—found among the IoCs
• 10 malicious domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Blocking the Publicized IoCs May Not Be Enough

Threat actors can’t always clean up while and after launching attacks, and the Cloud9 operators, like any other attacker, may have left digital breadcrumbs that we can use to expand the current list of IoCs.

We used the seven domains Zimperium identified as IoCs to jumpstart our investigation. We began by subjecting them to DNS lookups, which led to the discovery of 12 unique IP addresses, six of which are:

• 103[.]198[.]0[.]111
• 107[.]174[.]133[.]119
• 18[.]117[.]28[.]81
• 185[.]184[.]223[.]195
• 202[.]61[.]204[.]169
• 70[.]66[.]139[.]68

Four of these IP hosts—103[.]198[.]0[.]111, 107[.]174[.]133[.]119, 202[.]61[.]204[.]169, and 70[.]66[.]139[.]68—turned out to be malicious. 107[.]174[.]133[.]119 and 70[.]66[.]139[.]68 were, in fact, reported for malicious activity 43 and two times, respectively, on AbuseIPDB. Eight of them pointed to U.S. origins while the remaining four were distributed across Canada, Germany, Japan, and Singapore. Three were hosted by Amazon.com, Inc. and the remaining were spread across six other Internet service providers (ISPs), including Canada-based Shaw Communications, Inc.; Backbone Telecommunications in Singapore; and xTom Limited in Japan.

Next, we used the IP addresses as reverse IP lookup search terms and found 443 more domains. A lot of these seem to also be related to cryptocurrencies in general (e.g., 0ftp[.]crypto-webminer[.]com, auth[.]crypto-webminer[.]com, and upload[.]crypto-webminer[.]com) and specific coins (e.g., bitcoin-pocket[.]eu, 00kemya00[.]anikapedia[.]bnbcraft[.]com, and 0moneroocean[.]crypto-webminer[.]com).

Using this list of cryptocurrencies as reference, we looked at how many domains contained “crypto” and some coins’ names.

Domain names suggesting they’re sources of generic crypto web miners dominated, followed closely by Bitcoin-themed domains. It isn’t surprising to see more “bitcoin”-containing domain names, given that the cryptocurrency still commands the highest monetary equivalent.

We also identified unique strings used among the IoCs, specifically “p27rjz4oiu53u4gm,” “zmsp,” “loginserv,” and “cloudminer.” Domains & Subdomains Discovery domain searches for these strings allowed us to uncover 1,922 additional web properties. Ten of the total 2,365 domains turned out to be malicious. We listed five of them below.

• cloudminers[.]us
• loginservice[.]gq
• cloud-loginserv[.]top
• loginserverfrengki[.]cf
• myinboxloginservice[.]com

One of the malicious domains—ezmspcloud[.]com—was a confirmed spam sender while the remaining nine were malware hosts.

Apart from the malicious domains above, adding the following to monitoring lists may also be worth it given that they contain the names or brands of legitimate companies despite not belonging to them based on WHOIS record comparisons:

• wecloudminers[.]com (WeCloud)
• dogecloudminer[.]co (Dogeminer)
• cloudminerbtc[.]com (Bitcoin)
• oraclecloudminer[.]com (Oracle)
• googleloginservice[.]tk (Google)
• facebookloginserver[.]tk (Facebook)
• icloud-loginservice[.]com (iCloud)
• applewebloginserver[.]com (Apple)
• paypal-loginservice[.]com (PayPal)
• alibabaloginservice[.]com (Alibaba)

Any of these additional domains could also figure in phishing campaigns targeting the companies whose names or brands appear in them.

Screenshot lookups for the 2,000+ domains yielded interesting results as well. The domains below, for instance, sported the Chrome logo even if it doesn’t belong to Google as per a WHOIS record comparison.

Screenshot of 810hao[.]com

We also looked for subdomains containing the same string combination—“cloud9 + bot”—as some of the IoCs. That led to the discovery of 12 subdomains. While none of them were malicious, a majority of them could be connected to the malicious Cloud9 infrastructure, including these five:

• botpress[.]cloud9[.]mattsgreen[.]net
• discordbot[.]cloud9c[.]repl[.]co
• discord-bot-1[.]cloud9c[.]repl[.]co
• forge-trybot[.]gamma[.]infrastructure[.]silk[.]cloud9[.]aws[.]dev
• forge-trybot[.]dev-akulb[.]infrastructure[.]silk[.]cloud9[.]aws[.]dev

Our IoC expansion exercise allowed us to identify four additional malicious IP addresses and 10 malicious domains that are or could be connected to Cloud9. Users would do well to avoid accessing them. Network administrators, meanwhile, may want to include them in their blocklists for utmost threat protection.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.