Beware of Rilide: The Cunning Malware Targeting Chromium-based Browsers And Stealing Crypto

source link: https://cryptomode.com/beware-of-rilide-the-cunning-malware-targeting-chromium-based-browsers-and-stealing-crypto/

Chromium-based web browsers are under attack by a new malware named Rilide. This insidious threat disguises itself as a seemingly legitimate Google Drive extension, enabling it to harvest sensitive data and steal cryptocurrency from unsuspecting users.

Unmasking Rilide: The Malware that Hides in Plain Sight

According to Trustwave SpiderLabs Research, Rilide malware presents itself as a genuine Google Drive extension, allowing cybercriminals to conduct a wide range of malicious activities. These activities include monitoring browsing history, capturing screenshots, and injecting harmful scripts to withdraw funds from various cryptocurrency exchanges illicitly.

Furthermore, Rilide can display fake dialogs, deceiving users into entering their two-factor authentication codes to withdraw digital assets.

Trustwave identified two distinct campaigns, involving Ekipa RAT and Aurora Stealer, that led to the installation of the malicious browser extension. Ekipa RAT is distributed through booby-trapped Microsoft Publisher files, while rogue Google Ads serve as the delivery vector for Aurora Stealer, a method that has grown increasingly popular in recent months.

Both attack chains use a Rust-based loader that modifies the browser’s LNK shortcut file and adds the “--load-extension” command-line switch, so that the browser launches with the malicious add-on already loaded.
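A defender-side check for the shortcut tampering described above, added here as an example and not taken from the article or from Trustwave’s report: a small parser for the StringData section of a Windows .lnk file (MS-SHLLINK layout) that reports any paths passed to “--load-extension”. The build_lnk helper is an assumption of this example; it only constructs a minimal sample so the parser can be exercised offline.

```python
"""Detect .lnk shortcuts whose arguments sideload a browser extension via --load-extension."""
import re
import struct

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE, HEADER_SIZE = 0x01, 0x02, 0x80, 0x4C
# StringData fields in on-disk order, with the LinkFlags bit that says each one is present
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def lnk_string_data(data: bytes) -> dict:
    """Parse the StringData section of a Shell Link (MS-SHLLINK) file into a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                  # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo (its size field includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for name, flag in STRING_FIELDS:
        if flags & flag:                     # CountCharacters, then that many characters
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields


def injected_extensions(data: bytes) -> list:
    """Return every path passed to --load-extension in the shortcut's arguments ([] if clean)."""
    args = lnk_string_data(data).get("arguments", "")
    found = []
    for quoted, bare in EXT_RE.findall(args):     # the switch takes a comma-separated list
        found.extend(p for p in (quoted or bare).split(",") if p)
    return found


def build_lnk(arguments: str, relative_path: str = ".\\chrome.exe") -> bytes:
    """Constructed minimal .lnk (no IDList/LinkInfo) used to exercise the parser offline."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    struct.pack_into("<I", header, 0x14, 0x08 | 0x20 | IS_UNICODE)   # RelativePath + Arguments, Unicode
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(header) + body
```

On a real host, feed the bytes of each browser shortcut on the Desktop, Start Menu and taskbar to injected_extensions and treat any non-empty result for a Chrome, Edge or Brave shortcut as worth investigating.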

Tracing Rilide’s Origins: Unearthing a Sinister Underground

The exact origins of Rilide remain unknown. However, Trustwave discovered an underground forum post from March 2022 in which a threat actor advertised the sale of a botnet with similar capabilities.

Part of Rilide’s source code has since emerged on the forums, seemingly due to an unresolved payment dispute. A noteworthy feature in the leaked source code allows the malware to swap cryptocurrency wallet addresses in the clipboard with an attacker-controlled address embedded in the sample.

A command-and-control (C2) address specified in Rilide’s code identified several GitHub repositories belonging to a user named “gulantin”. These repositories contain loaders for the malicious extension. GitHub has since taken down the implicated account.

The Growing Threat of Malicious Browser Extensions

Trustwave concludes that Rilide is a prime example of the escalating sophistication and danger of malicious browser extensions. Although the upcoming enforcement of Manifest v3 may make it more difficult for threat actors to operate, it is unlikely to eradicate the issue entirely, since most of the functionality Rilide relies on will still be available.

In conclusion, users must remain vigilant against the growing threat of malicious browser extensions like Rilide. By staying informed and exercising caution when installing extensions, users can better protect themselves from this and other insidious cyber threats. Moreover, they can keep their precious crypto assets safe from harm.

