A new strain of malware called Rilide targets Chromium-based web browsers, disguising itself as a legitimate extension to harvest sensitive data and siphon cryptocurrency.
Rilide poses as a legitimate Google Drive extension, but in practice lets its operators carry out a range of malicious actions, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges, according to a report from Trustwave SpiderLabs Research shared with The Hacker News.
The stealer can also display forged pop-up dialogs that trick users into entering a two-factor authentication (2FA) code, which it then uses to withdraw digital assets.
Trustwave said it identified two separate campaigns, one involving Ekipa RAT and the other Aurora Stealer, both of which ended with the installation of the malicious browser extension.
Ekipa RAT is distributed via booby-trapped Microsoft Publisher files, while Aurora Stealer is delivered through rogue Google Ads, a distribution method that has become increasingly common in recent months.
Both attack chains ultimately execute a Rust-based loader that modifies the browser's LNK shortcut file so that it starts the browser with the --load-extension command-line switch, which loads the unpacked add-on whenever the browser is launched from that shortcut.
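To show what the shortcut tampering looks like on disk, here is an added example, written for this page and not code from Trustwave or from Rilide, that parses a Windows .lnk file according to the MS-SHLLINK layout, pulls out its command-line arguments, and flags any directory passed to --load-extension. The sample shortcut it builds, including the path C:\Users\victim\AppData\Roaming\gdrv, is constructed test data, not a recovered artifact:

```python
import re
import struct
from pathlib import Path
from typing import Dict, List, Tuple

# MS-SHLLINK layout: fixed 76-byte header, then optional IDList and LinkInfo, then StringData.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits that decide which optional structures and strings are present.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields in the order the spec stores them, each gated by its LinkFlags bit.
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Extract the StringData fields (relative target, working dir, arguments, ...) of a .lnk file."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]      # LinkFlags sits right after the CLSID
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                  # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                            # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    fields: Dict[str, str] = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator follows
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", errors="replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


# --load-extension=PATH or --load-extension PATH, quoted or bare; Chromium accepts a comma-separated list.
LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s+)("[^"]*"|\S+)', re.IGNORECASE)


def find_loaded_extensions(arguments: str) -> List[str]:
    """Return every directory handed to --load-extension on a command line."""
    paths: List[str] = []
    for m in LOAD_EXT_RE.finditer(arguments):
        paths.extend(p for p in m.group(1).strip('"').split(",") if p)
    return paths


def check_shortcut(data: bytes) -> Tuple[bool, List[str]]:
    """(True, directories) if this shortcut side-loads an extension, else (False, [])."""
    paths = find_loaded_extensions(parse_lnk(data).get("arguments", ""))
    return bool(paths), paths


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Map each .lnk under `root` that carries --load-extension to the directories it loads."""
    hits: Dict[str, List[str]] = {}
    for lnk in Path(root).rglob("*.lnk"):
        try:
            flagged, paths = check_shortcut(lnk.read_bytes())
        except (ValueError, struct.error):               # truncated or not a shell link
            continue
        if flagged:
            hits[str(lnk)] = paths
    return hits


def build_sample_lnk(arguments: str) -> bytes:
    """Build a minimal Unicode .lnk (no IDList/LinkInfo) so the parser can be exercised offline.
    Synthetic test data: the paths below are made up, not taken from a real infection."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed

    def string_data(text: str) -> bytes:                 # CountCharacters + UTF-16LE chars (BMP only)
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header
            + string_data(r"..\..\Program Files\Google\Chrome\Application\chrome.exe")
            + string_data(r"C:\Program Files\Google\Chrome\Application")
            + string_data(arguments))


if __name__ == "__main__":
    sample = build_sample_lnk(r'--load-extension="C:\Users\victim\AppData\Roaming\gdrv" --no-first-run')
    print(parse_lnk(sample)["arguments"], check_shortcut(sample))
```

Running scan_directory over each user's Desktop, Start Menu and pinned-taskbar shortcut folders surfaces browser shortcuts that side-load an unpacked extension; a stock Chrome or Edge shortcut has no reason to carry --load-extension, so any hit deserves a look at the directory it points to.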
Rilide's exact origin remains unknown, but Trustwave found a post on an underground forum dating back to March 2022 in which a threat actor advertised a botnet for sale with features comparable to Rilide's.
Part of the malware's source code has since been leaked on the forums, apparently following an unresolved financial dispute.
One notable feature found in the leaked source code is the ability to swap cryptocurrency wallet addresses in the clipboard with an attacker-controlled address that is hardcoded in the sample.
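To make the clipboard-swapping behaviour concrete, here is an added example, not code from the leaked source or from Trustwave, that models the substitution (a recognised address is replaced by an attacker-controlled one of the same family, so the victim sees a plausible value) and pairs it with the client-side check a wallet front end could run against it. The address patterns are classifiers, not validators, and every address in the block is a constructed placeholder rather than a real wallet:

```python
import re
from typing import Dict, List, Optional, Tuple

# Address shapes a clipper looks for before substituting its own wallet, and that a defender
# can reuse to notice the substitution. Deliberately loose: they classify, they do not checksum.
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),  # Base58 P2PKH / P2SH
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),        # lowercase Bech32 segwit
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),                         # hex-encoded Ethereum
}


def classify_address(text: str) -> Optional[str]:
    """Name the address family `text` belongs to, or None if it is not an address at all."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return kind
    return None


def swap_addresses(clipboard_text: str, attacker_wallets: Dict[str, str]) -> str:
    """Model of the clipper behaviour described above: each recognised address is replaced by
    the attacker wallet of the same family. Used here only to produce input for the detector."""
    out = clipboard_text
    for kind, pattern in ADDRESS_PATTERNS.items():
        replacement = attacker_wallets.get(kind)
        if replacement:
            out = pattern.sub(lambda _m, r=replacement: r, out)  # callable avoids template escapes
    return out


class ClipperDetector:
    """Remember what the user last copied and flag a clipboard read that yields a *different*
    address: the fingerprint of an address-swapping clipper. A wallet front end would call
    on_user_copy() from its own copy action and on_clipboard_read() right before it pastes
    or submits a destination address."""

    def __init__(self) -> None:
        self.last_user_copy: Optional[str] = None
        self.alerts: List[Tuple[str, str]] = []

    def on_user_copy(self, content: str) -> None:
        self.last_user_copy = content

    def on_clipboard_read(self, content: str) -> bool:
        if self.last_user_copy is None:
            return False
        copied, now = self.last_user_copy.strip(), content.strip()
        # Only an address-for-address replacement is suspicious; ordinary text edits are not.
        if classify_address(copied) and classify_address(now) and copied != now:
            self.alerts.append((copied, now))
            return True
        return False


# Constructed placeholders with valid shapes; none of these is a real wallet.
VICTIM_BTC = "1VictimConstructedAddrAbc678912"
VICTIM_ETH = "0xa1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"
ATTACKER_WALLETS = {"btc_legacy": "1AttackerConstructedAddrXyz12345", "eth": "0x" + "deadbeef" * 5}

if __name__ == "__main__":
    detector = ClipperDetector()
    detector.on_user_copy(VICTIM_BTC)
    tampered = swap_addresses(VICTIM_BTC, ATTACKER_WALLETS)   # what the clipper leaves behind
    print("clipboard now:", tampered, "alert:", detector.on_clipboard_read(tampered))
```

The check works because a clipper must keep the address family intact to stay unnoticed, so "copied an address, read back a different address" is a narrow signal with few benign causes; it does nothing for a user who copies an address from a web page the clipper has already rewritten, which is why exchanges also show the destination address on a second channel before releasing funds.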
In addition, a command-and-control (C2) address referenced in the Rilide code led to the discovery of several GitHub repositories belonging to a user named gulantin that contained loaders for the extension. The GitHub account has since been taken down.
Trustwave described the Rilide stealer as a good illustration of how malicious browser extensions are growing more sophisticated and of the threat they pose.
The upcoming enforcement of Manifest V3 may make things harder for threat actors, but it is unlikely to eliminate the problem, since Rilide would retain most of its functionality under the new specification.
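The following added example, not from the article or from Trustwave, maps an extension manifest onto the capabilities Rilide is described as using and compares a constructed MV2 manifest with its MV3 equivalent to show what the migration does and does not remove. The two manifests are assumed lookalikes, not Rilide's actual manifest, and the capability mapping is a heuristic based on the documented Chrome extension permission model rather than a complete policy check:

```python
import json
from typing import Dict, Set


def granted_hosts(manifest: dict) -> Set[str]:
    """Every host match pattern the extension can reach: MV2 puts them in `permissions`,
    MV3 in `host_permissions`, and both honour `content_scripts[].matches`."""
    hosts = {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    hosts.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def is_broad(pattern: str) -> bool:
    """Match patterns that cover every site rather than a named origin."""
    return pattern == "<all_urls>" or pattern.startswith(("*://*/", "http://*/", "https://*/"))


def capabilities(manifest: dict) -> Dict[str, bool]:
    """Map a manifest onto the stealer behaviours described in the article."""
    mv = manifest.get("manifest_version", 2)
    perms = set(manifest.get("permissions", []))
    broad_host = any(is_broad(h) for h in granted_hosts(manifest))
    broad_content_script = any(
        is_broad(m) for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])
    )
    return {
        # tabs / webNavigation / history give URL-level visibility of what the user browses
        "browsing_monitoring": bool(perms & {"tabs", "webNavigation", "history"}),
        # tabs.captureVisibleTab needs <all_urls> (or activeTab) in both manifest versions
        "screenshots": broad_host or "activeTab" in perms,
        # declared content scripts on every site, or programmatic injection:
        # MV2 tabs.executeScript needs only host access, MV3 scripting.executeScript also needs "scripting"
        "script_injection": broad_content_script or (broad_host and (mv == 2 or "scripting" in perms)),
        "request_observation": "webRequest" in perms,
        # blocking webRequest is MV2-only for ordinary extensions; MV3 moved blocking to declarativeNetRequest
        "request_blocking": mv == 2 and "webRequestBlocking" in perms,
        "clipboard_write": "clipboardWrite" in perms,
        # MV3 forbids remotely hosted code outright; MV2 could allow it through a relaxed CSP
        "remote_code_possible": mv == 2,
    }


def lost_under_mv3(mv2_manifest: dict, mv3_manifest: dict) -> Set[str]:
    """Behaviours the MV2 build has that its MV3 port cannot express."""
    before, after = capabilities(mv2_manifest), capabilities(mv3_manifest)
    return {name for name, had in before.items() if had and not after[name]}


def audit(manifest_json: str) -> Dict[str, bool]:
    """Convenience wrapper for a manifest.json read from an unpacked extension directory."""
    return capabilities(json.loads(manifest_json))


# Constructed lookalike manifests with the capability set described above; NOT Rilide's real manifest.
SAMPLE_MV2 = {
    "manifest_version": 2,
    "name": "Google Drive",
    "version": "1.0",
    "permissions": ["tabs", "storage", "webRequest", "webRequestBlocking", "clipboardWrite", "<all_urls>"],
    "background": {"scripts": ["background.js"], "persistent": True},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}],
}
SAMPLE_MV3 = {
    "manifest_version": 3,
    "name": "Google Drive",
    "version": "1.0",
    "permissions": ["tabs", "storage", "webRequest", "scripting", "clipboardWrite"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}],
}

if __name__ == "__main__":
    for m in (SAMPLE_MV2, SAMPLE_MV3):
        print("MV%d" % m["manifest_version"], json.dumps(capabilities(m), indent=2))
    print("lost in MV3:", sorted(lost_under_mv3(SAMPLE_MV2, SAMPLE_MV3)))
```

Pointing audit() at the manifest.json of an unpacked directory found through a side-loading shortcut gives a quick read on what the extension can do; for the two constructed manifests above, only blocking request interception and remotely hosted code drop out under MV3, while browsing monitoring, screenshots, script injection into every site, and clipboard writes all survive.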