Chromium-based browser users targeted by Rilide malware
Security researchers from Trustwave SpiderLabs have discovered a new strain of malware called Rilide, which specifically targets users of Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Opera.
The Rilide extension is disguised as a legitimate Google Drive extension and is capable of collecting system information, exfiltrating browsing history, taking screenshots, and injecting malicious scripts. The extension aims to compromise email accounts, including Outlook, Yahoo, and Google, and cryptocurrency accounts, such as Kraken, Bitget, Coinbase, and more, by serving forged MFA requests.
According to security researchers Pawel Knapczyk and Wojciech Cieslak, Rilide’s crypto exchange scripts support an automatic withdrawal function. While the withdrawal request is made in the background, the user is presented with a forged device authentication dialog to obtain the 2FA code. Email confirmations are also replaced on the fly if the user opens the mailbox in the same web browser: the withdrawal request email is swapped for a device authorization request, tricking the user into providing the authorization code.
The Rilide extension has been delivered through two separate campaigns, with the first using malicious Google ads, documents with macros, the Aurora stealer, and the Ekipa RAT (remote access trojan). It remains unclear whether there is any connection between the threat actors behind Ekipa RAT and those behind the Rilide infostealer, but it is probable that Ekipa RAT was tested as a means of distribution for Rilide before switching to Aurora stealer.
This is not the first time that SpiderLabs has observed malicious browser extensions, but the Rilide malware’s ability to use forged dialogs to deceive users into revealing their two-factor authentication codes, and then withdraw cryptocurrency in the background, is rare and effective. As part of their investigation, Trustwave SpiderLabs also discovered similar browser extensions being advertised for sale, and part of Rilide’s source code was recently leaked on an underground forum following a payment dispute.
The sources for this piece include an article in HelpNetSecurity.