Rilide masquerades as a legitimate Google Drive extension and allows cybercriminals to carry out a variety of activities including getting browsing history data, taking screenshots, and withdrawing funds from various cryptocurrency exchanges.
Cybersecurity researchers at Trustwave SpiderLabs have discovered a new strain of malware called Rilide that targets Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, and Opera and steals users’ cryptocurrencies.
Rilide virus impacts crypto holders
Rilide differs from other malware strains that SpiderLabs has encountered in that it employs forged dialogs to deceive users into handing off their revealing their two-factor authentication (2FA) codes. This allows the malware to withdraw cryptocurrencies in the background without the user’s knowledge.
During the investigation into Rilide’s origins, the researchers found similar browser extensions being advertised for sale and discovered that part of its code was recently released on an underground forum due to a payment dispute.
The researchers uncovered two malicious campaigns that lead to the installation of the Rilide extension. One such campaign involved a module that contained an encoded blob of data storing the URL for the Rilide loader.
The payload, which was hosted on Discord CDN, was saved to the %temp% directory and executed via the start-process PowerShell cmdlet.
Rilide leverages a Rust loader to install the extension if a Chromium-based browser is detected. The loader modifies shortcut files opening targeted web browsers, so that they are executed with the parameter –load-extension that points to the dropped malicious Rilide extension.
The malware’s background script attaches a listener to certain events and removes the Content Security Policy (CSP) directive for all requests, allowing the extension to perform an attack and load external resources that would be blocked by the CSP without such an approach.
Rilide’s crypto exchange scripts support a withdrawal function. While the withdrawals are processed in the background, the user is presented with a forged device authentication dialog to obtain their 2FA code. Email confirmations are replaced on the fly if the user enters their mailbox using the same web browser, tricking the user into providing the authorization code.
In the course of their research, SpiderLabs found several stealer extensions for sale with capabilities similar to Rilide, but they were unable to definitively link any of them to the malware. They also discovered a botnet sale advertisement from an underground forum dated March 2022, which included features such as a reverse proxy and ad clicker.
The botnet’s automatic withdrawal function attacked the same exchanges observed in the Rilide samples.
Rilide serves as a prime example of the developing sophistication of malicious browser extensions and the dangers they pose. Although the upcoming enforcement of manifest v3 may pose more challenges for threat actors to operate, it is rather unlikely to solve the issue completely, as most of the functionalities leveraged by Rilide will still be available.
To protect against such threats, it is essential to remain vigilant when receiving unsolicited emails or messages, and to stay informed about the latest cybersecurity threats and safety practices to minimize the risk of falling victim to phishing attacks.