New Rilide Malware Targeting Chromium-Based Browsers to Steal Cryptocurrency

April 4, 2023 | Ravie Lakshmanan | Browser Security / Cryptocurrency


Chromium-based web browsers are the target of a new malware strain named Rilide that masquerades as a seemingly legitimate browser extension in order to harvest sensitive data and siphon off cryptocurrency.

“Rilide malware disguises itself as a legitimate Google Drive extension that allows attackers to perform a wide range of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges,” said Trustwave SpiderLabs Research in a report shared with The Hacker News.

The stealer is also capable of displaying forged dialogs that trick users into entering a two-factor authentication code, which the malware then uses to withdraw digital assets.

Trustwave said it identified two different campaigns involving Ekipa RAT and Aurora Stealer that led to the installation of malicious browser extensions.

Ekipa RAT is distributed via booby-trapped Microsoft Publisher files, while rogue Google Ads serve as the delivery vector for Aurora Stealer, a delivery technique that has become increasingly common in recent months.

Both attack chains lead to the execution of a Rust-based loader that modifies the browser’s LNK shortcut file so that the browser is launched with the “--load-extension” command-line switch, which loads an unpacked extension straight from a local directory without going through the Chrome Web Store.
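The shortcut tampering described above leaves a visible trace: the browser’s command line carries a “--load-extension” argument pointing at a directory the user never installed from. The following added example (not Trustwave’s or the malware’s code) shows two cheap checks a defender can run: one over process command lines as an EDR or Sysmon Event ID 1 would record them, and one over the raw bytes of a .lnk file. The browser names, the trusted roots and the sample command lines are assumptions constructed for the example.

```python
"""Spot a Chromium browser launched with --load-extension, the switch a patched
shortcut relies on. Added example, not Trustwave's or the malware's code."""
import re
from pathlib import PureWindowsPath

# Assumption: the Chromium-family binaries an organisation expects to see.
CHROMIUM_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Assumption: unpacked extensions shipped by IT live under these roots; anything
# else (user profile, %TEMP%, ProgramData) is a sideload worth a look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# --load-extension takes a comma-separated list of directories; the value may be quoted.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def image_name(cmdline: str) -> str:
    """Basename of the executable in a Windows command line (quoted or bare)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    exe = (m.group(1) or m.group(2)) if m else ""
    return PureWindowsPath(exe).name.lower()


def load_extension_paths(cmdline: str) -> list:
    """Every directory handed to --load-extension, in command-line order."""
    paths = []
    for quoted, bare in LOAD_EXT_RE.findall(cmdline):
        for p in (quoted or bare).split(","):
            if p.strip():
                paths.append(p.strip().strip('"'))
    return paths


def suspicious_sideloads(cmdline: str) -> list:
    """Extension directories a Chromium browser loads from outside TRUSTED_ROOTS."""
    if image_name(cmdline) not in CHROMIUM_EXES:
        return []
    return [p for p in load_extension_paths(cmdline)
            if not p.lower().startswith(TRUSTED_ROOTS)]


def lnk_mentions_load_extension(data: bytes) -> bool:
    """Cheap triage of a shortcut file: the ShellLinkHeader begins with its size
    (0x4C) as a little-endian DWORD, and the StringData section (arguments
    included) is UTF-16LE, so the switch shows up as UTF-16LE bytes, not ASCII."""
    if not data.startswith(b"L\x00\x00\x00"):
        return False
    return "--load-extension".encode("utf-16-le") in data


# Constructed command lines in the shape an EDR would log; not real telemetry.
SAMPLE_CMDLINES = [
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default',
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    '--load-extension="C:\\Users\\alice\\AppData\\Roaming\\gdrive_ext"',
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
    '--load-extension=C:\\Users\\alice\\AppData\\Local\\Temp\\a,C:\\ProgramData\\b',
    '"C:\\Program Files\\Vendor\\Tool\\brave.exe" --load-extension="C:\\Program Files\\Vendor\\ext"',
    '"C:\\Windows\\System32\\notepad.exe" --load-extension=irrelevant',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        hits = suspicious_sideloads(line)
        print("ALERT" if hits else "ok   ", image_name(line), hits)
```

The command-line check is the one to wire into detection rules; the .lnk byte scan is only a triage shortcut for a handful of suspect files, because a full Shell Link parser is needed to tell the arguments field apart from, say, a description string.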

Rilide’s exact origins are unknown, but Trustwave says it was able to find an underground forum post made in March 2022 by a threat actor promoting the sale of a botnet with similar functionality.

Some of the malware’s source code was then leaked to forums following what appeared to be an unresolved payment dispute.


One notable feature implemented in the leaked source code is the ability to exchange cryptocurrency wallet addresses in the clipboard for actor-controlled addresses hardcoded in the sample.
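The clipboard-swap feature works because wallet addresses have recognisable shapes that a regular expression can pick out of arbitrary clipboard text. The following added example (not the leaked Rilide source) models that behaviour for Bitcoin base58, Bitcoin bech32 and Ethereum addresses, and pairs it with the user-side check that catches it: compare the address that was copied with the address that actually arrives at the paste target. The address patterns, the actor addresses and the sample clipboard text are constructed for the example; none of the addresses are real wallets.

```python
"""Model of a clipper's address swap and a check that detects it.
Added example, not Rilide's leaked code; all addresses below are constructed."""
import re

ADDRESS_PATTERNS = {
    # base58 alphabet: no 0, O, I or l; legacy/P2SH addresses start with 1 or 3
    "btc_base58": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    # bech32 alphabet (lowercase, no 1/b/i/o), human-readable part "bc"
    "btc_bech32": re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed, obviously fake "actor-controlled" addresses of each kind; a real
# clipper hardcodes one per currency, exactly as the leaked source does.
ACTOR_ADDRESSES = {
    "btc_base58": "1AttackerFakeAddr" + "X" * 17,
    "btc_bech32": "bc1" + "q" * 38,
    "eth": "0x" + "deadbeef" * 5,
}


def find_addresses(text: str) -> list:
    """(kind, address, offset) for every wallet address in text, in text order."""
    hits = []
    for kind, pat in ADDRESS_PATTERNS.items():
        hits.extend((kind, m.group(0), m.start()) for m in pat.finditer(text))
    return sorted(hits, key=lambda h: h[2])


def clipper_swap(clipboard: str, actor: dict = ACTOR_ADDRESSES) -> str:
    """What the clipper does on every clipboard write: replace each address with the
    actor's address of the same kind and leave every other character untouched,
    so the user sees nothing odd until the funds are gone."""
    out = clipboard
    for kind, pat in ADDRESS_PATTERNS.items():
        out = pat.sub(actor[kind], out)
    return out


def clipboard_swapped(copied: str, pasted: str) -> list:
    """(kind, expected, got) for each address that differs between what the user
    copied and what the paste target received; an empty list means no tampering.
    This is the check a wallet UI or a paranoid user performs before confirming."""
    before = [(k, a) for k, a, _ in find_addresses(copied)]
    after = [(k, a) for k, a, _ in find_addresses(pasted)]
    return [(k1, a1, a2) for (k1, a1), (k2, a2) in zip(before, after) if a1 != a2]


# Constructed victim addresses and clipboard text.
VICTIM_BTC = "1VictimAddrFake" + "X" * 19
VICTIM_ETH = "0x0123456789abcdef0123456789abcdef01234567"
COPIED = "pay BTC to %s and ETH to %s" % (VICTIM_BTC, VICTIM_ETH)

if __name__ == "__main__":
    tampered = clipper_swap(COPIED)
    print("clipboard after clipper:", tampered)
    for kind, expected, got in clipboard_swapped(COPIED, tampered):
        print("SWAPPED %s: %s -> %s" % (kind, expected, got))
```

The check only works if the "copied" side is captured before the clipboard is written, for example by the wallet that rendered the address; once the swap has happened, both sides read the same attacker address and a plain paste-and-compare is blind.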

Additionally, the command-and-control (C2) address specified in the Rilide code allowed Trustwave to identify various GitHub repositories belonging to a user named gulantin that contained the extension’s loader.

“The Rilide stealer is a prime example of the increasing sophistication and danger posed by malicious browser extensions,” concludes Trustwave.

“While the upcoming enforcement of Manifest v3 may make it more difficult for threat actors to operate, most of the features leveraged by Rilide will remain available, so the issue is unlikely to be fully resolved.”
