The principle of the malware is very similar to CryptoClipper, recently discovered by Kaspersky Lab.
Chromium-based web browsers have fallen victim to a new malware called Rilide. The malware disguises itself as a legitimate Google Drive extension and allows attackers to perform a wide range of malicious activities, including monitoring browsing history, taking screenshots, and most importantly, injecting malicious scripts to steal victim funds from various cryptocurrency exchanges.
Rilide can also display fake pop-up dialogs that trick users into entering a two-factor authentication code, making the theft of digital assets certain.
Trustwave claims to have found two different campaigns, involving Ekipa RAT and Aurora Stealer, that drop the Rilide loader, leading to the installation of a malicious Chromium extension.
While Ekipa RAT is spread through malicious Microsoft Publisher files, Aurora Stealer's delivery vector has been fraudulent Google Ads advertisements, a method that has become increasingly common among attackers in recent months.
Both attack chains end in the execution of the Rust-based Rilide loader, which in turn modifies the browser's shortcut file, adding the "--load-extension" launch option so that the browser loads the malicious add-on.
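The shortcut tampering described above leaves a visible trace that defenders can check for. The following is an added example, not code from the Trustwave report or from Rilide itself: it parses Windows-style Chromium command lines (as reconstructed from a shortcut's target plus arguments, or taken from process-creation telemetry) and extracts any paths passed via --load-extension. The sample command lines and paths are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample command lines modelled on the technique: a browser
# shortcut whose arguments were altered to pass --load-extension.
# None of the paths below are real indicators.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\victim\AppData\Local\Temp\gdrive_ext"',
    r'"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" --load-extension=C:\tmp\ext1,C:\tmp\ext2 --no-first-run',
    r'"C:\Windows\explorer.exe" --load-extension=irrelevant',
]

# Chromium-based browser executables that honour the --load-extension switch.
CHROMIUM_BINARIES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                     "vivaldi.exe", "chromium.exe"}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows-style command line, keeping quoted runs (which may
    contain spaces) together and dropping the surrounding quotes."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def load_extension_paths(cmdline: str) -> List[str]:
    """Return the extension directories a Chromium launch would side-load.
    Non-Chromium executables are ignored, since the switch is meaningless there."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in CHROMIUM_BINARIES:
        return []
    paths: List[str] = []
    for tok in tokens[1:]:
        # Chromium switches take their value after '='; the value may list
        # several directories separated by commas.
        if tok.startswith("--load-extension="):
            value = tok.split("=", 1)[1]
            paths.extend(p.strip() for p in value.split(",") if p.strip())
    return paths


def scan(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Flag every launch that side-loads an unpacked extension. Outside of
    developer workflows this switch is rare, so each hit deserves review."""
    return [(c, p) for c in cmdlines if (p := load_extension_paths(c))]


if __name__ == "__main__":
    for cmdline, paths in scan(SAMPLE_COMMAND_LINES):
        print("side-loaded extension(s):", paths)
```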
The exact origin of Rilide is unknown, but Trustwave said it found a post on an underground forum, made in March 2022, in which an attacker advertised a botnet with similar features for sale.
One of Rilide's notable features is its ability to replace a victim's cryptocurrency wallet address, once copied to the clipboard, with an attacker-controlled address taken from a hard-coded list, exactly as the CryptoClipper malware recently uncovered by Kaspersky Lab does.
Trustwave specialists tracked down the C2 server address specified in the Rilide code and thereby identified several GitHub repositories where the cybercriminals stored the loaders used to install the malicious extension. GitHub was made aware of the issue and promptly removed the account.
“The Rilide cryptostealer is a prime example of the growing sophistication of malicious browser extensions and the dangers they pose. While the upcoming introduction of Manifest v3 may make it harder for attackers to work, it is unlikely to completely solve the problem, since most of the features used by Rilide will still be available,” Trustwave concluded.