Cybersecurity researchers at Trustwave SpiderLabs Research have discovered a new malware strain targeting Chromium-based web browsers to steal cryptocurrency.
Dubbed Rilide, the malware masquerades as a seemingly legitimate Google Drive extension. However, it lets hackers monitor browser history, take screenshots, and inject harmful scripts to siphon cryptocurrency.
Chromium-based browsers include Google Chrome, Microsoft Edge, Brave, and Opera.
“Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges,” says Trustwave SpiderLabs Research.
Rilide can also display false dialogs to persuade users to enter two-factor authentication codes to withdraw cryptocurrency.
Trustwave has identified two campaigns involving Ekipa RAT and Aurora Stealer that resulted in Rilide’s installation.
Ekipa RAT is spread through malicious Microsoft Publisher files, while Aurora Stealer’s delivery vector is rogue Google Ads.
Both infiltrated systems through the execution of a Rust-based loader that alters the Chromium browser’s LNK shortcut file to use the “—load-extension” command line switch to activate the extension.
While its origins are unknown, Trustwave said it found a dark web forum post advertising a botnet with similar functionalities in March 2022.
“The Rilide stealer is a prime example of the increasing sophistication of malicious browser extensions and the dangers they pose,” says Trustwave.
“While the upcoming enforcement of manifest v3 may make it more challenging for threat actors to operate, it is unlikely to solve the issue entirely as most of the functionalities leveraged by Rilide will still be available.”
