Official forum for Utopia Community
Rilide is a new variant of malware that targets Chromium-based web browsers in an effort to steal cryptocurrency and sensitive data.
Pawel Knapczyk, a security researcher with Trustwave, claimed in a report shared with The Hacker News that the extension "exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3 and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures."
The cybersecurity firm discovered two distinct attack chains using Ekipa RAT and Aurora Stealer to deploy rogue browser extensions capable of data and cryptocurrency theft in April 2023, which is when Rilide was first identified. A performer by the name of "friezer" is selling it for $5,000 on dark web forums.
The malware has a wide range of features that enable it to disable other browser add-ons, gather browsing history and cookies, collect login credentials, take screenshots, and inject malicious scripts to withdraw money from different cryptocurrency exchanges.
As a result of the extension's use of Chrome Extension Manifest V3, a contentious change to Google's application programming interface (API) that aims to limit extensions' access to broad functionality, the updated version also shares similarities with malware known as CookieGenesis and tracked by Trellix.
[Image: Rilide data theft malware]
One of the significant updates, according to Knapczyk, is that extensions can no longer load remote JavaScript code and run arbitrary strings. "Specifically, all logic must be included in the extension package to enable a more dependable and efficient review process for extensions submitted to the Chrome Web Store."
The malware relies on the use of inline events to execute malicious JavaScript code, according to Trustwave, who added that this has resulted in a complete refactoring of Rilide's core capabilities.
In order to trick unwary users into installing the malware as part of three different campaigns, two Rilide artifacts that have been discovered in the wild imitate the GlobalProtect app from Palo Alto Networks. Users in Australia and the U.S. are targeted specifically by one set of attacks.
It's believed that the threat actors use phony landing pages hosting genuine AnyDesk remote desktop software and employ vishing techniques to persuade potential targets to install the program, then use the remote access to deploy the malware.
Another important change to the mode of operation is the use of a PowerShell loader to alter the Secure Preferences file of the browser, which maintains the state of a user's individual browsing session, in order to launch the application with the extension loaded permanently.
Based on the registrant data, a deeper examination of the command-and-control (C2) domain reveals connections to a larger group of websites, many of which have been seen hosting malware like Bumblebee, IcedID, and Phorpiex.
It's important to note that the Rilide extension's source code was compromised in February 2023, raising the possibility that threat actors other than the original author may have taken over the development efforts.
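As an added example (not from the article or from the forum post), here is a small defender-side check for the persistence step described above: it parses a constructed sample of Chromium's Secure Preferences JSON and lists extensions that were not installed from the Web Store or that are loaded from an unpacked directory. The key names follow Chromium's real Secure Preferences layout, but the location-code mapping is an assumption and every ID, path and MAC value is made up.

```python
import json
import sys

# Constructed sample of the JSON kept in Chromium's "Secure Preferences" file
# (only the keys this check needs). Extension IDs, paths and MACs are made up.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": 1, "state": 1,
                "manifest": {"name": "Legit Store Extension", "version": "2.0"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False, "location": 4, "state": 1,
                "path": "C:\\Users\\Public\\GlobalProtect\\ext",
                "manifest": {"name": "GlobalProtect", "version": "1.0",
                             "permissions": ["cookies", "tabs", "<all_urls>"]},
            },
        }
    },
    "protection": {"macs": {}, "super_mac": "0000"},
})

# Assumed ManifestLocation codes (from Chromium source): 1 = internal (.crx /
# Web Store install), 4 = unpacked directory, 8 = loaded via command line.
SUSPECT_LOCATIONS = {4, 8}


def find_suspect_extensions(secure_prefs_text):
    """Return (extension_id, name, reason) for each extension that was not
    installed from the Web Store or is loaded unpacked / from the command line."""
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        name = entry.get("manifest", {}).get("name", "<unknown>")
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        if entry.get("location") in SUSPECT_LOCATIONS:
            reasons.append(f"location={entry['location']} (unpacked/side-loaded)")
        if reasons:
            findings.append((ext_id, name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Pass a real "Secure Preferences" path as argv[1], else use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SECURE_PREFS
    for ext_id, name, reason in find_suspect_extensions(text):
        print(f"{ext_id}  {name!r}: {reason}")
```

On a real profile the file sits in the profile directory (e.g. `User Data\Default\Secure Preferences` on Windows); an unexpected entry with `from_webstore: false` and an on-disk `path` is worth correlating with the PowerShell activity the post describes.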
The Malware Threat Targeting Chromium-Based Browsers
In light of recent reports from cybersecurity firm Trustwave, it's crucial for users of Chromium-based web browsers to be vigilant against the emerging threat of Rilide malware. This sophisticated variant poses a significant risk to both personal data and cryptocurrency holdings. With its ability to disable other browser add-ons, gather sensitive information, and execute malicious scripts, Rilide represents a new frontier in cybercrime.
As users, it's essential to stay informed about the latest security threats and take proactive measures to safeguard our online activities. This includes exercising caution when downloading browser extensions or software from unfamiliar sources, as well as regularly updating security software and conducting thorough scans for any signs of malicious activity.
Balancing Security and Functionality in Chrome Extensions
The introduction of Manifest V3 by Google aimed to enhance security by limiting the capabilities of Chrome extensions, yet it appears that malware developers have adapted to these changes, as evidenced by the emergence of Rilide. This raises important questions about the efficacy of Manifest V3 in thwarting sophisticated threats.
While Manifest V3 may have succeeded in curbing certain malicious behaviors, such as the ability to load remote JavaScript code, it's evident that threat actors have found workarounds, such as utilizing inline events to execute malicious code. This underscores the ongoing cat-and-mouse game between cybersecurity experts and malicious actors in the digital landscape.