uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,018

Rilide Data Theft Malware Updates to Comply with Chrome Extension

Rilide is a new variant of malware that targets Chromium-based web browsers in an effort to steal cryptocurrency and sensitive data.

Pawel Knapczyk, a security researcher with Trustwave, claimed in a report shared with The Hacker News that the extension "exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3 and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures.".

The cybersecurity firm discovered two distinct attack chains using Ekipa RAT and Aurora Stealer to deploy rogue browser extensions capable of data and cryptocurrency theft in April 2023, which is when Rilide was first identified. A performer by the name of "friezer" is selling it for $5,000 on dark web forums.

The malware has a wide range of features that enable it to disable other browser add-ons, gather browsing history and cookies, collect login credentials, take screenshots, and inject malicious scripts to withdraw money from different cryptocurrency exchanges.

As a result of the extension's use of Chrome Extension Manifest V3, a contentious change to Google's application programming interface (API) that aims to limit extensions' access to broad functionality, the updated version also shares similarities with malware known as CookieGenesis and tracked by Trellix.

malware called Rilide Data Theft.
One of the significant updates, according to Knapczyk, is that extensions can no longer load remote JavaScript code and run arbitrary strings. "Specifically, all logic must be included in the extension package to enable a more dependable and efficient review process for extensions submitted to the Chrome Web Store. ".

The malware relies on the use of inline events to execute malicious JavaScript code, according to Trustwave, who added that this has resulted in a complete refactoring of Rilide's core capabilities.

In order to trick unwary users into installing the malware as part of three different campaigns, two Rilide artifacts that have been discovered in the wild imitate the GlobalProtect app from Palo Alto Networks. Users in Australia and the U.S. are targeted specifically by one set of attacks. K.

It's believed that the threat actors use phony landing pages hosting genuine AnyDesk remote desktop software and employ vishing techniques to persuade potential targets to install the program, then use the remote access to deploy the malware.

Another important change to the mode of operation is the use of a PowerShell loader to alter the Secure Preferences file of the browser, which maintains the state of a user's individual browsing session, in order to launch the application with the extension loaded permanently.

Based on the registrant data, a deeper examination of the command-and-control (C2) domain reveals connections to a larger group of websites, many of which have been seen hosting malware like Bumblebee, IcedID, and Phorpiex.

It's important to note that the Rilide extension's source code was compromised in February 2023, raising the possibility that threat actors other than the original author may have taken over the development efforts.