uTalk
Official forum for Utopia Community
You are not logged in.
- Topics: Active | Unanswered
#1 2023-04-04 22:01:04
- thrive
- Member
- Registered: 2023-01-04
- Posts: 1,974
Chromium browsers are the target of Rilide malware that steals crypto
Rilide is a new piece of malware that targets Chromium-based web browsers and poses as a legitimate extension in order to steal cryptocurrency and harvest sensitive information.
"Rilide malware impersonates a legitimate Google Drive extension and gives threat actors access to a wide range of malicious operations, including monitoring.
Trustwave SpiderLabs Research noted that attackers were "browsing history, taking screenshots, and injecting malicious scripts to withdraw money from different cryptocurrency exchanges.".
Additionally, users can be tricked into entering a two-factor authentication code to withdraw digital assets by the stealer malware's ability to display forged dialog boxes.
The malicious browser extension was installed as a result of two separate campaigns, according to Trustwave, involving the Ekipa RAT and Aurora Stealer.
Ekipa RAT is spread through malicious Microsoft Publisher files, but Aurora Stealer uses a technique that has become more and more common in recent months: rogue Google Ads.
Both attack chains enable the execution of a Rust-based loader, which in turn modifies the browser's LNK shortcut file and uses the "--load-extension" command line switch to launch the add-on.
Rilide's precise ancestry is unknown, but Trustwave claimed to have located a threat actor's advertisement for the sale of a botnet with similar features in a hidden forum post from March 2022.
Following what seems to be an unresolved payment dispute, a portion of the malware's source code has since made its way to the forums.
The ability to swap cryptocurrency wallet addresses in the clipboard with an actor-controlled address hard-coded in the sample is one notable feature implemented in the exposed source code.
Furthermore, it has been possible to locate numerous GitHub repositories owned by a user by the name of gulantin that contain loaders for the extension thanks to a command-and-control (C2) address specified in the Rilide code.
According to Trustwave, "The Rilide stealer is a prime example of the dangers that malicious browser extensions pose and their growing sophistication.".
"While the impending implementation of manifest v3 may make it harder for threat actors to operate, it is unlikely to completely resolve the issue because most of the functionalities used by Rilide will still be available. ".
Offline