Researchers discovered a new malware dubbed as Rilide that fakes legitimate Google Drive extensions to inject malicious scripts and steal cryptocurrency.
The malware targets Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, and Opera.
Rilide uses malicious browser extensions. It has a standout capability to simulate dialogs. Using forged dialogs, the malware lures users to disclose their 2FA. Then, it will steal their cryptocurrencies.
Snatching cryptocurrency is not the only superpower the new malware has. Hackers can also use Rilide for spying activities, like monitoring browsing history and taking screenshots.
Researchers found part of the new malware`s source code was leaked on underground forums. One standout features implemented in the leaked source code is the malware`s ability to swap cryptocurrency wallet addresses by using an actor-controlled address hard-coded in the sample.
A C2 address specified in the Rilide code has made it possible to identify various GitHub repositories belonging to a user named gulantin that contains loaders for the extension. GitHub has taken down the account in question.
Researchers discovered two malicious campaigns that aim to install the Rilide extension: Ekipa RAT and Aurora Stealer. Both attack chains use the execution of a Rust-based loader. The loader changes the browsers’ LNK shortcut file and employs the “–load-extension” command line switch to launch the add-on.
Ekipa RAT Method
One of the Rilide samples is spread through a malicious Microsoft Publisher file. It is part of Ekipa RAT, a Remote Access Trojan (RAT).
Aurora Stealer Method
The malware is spread through forged Google Ads. This seems to be lately one of the hackers` favorite ways of working and first discovered as a Malware-as-a-Service on Russian-speaking underground forums last year.
Indicators of Compromise