New Rilide Stealer into the limelight

Researchers have spotted a new version of Rilide Stealer that has been discovered, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera to steal sensitive data and cryptocurrency

The updated version shares similarities with malware tracked as CookieGenesis. The new version of Rilide Stealer along with other harmful malware such as Bumblebee, IcedID, and Phorpiex. 

They were distributed via1300 phishing websites. These websites impersonated various entities, including banks, government services, software companies, delivery services, and crypto token airdrops.  

In one campaign, attackers leveraged a PowerPoint phishing lure and a fake Palo Alto GlobalProtect plugin to target corporate users.

The second campaign contained a fake P2E games installer advertised on Twitter that was used to drop Rilide and Redline Stealer.

A third campaign focused on banking users in Australia and the U.K, stealing cryptocurrencies from wallets by employing AngelDrainer scripts.

The latest version shares similarities with its  predecessor discovered during earlier this year. The latest Rilide version exhibits a higher level of sophistication through code obfuscation and adaptation to the Chrome Extension Manifest V3.

It includes a new command called ‘screenshot_rules,’ letting attackers capture active tab screenshots at regular intervals.  Also, it has the ability to exfiltrate stolen data such as credit card details to a Telegram channel.

It’s worth noting that the source code of the Rilide extension was leaked in February, raising the possibility that threat actors other than the original group are picking up the development efforts.

The research was documented by researchers from TrustWave

Indicators of Compromise

• frz-panel[.]su
• lsadksajpenal[.]su
• edd2ed2[.]online
• proyectopatentadomxapostol[.]com
• assets[.]bnbcoinstatic[.]com
• tes123123t[.]com
• web-lox[.]com
• pupkalazalupka[.]com
• extension-login[.]com
• io-web[.]cc
• ext-panel[.]website
• extensionsupdate[.]com
• blackfox[.]lol
• silent-scale[.]com
• getvoyagebox[.]org
• https://download[.]hdoki[.]org/yzxdhdxsqkmvcayrtevs/Riot Revelry 1.0.2.exeFake P2E games installers
• https://download[.]hdoki[.]org/yzxdhdxsqkmvcayrtevs/Night Predators 1.0.2.exe
• nightpredators[.]com
• riotrevelry[.]com
• 8caaafe787c9e3d59486ec129b4259764641999b0f1de6b5b46d3773e96442c8
• 3aa913da9591d998a229acec529eb58b1fea14b403b92f56dde47a8425739473
• 6e9c56301605aeeb0efcbbfbf10008dba7a8b99963f02256d1b28fbc30df7907