
Rilide Stealer

A previously unknown malware threat named Rilide Stealer has been uncovered targeting web browsers based on the Chromium engine. The malware is designed to deceive users by disguising itself as a legitimate Google Drive extension. However, once installed, it can carry out a variety of malicious activities, including monitoring a user's browsing history, taking screenshots, and injecting harmful scripts.

The Rilide Stealer is also capable of stealing sensitive data and siphoning cryptocurrency from various crypto exchanges. Rilide can display forged prompts that trick the user into entering a two-factor authentication code, which the malware then uses to complete a withdrawal from the victim's exchange account. This makes Rilide a significant threat to anyone who uses a Chromium-based web browser. Details about Rilide Stealer and its attack campaigns were released to the public in a report by the researchers at Trustwave SpiderLabs Research.

Two Different Attack Campaigns Deploy the Rilide Stealer

According to the published findings, two separate attacks were discovered: one used Ekipa RAT and the other used Aurora Stealer to install the Rilide malware posing as a browser extension. Ekipa RAT is spread through weaponized Microsoft Publisher files, while Aurora Stealer is distributed through rogue Google Ads, a tactic that has grown in popularity among cybercriminals. Both attack chains end with a Rust-based loader being executed. Once running, the loader modifies the browser's LNK shortcut file, adding the "--load-extension" command-line switch so that the browser sideloads the malicious add-on whenever it is started from that shortcut. Because "--load-extension" loads an unpacked extension straight from a directory on disk, the add-on never passes through the Chrome Web Store; checking the arguments stored in browser shortcuts for that switch is therefore a practical way to hunt for this persistence technique.
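The following is an added example, not code from the Trustwave report or from the malware itself, of a hunt script for the persistence step described above. It reads the COMMAND_LINE_ARGUMENTS string directly out of Windows .lnk files using the documented shell link layout (MS-SHLLINK), so it runs on shortcuts collected from a disk image on any platform, and reports every path passed through a --load-extension switch. The tampered shortcut it checks is a constructed sample with a hypothetical extension path, built by the helper in the block; it is not an artefact from a real infection.

```python
"""Hunt for Chromium shortcuts that sideload an extension via --load-extension.

Added example (not Trustwave's or the malware's code). The sample shortcut built
by build_lnk() below is constructed for demonstration; the extension path in it
is hypothetical.
"""
import re
import struct
from typing import Optional

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Chromium switch syntax: --load-extension=path[,path...], value optionally quoted.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))')


def parse_lnk_arguments(data: bytes) -> Optional[str]:
    """Return the COMMAND_LINE_ARGUMENTS StringData of a .lnk, or None if it has none."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList (2-byte size prefix, not counted in size)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo (4-byte size prefix, counted in size)
        pos += struct.unpack_from("<I", data, pos)[0]
    # StringData blocks follow in this fixed order, each present only if its flag is set.
    char_size = 2 if flags & IS_UNICODE else 1
    encoding = "utf-16-le" if flags & IS_UNICODE else "cp1252"
    args = None
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        text = data[pos:pos + count * char_size].decode(encoding)
        pos += count * char_size
        if flag == HAS_ARGUMENTS:
            args = text
    return args


def extension_paths(cmdline: str) -> list:
    """Return every directory passed through --load-extension in a command line."""
    paths = []
    for quoted, bare in LOAD_EXT_RE.findall(cmdline):
        value = quoted if quoted else bare
        paths.extend(p for p in value.split(",") if p)
    return paths


def build_lnk(arguments: str, working_dir: str = r"C:\Program Files\Google\Chrome\Application") -> bytes:
    """Build a minimal shell link carrying the given arguments (constructed sample, not a real shortcut)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, timestamps, icon, show cmd, reserved: zeroed
    id_list = b"\x04\x00AB" + b"\x00\x00"  # one dummy ItemID followed by the TerminalID
    body = struct.pack("<H", len(id_list)) + id_list
    for text in (working_dir, arguments):  # WORKING_DIR then COMMAND_LINE_ARGUMENTS
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: a shortcut tampered the way the loader does it (hypothetical path) and a clean one.
SAMPLE_TAMPERED = build_lnk(r'--load-extension="C:\Users\victim\AppData\Local\Temp\gdrive_ext" --no-first-run')
SAMPLE_CLEAN = build_lnk("")


def scan_shortcut(data: bytes) -> list:
    """Return the sideloaded extension directories referenced by a .lnk, empty if none."""
    return extension_paths(parse_lnk_arguments(data) or "")


if __name__ == "__main__":
    import sys
    from pathlib import Path
    print("constructed tampered sample ->", scan_shortcut(SAMPLE_TAMPERED))
    # Scan every .lnk under the directories given on the command line (Desktop, Start Menu, taskbar pins...).
    for root in sys.argv[1:]:
        for lnk in Path(root).rglob("*.lnk"):
            try:
                found = scan_shortcut(lnk.read_bytes())
            except (ValueError, struct.error):
                continue  # not a shell link, or truncated
            if found:
                print(f"{lnk}: --load-extension -> {found}")
```

The parser deliberately does not try to resolve the link target, only the stored argument string, so it also works on shortcuts whose target path has been rewritten. Any hit on a browser shortcut is worth triaging by hand: developers do use --load-extension, but on a user's workstation it is far more often the sign of a sideloaded extension.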

The Rilide Stealer is Capable of Performing an Automatic Cryptocurrency Withdrawal

Rilide Stealer is equipped with an automatic withdrawal function for cryptocurrency exchanges. While this function operates in the background, the user is shown a forged device authentication dialog box that mimics a commonly used legitimate security feature, in order to obtain the 2FA (two-factor authentication) code. That code is the measure the exchange relies on to confirm the user's identity and approve the withdrawal request, so handing it to the dialog hands it to the attacker.

Furthermore, Rilide has the ability to replace the email confirmations that the exchange sends to notify the user about the withdrawal request. If the user opens their email account in the same web browser, these confirmations are rewritten on the fly by the injected scripts: the withdrawal confirmation is replaced with a device authorization request, tricking the user into providing the authorization code. As a consequence, the attacker is able to bypass the security measures put in place by the exchange and steal funds from the user's account. Note that the rewriting happens inside the victim's browser, so the exchange's own systems see a legitimately confirmed withdrawal.

Cybercriminals Continue to Develop Sophisticated Threats

The Rilide stealer is an example of the increasing sophistication of malicious browser extensions. Rilide disguises itself as a legitimate Google Drive extension but is in fact a tool used by threat actors to carry out a wide range of malicious activities, including taking screenshots, spying on the victim's browsing history, and injecting malicious scripts to steal funds from cryptocurrency exchanges.

Be vigilant and exercise caution when dealing with unsolicited emails or messages, and treat a browser-based "device authentication" prompt that appears out of nowhere with suspicion. Two concrete checks help against this particular threat: review the extensions listed at chrome://extensions (or the equivalent page in other Chromium browsers) for anything loaded from a local folder that you did not install yourself, and inspect the arguments on your browser shortcuts for a "--load-extension" switch, which a legitimate shortcut does not normally carry. To keep down the risk of falling victim to phishing attacks, it is also paramount to stay informed about the latest cybersecurity threats and the best practices to stop them. By keeping up with the latest developments in cybersecurity, individuals can take proactive measures to protect their personal information and safeguard against potential attacks.
