The Rilide Stealer Chrome browser extension, initially discovered in April 2023, has resurfaced in new campaigns targeting both cryptocurrency users and enterprise employees. The malicious extension has evolved from posing as a legitimate Google Drive extension to working within Google's current extension specifications, allowing it to steal credentials and crypto wallets and even to target banking accounts.
Rilide relies on Telegram and GitHub repositories, using malicious configurations to drive actions such as capturing screenshots and sending stolen data to a central server. Multiple campaigns involve tactics such as phishing through typosquatting domains, impersonating reputable entities like Palo Alto, and directing victims to bogus blockchain games promoted on Twitter.
Despite Google's efforts with Manifest V3, Rilide has adapted, making its campaigns difficult to trace. The malware's affordability and leaked source code have made it popular among hackers, indicating its lasting impact on the cybersecurity landscape.
A new variant of the Rilide stealer malware has emerged, focusing on enterprise employees and cryptocurrency wallets. This version successfully bypasses the restrictions of the Chromium browser's Manifest V3. Trustwave SpiderLabs first discovered Rilide, a malicious browser extension, in April 2023.
This advanced iteration targets not only credentials but also banking accounts in Australia and the UK. It uses Telegram for data exfiltration and captures screenshots periodically. The malware's capabilities include enabling and disabling browser extensions, capturing browsing history, stealing credentials, injecting malicious scripts for cryptocurrency theft, and integrating with the CursedChrome tool.
Threat actors used Twitter campaigns advertising fake Play-to-Earn blockchain games to distribute the Rilide and Redline stealers. Trustwave SpiderLabs published an extensive report outlining Rilide's attack vectors, source code, and mitigation tactics, along with indicators of compromise to assist security teams.