New Campaigns Target Cryptocurrency and Enterprises
The Rilide Stealer Chrome browser extension

The Rilide Stealer Chrome browser extension, initially discovered in April 2023, has resurfaced in new campaigns targeting both cryptocurrency users and enterprise employees. The malicious extension has evolved from posing as a legitimate Google Drive extension to adapting to Google's Manifest V3 extension specification, and it steals credentials and cryptocurrency wallets and targets banking accounts.

Rilide obtains its configuration from Telegram and GitHub repositories; that configuration directs actions such as capturing screenshots and sending stolen data to a central server. The campaigns use tactics such as phishing through typosquatting domains, impersonating reputable entities such as Palo Alto, and directing victims to bogus blockchain games promoted on Twitter.

Despite the restrictions Google introduced with Manifest V3, Rilide has adapted, and its campaigns remain difficult to trace. The malware's low price and leaked source code have made it popular among criminal actors, suggesting it will remain in circulation for some time.

A new variant of the Rilide stealer has emerged, focusing on enterprise employees and cryptocurrency wallets. This version bypasses the restrictions of Chromium's Manifest V3. Trustwave SpiderLabs first documented Rilide, a malicious browser extension, in April 2023.

This iteration targets not only credentials but also banking accounts in Australia and the UK. It uses Telegram for data exfiltration and captures screenshots periodically. Its capabilities include enabling and disabling other browser extensions, capturing browsing history, stealing credentials, injecting malicious scripts for cryptocurrency theft, and integrating with the CursedChrome tool.
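The capabilities listed above (toggling other extensions, reading history, injecting scripts into pages, exfiltrating data) map onto a recognisable set of Chrome extension permissions and host patterns. The following audit script is an added example, not code from the article or from Trustwave's report, and the two manifests it checks are constructed for illustration rather than taken from Rilide. It flags the permission combinations a stealer-style extension needs so that an analyst can triage the extensions installed in a fleet; the risk thresholds are an assumption chosen for the example.

```python
"""Audit Chrome extension manifests for stealer-style permission sets.

Added example with constructed manifests; none of this is Rilide's code.
"""
import json

# Permission -> why a defender cares. Presence alone is not proof of malice,
# but several together on an unknown extension deserve a closer look.
SENSITIVE_PERMISSIONS = {
    "cookies": "read session cookies on granted hosts",
    "history": "read browsing history",
    "management": "enable or disable other extensions",
    "scripting": "inject scripts into pages",
    "tabs": "read URLs and titles of open tabs",
    "webRequest": "observe web requests",
    "clipboardRead": "read the clipboard",
}

# Host patterns that grant access to every site the browser visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _broad_hosts(patterns):
    """Return the subset of match patterns that cover every site."""
    return sorted(p for p in patterns if p in BROAD_HOST_PATTERNS)


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one manifest (empty list = nothing notable)."""
    findings = []
    perms = set(manifest.get("permissions", []))

    for name in sorted(perms & set(SENSITIVE_PERMISSIONS)):
        findings.append(f"permission '{name}': {SENSITIVE_PERMISSIONS[name]}")

    # Manifest V3 moved host access into host_permissions; Manifest V2 listed
    # host patterns directly under permissions, so check both places.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for pattern in _broad_hosts(hosts):
        findings.append(f"host permission '{pattern}': access to every site")

    # Content scripts that match every URL run in every page the user opens.
    for script in manifest.get("content_scripts", []):
        for pattern in _broad_hosts(script.get("matches", [])):
            findings.append(f"content script {script.get('js', [])} runs on '{pattern}'")

    # tabs + scripting + broad host access lets the extension run code in any
    # open tab on demand, which is what credential and wallet theft needs.
    if {"tabs", "scripting"} <= perms and _broad_hosts(hosts):
        findings.append("tabs + scripting + broad hosts: can run code in any open tab")

    return findings


def risk_level(findings: list) -> str:
    """Coarse triage bucket; the thresholds are an assumption for this example."""
    if len(findings) >= 4:
        return "high"
    if findings:
        return "medium"
    return "low"


def audit_file(path: str) -> list:
    """Audit a manifest.json on disk (e.g. from a user's extension directory)."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(json.load(fh))


# Constructed sample manifests (not real extensions).
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Cloud Drive Helper",
    "permissions": ["tabs", "scripting", "cookies", "history", "management", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Notes",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = audit_manifest(manifest)
        print(f"{label}: risk={risk_level(found)}")
        for line in found:
            print("  -", line)
```

Run against a fleet, the script is pointed at each profile's extension directory with `audit_file`, and anything rated high that is not on an allow-list is pulled for manual review. The permissions it flags are also legitimately used by password managers and developer tools, so the output is a triage queue, not a verdict.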

Threat actors used Twitter campaigns advertising fake Play-to-Earn blockchain games to distribute the Rilide and RedLine stealers. Trustwave SpiderLabs published an extensive report covering Rilide's attack vectors, source code, and mitigation tactics, along with indicators of compromise to assist security teams.