Rilide, a sophisticated malware, has been masquerading as a legitimate browser extension to steal sensitive information from users of Chromium-based browsers like Google Chrome and Microsoft Edge.
First identified in April 2023, this malware is designed to capture screenshots, log passwords, and collect credentials for cryptocurrency wallets.
It often disguises itself as a Google Drive utility, aiming to deceive users into installing it by promising to save content to Google Drive.
Delivery Mechanisms and Intrusion Chain
Rilide is primarily delivered through phishing websites and malicious advertisements.
Recent campaigns have utilized diverse tactics, including PowerPoint lures, Twitter redirects, and Google Ads, to lead users to phishing sites that download the malware.
In some cases, a PowerShell loader is used to install the extension, though the method of delivering this loader to users remains unclear.
The malware has adapted to comply with Chrome Extension Manifest V3, ensuring all its logic is contained within the extension package itself.
Once installed, Rilide injects scripts into web pages to collect credentials and cryptocurrency information.
It accesses clipboard data and system information and interacts with web storage.
The extension uses a service worker named ToggleTest.js to execute commands and take screenshots.
It also employs files like OpenRemove.js and AlertReceive.js to collect data from web pages and interact with the clipboard.
Communication and Exfiltration
Rilide communicates with its Command and Control (C2) server by querying blockchain services to resolve the server’s address.
According to the Report, this address is encoded in a Bitcoin address and is used to exfiltrate system information and other stolen data back to the C2 server via POST requests.
The malware can modify network requests and remove content security policies to facilitate its operations.
To protect against Rilide, users should avoid installing extensions from untrusted sources and regularly review installed extensions for unnecessary permissions.
Enabling PowerShell logging and restricting its usage can also help mitigate the threat.
Additionally, users should be cautious of phishing attempts and ensure their browsers are updated with the latest security patches.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free
