The malware itself has been dubbed Rilide by security researchers at Trustwave SpiderLabs who explained in a new report that it can carry out a wide range of malicious activities including monitoring browsing history, taking screenshots and stealing cryptocurrency using scripts injected into websites.
Although the Rilide malware is being spread through a fake Google Drive browser extension, the cybersecurity firm also discovered another campaign abusing Google Ads and the Aurora Stealer to load the extension using a Rust loader according to BleepingComputer.
This could indicate that its creators are using a Malware-as-a-Service business model to sell Rilide to other cybercriminals who then use it in their own attacks since Trustwave did find a post on a hacking forum in March of last year advertising a botnet with similar capabilities.
Either way, Rilide is certainly a malware strain to look out for, especially since it’s able to intercept two-factor authentication (2FA) codes and take over both email and crypto accounts.
Hijacking Chromium-based browsers
The loader used by Rilide modifies the browser shortcut files in Chrome or Edge to automate the malicious browser extension dropped onto infected systems by the malware.
From here, it runs a script that monitors when a user infected by the malware switches tabs, receives content from the web or when a web page finishes loading. At the same time, it also checks if the website a user is on matches a list of targets on a command and control (C&C) server controlled by the hackers behind the campaign.
When one of the sites is a match, the malicious extension then loads additional scripts that are injected into a web page to steal sensitive information from victims related to crypto, their email account credentials and more.
The extension dropped by Rilide can even disable a security feature called “Content Security Policy” which is used to protect against cross site scripting (XSS) attacks. This allows it to load external resources that would normally be blocked by your browser.
One thing Rilide is particularly good at is stealing cryptocurrency. It does this by using fake dialogs to trick victims into entering their temporary codes. This system is activated once a victim tries to withdraw crypto from a cryptocurrency exchange.
Surprisingly, the Rilide malware can also replace email confirmations in a victim’s inbox if they access their email using the same browser which people often do.
How to stay safe from malicious browser extensions
In its report on the matter, Trustwave SpiderLabs points out that when Google begins enforcing Manifest V3 that it might make it more difficult for hackers to use malicious extensions in their attacks. However, it won’t solve the issue entirely since “most of the functionalities leveraged by Rilide will still be available”.
When it comes to protecting yourself from malicious browser extensions, the best antivirus software can help prevent you from becoming infected with malware or having your data stolen. Likewise, the best identity theft protection services can help you regain lost funds stolen by hackers and restore your identity if it’s stolen.
When installing new browser extensions, you want to only use trusted sources like the Chrome Web Store or the Microsoft Edge Add-ons store. It’s also worth limiting the number of extensions you have installed in your browser in the same way that you want to avoid installing unnecessary apps on your smartphone.
Given the complexity of the Rilide malware and the malicious browser extension it uses, this likely isn’t the last time we’ll hear about it being used by hackers in their attacks.