Trustwave SpiderLabs specialists recently discussed the new Rilide malware, which steals confidential data and cryptocurrency, targeting Chromium-based browsers. The malware masquerades as a legitimate Google Drive extension and allows attackers to perform a wide range of malicious activities, including monitoring browser history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges. Additionally, the malware can display fake dialog boxes to force users to enter a two-factor authentication code to confirm the transfer of digital assets.
Analysts identified two separate campaigns, one involving Ekipa RAT and one involving Aurora Stealer, that both ended with the malicious extension being installed. Ekipa RAT is distributed through malicious Microsoft Publisher files, while Aurora Stealer is spread mainly through fraudulent Google Ads. Both attack chains end in the execution of a Rust loader, which modifies the browser's LNK shortcut file and adds the --load-extension switch so that the browser starts with the malicious extension loaded.
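Because the loader persists by editing the browser shortcut rather than installing the extension through the Web Store, the LNK arguments are a natural place for a defender to look. The following is an added example, not code from the Trustwave report: a small audit routine that takes shortcut target/argument pairs (as a LNK parser would extract them; the sample entries below are constructed, not real indicators) and flags Chromium-based browser shortcuts that carry --load-extension, noting when the sideloaded extension lives in a user-writable directory. The binary names and directory markers are assumptions chosen for illustration.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Chromium-based browser executables we care about (assumed list for the example).
CHROMIUM_BINARIES = {
    "chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe",
}

# Path fragments (lower-case) that indicate a user-writable location; an unpacked
# extension loaded from one of these is more suspicious than one under Program Files.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Matches --load-extension=VALUE or --load-extension VALUE, quoted or not.
_LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Constructed sample data: shortcut name -> (target executable, argument string).
# This is NOT data from the report; it only illustrates the shape of the input.
SAMPLE_SHORTCUTS = {
    "Google Chrome.lnk": (
        r"C:\Program Files\Google\Chrome\Application\chrome.exe", ""),
    "Microsoft Edge.lnk": (
        r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "--profile-directory=Default"),
    "Chrome (modified).lnk": (
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'--load-extension="C:\Users\victim\AppData\Local\Temp\ext" --no-first-run'),
}


@dataclass
class Finding:
    shortcut: str
    binary: str
    extension_paths: list = field(default_factory=list)
    user_writable: bool = False


def find_load_extension(args: str) -> list:
    """Return every path passed via --load-extension (Chromium accepts a comma-separated list)."""
    paths = []
    for m in _LOAD_EXT_RE.finditer(args):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        paths.extend(p.strip().strip('"') for p in value.split(",") if p.strip())
    return paths


def audit_shortcut(name: str, target: str, args: str):
    """Return a Finding if a Chromium browser shortcut sideloads an extension, else None."""
    binary = ntpath.basename(target).lower()
    if binary not in CHROMIUM_BINARIES:
        return None
    paths = find_load_extension(args)
    if not paths:
        return None
    writable = any(marker in p.lower() for p in paths for marker in USER_WRITABLE_MARKERS)
    return Finding(shortcut=name, binary=binary, extension_paths=paths, user_writable=writable)


def audit_shortcuts(shortcuts: dict) -> list:
    """Audit a mapping of shortcut name -> (target, args) and collect all findings."""
    findings = []
    for name, (target, args) in shortcuts.items():
        finding = audit_shortcut(name, target, args)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_shortcuts(SAMPLE_SHORTCUTS):
        severity = "HIGH" if f.user_writable else "MEDIUM"
        print(f"[{severity}] {f.shortcut}: {f.binary} sideloads {', '.join(f.extension_paths)}")
```

In practice the target and argument strings come from a LNK parser run over the user's Desktop, Start Menu and taskbar pinned shortcuts; a legitimate browser shortcut essentially never carries --load-extension, so any hit is worth a look, and a hit pointing into AppData or Temp is a strong signal.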
The operators behind the attacks are still unknown, but the researchers found a post on a hacker forum from March 2022 advertising the sale of a botnet with similar functionality. Since then, part of the malware's source code has been leaked publicly as a result of an unresolved payment dispute.
The report also notes that the C&C address found in the Rilide code led to GitHub repositories owned by a user named gulantin, which contain loaders for the malicious extension. Google's upcoming move to Manifest V3, which defines what extensions may and may not do, could make the attackers' work harder, but it is unlikely to solve the problem completely, since most of the functionality Rilide relies on will still work under it. The transition to Manifest V3, originally planned to begin in January 2023, was recently postponed again. Google has not given an exact timeline, but promises that extension developers will have enough time to migrate, at least six months.