
Rilide Info-stealer: A Serious Threat to Cryptocurrency Assets

Trustwave SpiderLabs has exposed a fresh variant of info-stealer malware, named Rilide, that specifically aims at Chromium-based browsers. This strain is capable of stealing cryptocurrency assets and monitoring users' browsing actions. Moreover, the researchers observed that cybercriminals have developed a Google Drive extension that appears authentic but conceals Rilide.

A pair of malicious campaigns

Two malicious campaigns were found deploying Rilide.
  • The first one delivers a malicious Microsoft Publisher file that is part of Ekipa RAT.
  • While the association between the threat actors using Ekipa RAT and Rilide remains unknown, researchers suspect that the former was used as a distribution method for the latter.
  • In the second campaign, the attackers shifted to using Aurora Stealer instead of Ekipa RAT.
  • This Go-based malware was found abusing Google Ads to distribute the Rilide info-stealer. Aurora was deployed via campaigns mimicking legitimate TeamViewer installers or NVIDIA driver installers.

Chromium-based browsers targeted

  • The info-stealer targets Google Chrome, Brave, Microsoft Edge, and Opera.
  • Once Rilide detects a Chromium-based browser, it employs a Rust loader to install a browser extension. The extension imitates a legitimate Google Drive extension and misuses multiple built-in functionalities of Chrome.
  • Additionally, the loader alters LNK shortcut files so that they launch the targeted browsers with the "--load-extension" parameter pointing at the installed Rilide extension.
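The shortcut tampering described above leaves a visible trace in process-creation telemetry: a Chromium-family browser starting with "--load-extension" aimed at a directory no one approved. The following detection logic is an added example, not code from the report or from Trustwave; the process records, the browser list and the allowlisted developer directory are constructed assumptions.

```python
import re

# Chromium-family browsers named in the report as Rilide targets
CHROMIUM_BROWSERS = {"chrome.exe", "brave.exe", "msedge.exe", "opera.exe"}

# Assumption: directories from which side-loaded extensions are tolerated (e.g. internal dev builds)
ALLOWED_EXTENSION_DIRS = ("C:\\Dev\\extensions\\",)

# --load-extension accepts "=value" or " value"; the value may be quoted and comma-separated
_LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def load_extension_paths(cmdline: str) -> list[str]:
    """Return every extension directory passed via --load-extension in a command line."""
    paths = []
    for quoted, bare in _LOAD_EXT_RE.findall(cmdline):
        paths.extend(p.strip() for p in (quoted or bare).split(",") if p.strip())
    return paths


def is_chromium_browser(image: str) -> bool:
    """True when the process image is one of the targeted Chromium-based browsers."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in CHROMIUM_BROWSERS


def suspicious_extension_loads(events):
    """Return (image, path) for browser launches side-loading an extension outside the allowlist."""
    allowed = tuple(d.lower() for d in ALLOWED_EXTENSION_DIRS)
    findings = []
    for image, cmdline in events:
        if not is_chromium_browser(image):
            continue
        for path in load_extension_paths(cmdline):
            if not path.lower().startswith(allowed):
                findings.append((image, path))
    return findings


# Constructed sample process-creation records (image path, command line); not real telemetry
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --load-extension="C:\\Users\\alice\\AppData\\Local\\Temp\\gdrive_ext"'),
    ("C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe",
     '"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe" --profile-directory=Default'),
    ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --load-extension=C:\\Dev\\extensions\\myext,C:\\Users\\bob\\AppData\\Roaming\\ext2'),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe --load-extension=C:\\irrelevant"),
]

if __name__ == "__main__":
    for image, path in suspicious_extension_loads(SAMPLE_EVENTS):
        print(f"ALERT: {image} side-loads an extension from {path}")
```

Pairing this with a periodic scan of LNK shortcut targets in user Start Menu and Desktop folders catches the modified shortcuts before the browser is next launched.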

Stealing and exfiltration

Rilide’s crypto exchange scripts automate withdrawals from the victim's accounts.
  • To obtain the 2FA code, the malware displays a fake device authentication dialog while the withdrawal request is submitted in the background.
  • If the user accesses their email through the same browser, the malware can intercept and swap out email confirmations.
  • As part of this scheme, the withdrawal confirmation email is rewritten to look like a device authorization request, which tricks the user into sharing the authorization code.

The bottom line

The discovery of Rilide info-stealer is crucial as it sheds light on an evolving trend of malicious browser extensions. While there have been instances of malware using such extensions in the past, Rilide stands out due to its ability to deceive users with fake dialogs and obtain 2FA, which enables it to carry out automatic cryptocurrency withdrawals in the background. As security experts recommend, remain vigilant when opening emails from unknown and untrusted sources.
Publisher: Cyware