
Rilide Stealer Evolves to Target Chrome Extension Manifest V3

A new version of Rilide Stealer has been discovered, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera to steal sensitive data and cryptocurrency. The updated version shares similarities with malware tracked as CookieGenesis.

Campaigns identified in the wild

  • Trustwave researchers identified over 1,300 phishing websites distributing the new version of Rilide Stealer alongside other malware families such as Bumblebee, IcedID, and Phorpiex.
  • These websites impersonated various entities, including banks, government services, software companies, delivery services, and crypto token airdrops.

What the campaigns look like

  • In one campaign, attackers leveraged a PowerPoint phishing lure and a fake Palo Alto GlobalProtect plugin to target corporate users.
  • Another campaign contained a fake P2E games installer advertised on Twitter that was used to drop Rilide and Redline Stealer.
  • A third campaign focused on banking users in Australia and the U.K., stealing cryptocurrencies from wallets by employing AngelDrainer scripts.

Malware updates

  • While it shares similarities with its predecessor discovered in April, the latest Rilide version exhibits a higher level of sophistication through code obfuscation and adaptation to the Chrome Extension Manifest V3.
  • It includes a new command called ‘screenshot_rules’, letting attackers capture screenshots of the active tab at regular intervals.
  • Another feature of the variant is the ability to exfiltrate stolen data such as credit card details to a Telegram channel.
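Capabilities like periodic tab screenshots and cookie theft are only possible when an extension holds the matching permissions, so one practical defensive check is to audit the manifest.json of installed extensions for risky permission combinations. The following Python script is an added example written for this summary, not code from Trustwave or from the Rilide samples; the two manifests inside it are constructed, and the permission sets it treats as sensitive are a defender's assumption rather than a list taken from the report. It handles both Manifest V2 (host patterns mixed into "permissions") and Manifest V3 (host patterns moved to "host_permissions").

```python
import json

# Assumption (not from the report): API permissions that let an extension observe
# or act on other sites' sessions. Tabs/activeTab plus broad host access is what
# chrome.tabs.captureVisibleTab needs to screenshot arbitrary pages.
SENSITIVE_PERMISSIONS = {
    "tabs", "activeTab", "cookies", "scripting", "webRequest", "debugger", "webNavigation",
}


def _is_broad_host(pattern):
    # "<all_urls>", "*://*/*", "http://*/*" and "https://*/*" all match every site.
    return pattern == "<all_urls>" or pattern.split("://", 1)[-1].startswith("*/")


def audit_manifest(manifest_text):
    """Return the extension name, manifest version and a list of risk findings."""
    m = json.loads(manifest_text)
    version = m.get("manifest_version")
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", []))
    if version == 2:
        # MV2 put host patterns in "permissions"; MV3 moved them to "host_permissions".
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
        perms -= hosts

    findings = []
    broad_hosts = sorted(h for h in hosts if _is_broad_host(h))
    broad = bool(broad_hosts)
    if broad:
        findings.append("broad host access: " + ", ".join(broad_hosts))
    sensitive = perms & SENSITIVE_PERMISSIONS
    if sensitive:
        findings.append("sensitive API permissions: " + ", ".join(sorted(sensitive)))
    # Combinations that map to the stealer behaviours described above.
    if broad and sensitive & {"tabs", "activeTab"}:
        findings.append("can screenshot any page (tabs/activeTab plus broad host access)")
    if broad and "cookies" in perms:
        findings.append("can read session cookies for every site")
    if broad and "scripting" in perms:
        findings.append("can inject scripts into every page")
    return {"name": m.get("name", "?"), "manifest_version": version, "findings": findings}


# Constructed sample manifests (not real extensions).
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Constructed benign example",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "background": {"service_worker": "bg.js"},
})

RISKY_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Constructed risky example",
    "permissions": ["tabs", "cookies", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})


if __name__ == "__main__":
    for text in (BENIGN_MANIFEST, RISKY_MANIFEST):
        result = audit_manifest(text)
        print(f"{result['name']} (MV{result['manifest_version']}):")
        for finding in result["findings"] or ["no findings"]:
            print("  -", finding)
```

In practice you would point audit_manifest at each manifest.json under the browser's Extensions directory and triage anything with a screenshot or cookie finding; a legitimate extension that needs these permissions should be known to the organisation, and an unknown one carrying them is exactly the profile a Rilide-style stealer must have in order to work.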

Conclusion

It’s worth noting that the source code of the Rilide extension was leaked in February, raising the possibility that threat actors other than the original group are picking up the development efforts. Meanwhile, organizations are advised to leverage the IOCs and understand the nature and attack scope of the latest version in order to deploy the required security measures.
Publisher: Cyware