Carding
Professional
Hackers launched several large-scale malicious campaigns at once with sophisticated social engineering methods.
Cybersecurity researchers have discovered a new version of malware called Rilide that targets Chromium-based web browsers to steal sensitive data and cryptocurrencies.
The Rilide stealer was first documented by Trustwave in April of this year. When first discovered, Rilide posed as legitimate extensions to Google Drive, but was capable of stealing a range of sensitive user information.
The malware is being sold on shady forums by a hacker named "friezer" for $5,000. According to the researchers, Rilide demonstrates a high level of sophistication thanks to its modular architecture, code obfuscation, and support for the Chrome Extension Manifest V3.
The malware has a wide range of features that allow it to disable other browser extensions, collect history and cookies, steal credentials, take screenshots, and even inject malicious scripts to steal funds from various crypto exchanges.
The updated version also switched to using the Chrome Extension Manifest V3, a controversial API introduced by Google to restrict extension access. “From a security point of view, one of the key innovations is the ban on loading remote JavaScript code for extensions and executing arbitrary strings,” the researchers explain. However, this did not stop the developers of Rilide, and they completely rewrote the main features of the malware using built-in events to run malicious JavaScript code.
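The restriction quoted above is enforced through the extension manifest, so the declared permissions are where a defender can see, before installation, whether an extension is even able to do what the article attributes to this stealer (disable other extensions, read history and cookies, capture the screen, inject scripts). The following auditor is an added example written for this post; it is not code from the article or from Trustwave. The permission and manifest key names are Chrome's, the mapping from permission to capability and the risk thresholds are this example's own heuristics, and both sample manifests are constructed, not taken from any real extension.

```python
import json
from pathlib import Path

# Permissions that, taken together, give an extension the capabilities the article
# describes. The descriptions are this example's summaries of what Chrome grants.
RISKY_PERMISSIONS = {
    "management": "can disable or uninstall other extensions",
    "cookies": "can read cookies for any host it holds access to",
    "history": "can read browsing history",
    "tabs": "can enumerate tabs (and, with host access, capture the visible tab)",
    "scripting": "can inject scripts into pages (the MV3 route to running code in a tab)",
    "webRequest": "can observe network requests",
}
# Host patterns that grant access to every website.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return the declared capabilities worth a closer look and a coarse risk level."""
    findings = []
    version = manifest.get("manifest_version")
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if version != 3:
        # MV2 manifests list host patterns inside "permissions", not "host_permissions".
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

    for perm in sorted(perms & RISKY_PERMISSIONS.keys()):
        findings.append(f"permission '{perm}': {RISKY_PERMISSIONS[perm]}")
    if hosts & BROAD_HOSTS:
        findings.append("host permissions cover every website")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            findings.append(f"content script {script.get('js')} runs on every website")
            break

    # MV3 stores the CSP as an object, MV2 as a string. Either way, eval or remote
    # script sources undo the restriction the article quotes.
    csp = manifest.get("content_security_policy", "")
    csp_text = json.dumps(csp) if isinstance(csp, dict) else csp
    if "unsafe-eval" in csp_text or "http" in csp_text:
        findings.append("content_security_policy relaxes script-src (eval or remote sources)")

    # Thresholds are a heuristic of this example, not a Chrome rule.
    risk = "high" if len(findings) >= 3 else "medium" if findings else "low"
    return {"name": manifest.get("name", "<unnamed>"), "manifest_version": version,
            "risk": risk, "findings": findings}


def audit_manifest_file(path: str) -> dict:
    """Audit an unpacked extension directory or a manifest.json path."""
    p = Path(path)
    if p.is_dir():
        p = p / "manifest.json"
    return audit_manifest(json.loads(p.read_text(encoding="utf-8")))


# Constructed sample manifests for demonstration (not real extensions).
BENIGN_MANIFEST = {
    "name": "Notes Sidebar", "manifest_version": 3,
    "permissions": ["storage"], "host_permissions": ["https://notes.example.com/*"],
}
SUSPICIOUS_MANIFEST = {
    "name": "Drive Helper", "manifest_version": 3,
    "permissions": ["storage", "management", "cookies", "history", "tabs", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        print(json.dumps(audit_manifest(m), indent=2))
```

Run it against an unpacked extension directory with `audit_manifest_file("/path/to/extension")`; a sideloaded "helper" extension that asks for `management`, `cookies`, `history` and `scripting` together with `<all_urls>` is exactly the shape to escalate, whatever name it carries.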
One of the identified campaigns targeted several banks, payment service providers, email services, crypto exchange platforms, VPNs and cloud service providers through a range of delivery scenarios, primarily aimed at users in Australia and the United Kingdom.
Analysts have identified more than 1,500 phishing pages using misspelled domains, promoted through SEO poisoning on trusted search engines, and posing as banks and service providers to trick victims into entering their credentials in phishing forms.
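Misspelled lookalike domains can be caught on the defender's side by comparing newly seen domains (from DNS or proxy logs, or a newly registered domain feed) against the brands an organization protects. The classifier below is an added example for this post, not code from the article or from Trustwave: the brand list and candidate domains are constructed, and the homoglyph table, the two-part suffix list and the distance threshold are this example's own heuristics rather than any published rule.

```python
# Characters commonly substituted in lookalike domains (a heuristic of this example).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Minimal stand-in for a public suffix list, enough for the samples below.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "net.au"}


def normalize_label(label: str) -> str:
    """Fold digit/letter swaps and multi-letter lookalikes (rn -> m) into one form."""
    label = label.lower().translate(HOMOGLYPHS)
    for pair, single in (("rn", "m"), ("vv", "w"), ("cl", "d")):
        label = label.replace(pair, single)
    return label


def registrable_label(domain: str) -> str:
    """Return the label directly left of the (two-part or one-part) public suffix."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: an adjacent transposition costs one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_domain(candidate: str, brands, max_distance: int = 2):
    """Return (verdict, matched_brand); verdict names the kind of imitation found."""
    cand = candidate.lower().strip(".")
    label = registrable_label(cand)
    norm = normalize_label(label)
    for brand in brands:
        brand = brand.lower()
        blabel = registrable_label(brand)
        bnorm = normalize_label(blabel)
        if cand == brand or cand.endswith("." + brand):
            return ("legitimate", brand)          # the brand's own domain or a subdomain
        if label == blabel:
            return ("tld-swap", brand)            # same name under another suffix
        if norm == bnorm:
            return ("homoglyph", brand)           # e.g. a '1' standing in for 'l'
        # Short brand names produce too many near misses, so require some length.
        if len(bnorm) >= 5 and edit_distance(norm, bnorm) <= max_distance:
            return ("typosquat", brand)
        if bnorm in norm:
            return ("combosquat", brand)          # brand plus extra words, e.g. '-secure'
    return ("unrelated", None)


def flag_domains(candidates, brands):
    """Return (domain, verdict, brand) for every candidate that imitates a brand."""
    flagged = []
    for c in candidates:
        verdict, brand = classify_domain(c, brands)
        if verdict not in ("legitimate", "unrelated"):
            flagged.append((c, verdict, brand))
    return flagged


# Constructed sample data: fictitious protected brands and observed domains.
PROTECTED_BRANDS = ["examplebank.com", "examplepay.co.uk"]
SAMPLE_CANDIDATES = [
    "examplebank.com", "login.examplebank.com", "examplepay.co.uk",
    "examp1ebank.com", "exampelbank.com", "examplebank-secure.com",
    "examplebank.net", "examplepay-verify.co.uk", "weather.example.org",
]

if __name__ == "__main__":
    for row in flag_domains(SAMPLE_CANDIDATES, PROTECTED_BRANDS):
        print(row)
```

The verdict is meant to drive triage, not to block on its own: a `homoglyph` or `typosquat` hit on a protected brand is a strong candidate for a takedown request or a proxy block, while `combosquat` hits need a human look because legitimate partner sites sometimes embed a brand name.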
In another case, users are infected through phishing emails purporting to advertise VPN or firewall applications, such as the GlobalProtect application from Palo Alto Networks.
During this campaign, Trustwave uncovered a PowerPoint presentation aimed at Zendesk employees that masquerades as an official security advisory and urges users to install the extension.
This presentation includes slides warning that attackers are impersonating GlobalProtect to distribute malware and provides instructions for employees to follow to install the correct software.
However, this is actually a social engineering ploy to trick the target user into installing the malicious Rilide extension instead.
Finally, Trustwave has discovered a campaign launched on Twitter that leads victims to phishing sites for fake games on the P2E (play to earn) blockchain. However, the installers on these sites instead install the Rilide extension, which allows attackers to steal victims' cryptocurrency wallets.
Chains of infection for three Rilide malware campaigns
Trustwave promises to continue to monitor the situation and keep the public informed of new findings in a timely manner. Experts advise users to be careful when installing unverified browser extensions, use strong passwords and two-factor authentication, and install antivirus to protect against such threats.
