The Chromium-based threat was uncovered by Trustwave SpiderLabs.
Rilide, a new strain of malware, is in active use.
A new strain of Chromium-based browser malware, “Rilide,” has been uncovered by Trustwave SpiderLabs. In a 4 April blog post, SpiderLabs wrote: “Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.”
Rilide has a history in at least two criminal campaigns.
Rilide has been found by SpiderLabs in at least two malware campaigns since April 2022. The first involved the Ekipa RAT (remote access Trojan), malware that used Microsoft Publisher files and relied on the user ignoring a warning pop-up and executing a macro. SpiderLabs notes, “Microsoft Publisher was not affected by Microsoft's decision to block macros from executing files downloaded from the Internet.” The second appears to use Google Ads, disguising the malware as legitimate TeamViewer installers or an NVIDIA drivers installer. This activity has been reported by Cyble, @IZRR4H, and @malwrhunterteam as well as SpiderLabs.
Malware that automates cryptocurrency withdrawals.
SpiderLabs explains that Rilide features an automatic cryptocurrency withdrawal feature that works as follows:
- A withdrawal request is made in the background.
- Rilide forges a device authentication dialog that tricks the user into supplying their two-factor authentication (2FA) code.
- It switches out withdrawal request emails with device authorization emails to mask the withdrawals and trick the user into giving the malware their authorization codes.
SpiderLabs concludes, “The Rilide stealer is a prime example of the increasing sophistication of malicious browser extensions and the dangers they pose… upcoming enforcement of manifest v3 (the new Google API that governs how Chrome extensions interact with the browser) is unlikely to solve the issue entirely as most of the functionalities leveraged by Rilide will still be available.” The researchers recommend vigilance and skepticism with respect to unsolicited communications and Internet content generally.