Cybersecurity researchers have discovered a dangerous new malware called Rilide that specifically targets Chromium-based web browsers, presenting a significant threat to users’ sensitive data and cryptocurrency holdings. The malware showcases a higher level of sophistication with its modular design, code obfuscation, and adaptation to the Chrome Extension Manifest V3.
Moreover, it possesses advanced features, such as exfiltrating stolen data to a Telegram channel and capturing screenshots at regular intervals. Trustwave security researcher Pawel Knapczyk reported that the malware was first documented in April 2023 and is being sold on dark web forums by an actor known as “friezer” for a hefty price of $5,000.
Rilide is capable of deploying rogue browser extensions through two different attack chains that utilize Ekipa RAT and Aurora Stealer. These malicious extensions enable data theft and cryptocurrency pilferage, giving the threat actors control over browsing history, cookies, and login credentials, as well as the ability to inject malicious scripts that withdraw funds from cryptocurrency exchanges. The updated version of Rilide adopts the controversial Chrome Extension Manifest V3, which restricts extensions’ ability to execute remotely hosted JavaScript, and this forced a complete refactor of the malware’s core capabilities. Instead of loading remote scripts, Rilide employs inline events to execute its malicious JavaScript code.
To propagate the malware, Rilide impersonates Palo Alto Networks’ GlobalProtect app, deceiving unsuspecting users into installing the malicious extension in three different campaigns. The attacks are specifically aimed at users in Australia and the U.K., and the threat actors employ vishing tactics to guide potential targets into installing the malware through bogus landing pages that host legitimate AnyDesk remote desktop software. Additionally, Rilide uses a PowerShell loader to modify the browser’s Secure Preferences file, ensuring the extension remains permanently loaded.
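The persistence trick above (rewriting the browser’s Secure Preferences so a sideloaded extension stays enabled) is something a defender can audit for. The following is an added example, not code from the original report or from Trustwave: it parses a constructed Secure Preferences fragment and flags enabled extensions that were not installed from the Chrome Web Store. The JSON layout follows Chromium’s preference format (`extensions.settings`, `from_webstore`, `location`, `state`, `manifest.update_url`) as I understand it; the extension ids, names and paths are made up.

```python
import json

# Constructed sample of the "extensions.settings" section of a Chromium Secure
# Preferences file. Layout assumed from Chromium's preference format; the ids,
# names and paths below are invented for this example.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,            # 1 = installed normally (store)
                "state": 1,               # 1 = enabled
                "manifest": {"name": "Legit Store Extension", "manifest_version": 3,
                             "update_url": "https://clients2.google.com/service/update2/crx"},
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": 4,            # 4 = unpacked, loaded from a directory
                "state": 1,
                "manifest": {"name": "GlobalProtect", "manifest_version": 3},
                "path": "C:\\Users\\Public\\gp\\",
            },
        }
    },
    "protection": {"macs": {}},
})

# Install locations a fleet admin would normally expect (Chromium enum values):
# 1 internal/store, 5 component, 9 external policy, 10 external component.
EXPECTED_LOCATIONS = {1, 5, 9, 10}

def suspicious_extensions(secure_prefs_json):
    """Return (id, name, reasons) for enabled extensions whose origin is not the store."""
    prefs = json.loads(secure_prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if entry.get("state") != 1:       # skip disabled extensions; they do not run
            continue
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Chrome Web Store")
        if entry.get("location") not in EXPECTED_LOCATIONS:
            reasons.append(f"unexpected install location {entry.get('location')}")
        manifest = entry.get("manifest", {})
        if "update_url" not in manifest:
            reasons.append("no update_url (sideloaded or unpacked)")
        if reasons:
            findings.append((ext_id, manifest.get("name", "?"), reasons))
    return findings

if __name__ == "__main__":
    for ext_id, name, reasons in suspicious_extensions(SAMPLE_SECURE_PREFS):
        print(f"{ext_id} ({name}): {'; '.join(reasons)}")
```

On a real host, run it against each profile’s Secure Preferences file and compare against a known-good baseline; an extension that appears enabled here but is absent from the Web Store and from policy is worth a closer look.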
Further analysis of the malware’s command-and-control (C2) domain reveals connections to a larger pool of websites associated with the distribution of various other malware strains, including Bumblebee, IcedID, and Phorpiex. The potential for other threat actors to have picked up the development efforts of Rilide is also a concern, as the malware’s source code was leaked in February 2023.
This discovery highlights the pressing need for vigilant cybersecurity measures and emphasizes the importance of staying updated on the latest security patches and practices to protect against evolving threats like Rilide.