Cybersecurity researchers from Trustwave Spiderlabs have discovered an updated version of the infamous Rilide Stealer, a malicious Google Chrome extension capable of stealing people’s credentials, bank accounts, and cryptocurrencies stored in wallet add-ons.
The extension works on Chromium-based browsers, including Chrome, Edge, Brave, and Opera. While malicious extensions are nothing new, the distribution method for this particular version is somewhat original.
According to the researchers’ report, the threat actors sent phishing emails impersonating VPN products and firewall service providers, such as Palo Alto’s GlobalProtect app. The emails warned recipients of a cyberthreat lurking in the wild and pointed them to a PowerPoint presentation with guidance on installing the supposedly legitimate extension to secure their endpoints. However, the links in the PowerPoint presentation led directly to the malware.
Bypassing Chrome Extension Manifest V3
If victims fall into the trap and install Rilide, the malware targets multiple banks, payment providers, email service providers, cryptocurrency exchange platforms, VPNs and cloud service providers, BleepingComputer reports. The malware works by using injection scripts and mainly targets users residing in Australia and the United Kingdom.
The new version of the malware is also interesting because it successfully bypasses Chrome Extension Manifest V3 – Google’s newly introduced extension restrictions that were supposed to protect users from malicious add-ons.
The stolen data is then exfiltrated to a Telegram channel or delivered via screenshots to a predetermined C2 server.
The researchers are not sure who is behind this campaign, as Rilide is a commodity malware sold on hacker forums and most likely used in various campaigns. In this particular case, the attackers generated over 1,500 phishing pages (with typosquatted domains) and promoted them via SEO poisoning on trusted search engines. They also pretended to be banks and service providers to get victims to type in their credentials.
Twitter is also being misused for the campaign, luring people to phishing websites for fraudulent play-to-earn blockchain games.
Via BleepingComputer