Hackers use Rilide browser extension to bypass 2FA, steal crypto

Hackers use Rilide browser extension to bypass 2FA, steal crypto

Security researchers discovered a new malicious browser extension called Rilide, that targets Chromium-based products like Google Chrome, Brave, Opera, and Microsoft Edge.

The malware is designed to monitor browser activity, take screenshots, and steal cryptocurrency through scripts injected in web pages.

Researchers at Trustwave SpiderLabs found that Rilide mimicked benign Google Drive extensions to hide in plain sight while abusing built-in Chrome functionalities.

The cybersecurity company detected two separate campaigns that distributed Rilide. One was using Google Ads and Aurora Stealer to load the extension using a Rust loader. The other one distributed the malicious extension using the Ekipa remote access trojan (RAT).

Two campaigns pushing Rilide
Two campaigns pushing Rilide (Trustwave)

While the origin of the malware is unknown, Trustwave reports that it has overlaps with similar extensions sold to cybercriminals. At the same time, portions of its code were recently leaked on an underground forum due to a dispute between cybercriminals over unresolved payment.

A parasite in the browser

Rilide’s loader modifies the web browser shortcut files to automate the execution of the malicious extension that is dropped on the compromised system.

Malicious extension on Edge
Malicious extension on Edge (Trustwave)

Upon execution, the malware runs a script to attach a listener that monitor when the victim switches tabs, receives web content, or webpages finish loading. It also checks if the current site matches a list of targets available from the command and control (C2) server.

If there’s a match, the extension loads additional scripts injected into the webpage to steal from the victim information related to cryptocurrencies, email account credentials, etc.

The extension also disables ‘Content Security Policy,’ a security feature designed to protect against cross-site scripting (XSS) attacks, to freely load external resources that the browser would normally block.

In addition to the above, the extension regularly exfiltrates browsing history and can also capture screenshots and send them to the C2.

Capabilities graph
Rilide’s capabilities graph (Trustwave)

Bypassing two-factor authentication

An interesting feature in Rilide is its 2FA-bypassing system, which uses forged dialogs to deceive victims into entering their temporary codes.

The system is activated when the victim initiates a cryptocurrency withdrawal request to an exchange service that Rilide targets. The malware jumps in at the right moment to inject the script in the background and process the request automatically.

Once the user enters their code on the fake dialog, Rilide uses it to complete the withdrawal process to the threat actor’s wallet address.

“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser,” explains Turstwave in the report.

“The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code.”

Replacing the email while extracting the 2FA code
Replacing the legitimate email (right) while extracting the 2FA code (Trustwave)

Rilide showcases the growing sophistication of malicious browser extensions that now come with live monitoring and automated money-stealing systems.

While the roll-out of Manifest v3 on all Chromium-based browsers will improve resistance against malicious extensions, Trustwave comments that it won’t eliminate the problem.

Original Source

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

 To keep up to date follow us on the below channels.