Rilide Stealer Targets the Chromium Platform
A new malware known as Rilide has been discovered, which targets Chromium-based web browsers.
This malware disguises itself as a legitimate Google Drive extension to gather sensitive information and siphon cryptocurrency. Trustwave SpiderLabs Research revealed that Rilide enables malicious actors to carry out several harmful activities such as taking screenshots, monitoring browsing history, and injecting harmful scripts to withdraw funds from various cryptocurrency exchanges. This stealer malware can also deceive users by displaying fake dialogs to extract a two-factor authentication code to withdraw digital assets.
Two campaigns, Ekipa RAT and Aurora Stealer, were identified by Trustwave as being responsible for installing the malicious browser extension. Ekipa RAT is spread via booby-trapped Microsoft Publisher files, while Aurora Stealer is delivered through rogue Google Ads. Both attacks use a Rust-based loader to modify the browser's LNK shortcut file and launch the add-on using the "--load-extension" command line switch. The exact origins of Rilide remain unknown, but an underground forum post advertising the sale of a botnet with similar functionalities was discovered by Trustwave in March 2022.
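A defender can hunt for the shortcut tampering described above. The following PowerShell script is an added example, not code from the Trustwave report; it walks the common shortcut locations (assumed paths, including pinned taskbar items under Quick Launch) and flags Chromium-browser .lnk files whose arguments carry the "--load-extension" switch, reporting the shortcut, its target, its arguments and its last modification time.

```powershell
# Added example (not from the Trustwave report): hunt for browser shortcuts
# that have been rewritten to side-load an extension via --load-extension.
$shell = New-Object -ComObject WScript.Shell

# Assumed shortcut locations: per-user and all-users Desktop and Start Menu,
# plus Quick Launch (which also holds pinned taskbar shortcuts).
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonPrograms'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)

# Chromium-based browser executables to inspect (list is an assumption).
$browsers = 'chrome.exe', 'msedge.exe', 'brave.exe', 'opera.exe', 'vivaldi.exe', 'chromium.exe'

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { $lnk = $shell.CreateShortcut($_.FullName) } catch { return }
            $exe = [IO.Path]::GetFileName([string]$lnk.TargetPath).ToLower()
            if ($browsers -notcontains $exe) { return }
            # Match "--load-extension=<path>" or "--load-extension <path>".
            if ($lnk.Arguments -match '--load-extension(=|\s)') {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Modified  = $_.LastWriteTime
                }
            }
        }
}

if ($findings) { $findings | Format-List }
else { 'No browser shortcuts with --load-extension found.' }
```

A hit is not proof of infection on its own (developers load unpacked extensions the same way), so confirm by inspecting the extension directory the argument points to and the shortcut's modification time against the user's activity.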
Some of the malware's source code has been leaked on forums, revealing the ability to swap cryptocurrency wallet addresses in the clipboard with an actor-controlled address hard-coded in the sample.
What Are Crypto and Infostealers?
Cryptostealers and infostealers are types of malware designed to steal information from victims' devices.
A cryptostealer, as the name suggests, is a type of malware that focuses on stealing cryptocurrency. These malicious programs can steal the victim's cryptocurrency wallet credentials or private keys, allowing the attacker to gain access to the victim's funds. Cryptostealers can also monitor the victim's clipboard to replace cryptocurrency wallet addresses with the attacker's own address, diverting funds to the attacker's wallet instead.
Infostealers, on the other hand, are malware designed to steal a wide range of sensitive information from the victim's device. They can capture login credentials, personal information, banking details, and other sensitive data. Infostealers can also capture screenshots and record keystrokes, allowing the attacker to monitor the victim's activities and steal any sensitive data they enter.
Both cryptostealers and infostealers can be distributed through phishing emails, malicious downloads, or by exploiting vulnerabilities in software. To protect against these threats, use anti-malware software, keep software up to date, and avoid clicking on suspicious links or downloading attachments from unknown sources.