Researchers have discovered a new infostealer, dubbed Rilide, that specifically targets Chromium-based browsers. The malware steals cryptocurrency assets and monitors the victim's browsing activity.
According to the reports, the threat actors built a malicious browser extension that impersonates a legitimate Google Drive extension in order to disguise the infostealer.
At least two cybercriminal operations have used the Rilide infostealer.
The first delivered Rilide through a weaponised Microsoft Publisher file associated with the Ekipa RAT. Researchers noted that the operators behind the two malware families remain unidentified, but they suspect the Ekipa RAT serves as a delivery vector for Rilide.
The second operation relies on the Aurora stealer instead of the RAT. Aurora is written in Go, and its operators abused Google Ads to distribute the Rilide infostealer.
In that campaign, the threat actors delivered Rilide through fake installers that impersonate legitimate NVIDIA driver or TeamViewer packages.
Both campaigns target popular Chromium-based browsers, including Google Chrome, Brave, Opera, and Microsoft Edge. Once Rilide detects a Chromium-based browser on the host, a Rust-based loader installs the malicious extension.
The extension spoofs a legitimate Google Drive extension and abuses several built-in Chrome capabilities.
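As an added example (not the researchers' tooling and not taken from the report), the following Python script shows one way a responder could triage the extensions installed in a Chromium profile for the pattern described above: an extension that calls itself Google Drive but was not installed from the Chrome Web Store, and that asks for permissions broad enough to read and rewrite pages such as webmail or an exchange's site. The two manifests are constructed samples; the profile directory layout and the Web Store `update_url` are standard Chrome facts, and the set of permissions treated as "risky" is this example's own choice.

```python
"""Triage Chromium extension manifests for an extension posing as Google
Drive that was not installed from the Chrome Web Store and that can read
or rewrite arbitrary pages.

Added example; not the researchers' tooling. The two sample manifests
below are constructed, not taken from any real extension."""
import json
import os
import sys
from typing import Iterator, List, Tuple

# Every extension installed from the Chrome Web Store carries this update_url;
# a sideloaded extension (loaded from a local folder) normally does not.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# API permissions that let an extension observe or modify page content and
# network traffic (this set is the example's choice, not an official list).
RISKY_API_PERMISSIONS = {"webRequest", "webRequestBlocking", "scripting",
                         "tabs", "cookies", "declarativeNetRequest"}

BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> set:
    """Collect every host match pattern the extension declares."""
    patterns = set(manifest.get("host_permissions", []))      # MV3
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    # MV2 manifests mix host patterns into "permissions".
    patterns.update(p for p in manifest.get("permissions", [])
                    if "://" in p or p == "<all_urls>")
    return patterns


def triage(manifest: dict) -> List[str]:
    """Return the findings for one manifest (empty list = nothing notable)."""
    findings = []
    name = manifest.get("name", "")
    if "google drive" in name.lower() \
            and manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("claims to be Google Drive but is not Web Store managed")

    risky = sorted(set(manifest.get("permissions", [])) & RISKY_API_PERMISSIONS)
    if risky:
        findings.append("risky API permissions: " + ", ".join(risky))

    broad = sorted(host_patterns(manifest) & BROAD_HOST_PATTERNS)
    if broad:
        findings.append("can run on every site: " + ", ".join(broad))
    return findings


def scan_profile(extensions_dir: str) -> Iterator[Tuple[str, str, List[str]]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (Chrome's layout)
    and yield (extension id, version, findings) for each manifest found."""
    for ext_id in sorted(os.listdir(extensions_dir)):
        id_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            path = os.path.join(id_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    yield ext_id, version, triage(json.load(fh))


# Constructed samples: a Web Store-managed extension with a narrow scope, and
# a sideloaded look-alike with the permissions a page-rewriting stealer needs.
LEGIT_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Drive Helper (sample)",
    "version": "1.0",
    "update_url": WEBSTORE_UPDATE_URL,
    "permissions": ["storage"],
    "host_permissions": ["https://drive.google.com/*"],
}

FAKE_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Drive",
    "version": "1.0",
    "permissions": ["storage", "tabs", "scripting", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    for label, manifest in (("legit", LEGIT_MANIFEST), ("fake", FAKE_MANIFEST)):
        print(label, triage(manifest) or ["nothing notable"])
    # Optional: pass a real Extensions folder, e.g. on Windows
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
    # (assumption: default install location).
    if len(sys.argv) > 1:
        for ext_id, version, findings in scan_profile(sys.argv[1]):
            if findings:
                print(ext_id, version, findings)
```

Two caveats when using this on a live host: an extension loaded from a local folder with Chrome's `--load-extension` switch is not copied into the profile's `Extensions` directory, so also inspect browser shortcuts and process command lines (and `chrome://extensions` with developer mode on) for unpacked extensions; and legitimate extensions such as password managers also request broad host access, so the permission findings are a prioritisation aid, not a verdict.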
Rilide's scripts for cryptocurrency exchanges automate withdrawals. While a withdrawal request is submitted in the background, the malware shows the victim a fake device-authentication dialogue.
When the victim opens their email in the compromised browser, the malware intercepts the exchange's confirmation messages and rewrites them, so that the withdrawal-confirmation email appears to be a device-authorisation prompt. Believing they are authorising a new device, the victim enters the authorisation code into the fake dialogue, handing it to the attackers.
The emergence of Rilide shows how infostealers are evolving. Its distinguishing feature is the use of fake dialogues to capture 2FA codes, which lets the threat actors complete automated cryptocurrency withdrawals without the victim noticing.
Users should be vigilant when opening files attached to emails from unsolicited or untrusted sources, and should treat unexpected device-authorisation prompts with suspicion, checking any pending withdrawal activity directly on the exchange's website rather than through an emailed link or an in-browser dialogue.