Rilide malware adapts to Manifest V3 to steal information

September 7, 2023
Rilide Malware Manifest V3 InfoSteal Infosec Cryptocurrency

Researchers uncovered a new version of Rilide malware that could target Chromium-based browsers to steal sensitive information and crypto assets.

The malware developers equipped the latest version with capabilities that let it turn off other browser extensions, collect browsing history and login credentials, capture screenshots, and inject malicious scripts to withdraw funds from different cryptocurrency exchanges.

The updated version also shows similarities to a malware strain called CookieGenesis. Threat actors could deploy both payloads as extensions that bypass Chrome Extension Manifest V3, a controversial API change endorsed by Google that aims to curb the access granted to extensions.

A security improvement in the new API is that extensions can no longer load remote JavaScript code or execute arbitrary strings as code.


The Rilide malware adapted to Google’s changes and continued its operations.


Experts explained that the Rilide malware developers revamped their core capabilities by using inline events to run malicious JavaScript code.

A recent investigation showed that two Rilide samples in the wild have been impersonating a security company's app to trick unsuspecting users into installing the malware, as part of three different cybercriminal campaigns.

One instance of the recent campaign exclusively targets users in the United Kingdom and Australia. Analysts suspect threat actors leverage fake landing pages that host legitimate AnyDesk remote desktop software. They use vishing strategies to lure potential targets into installing the malicious apps and then utilise the remote access to launch the malware.

Another meaningful change to the cybercriminal operation is the use of a PowerShell loader that persistently alters the browser's Secure Preferences file so the browser loads the malicious extension.
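Because the persistence described above lives in the profile's Secure Preferences file, a defender can triage that file offline for sideloaded extensions. The following is an added example, not code from the original article or from any analysed sample; the JSON keys (`extensions.settings`, `from_webstore`, `location`, `path`, `manifest`) are Chrome's, while the two numeric location codes are assumed from Chromium's ManifestLocation enum and the sample data is constructed.

```python
import json
import os

# Chrome "Secure Preferences" location codes, assumed from Chromium's
# ManifestLocation enum; only the two values this check needs are listed.
LOCATION_UNPACKED = 4
LOCATION_COMMAND_LINE = 8

def suspicious_extensions(secure_prefs: dict) -> list:
    """Flag extensions not installed from the Web Store, loaded unpacked or
    via the command line, or whose install path is absolute (sideloaded)."""
    findings = []
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        reasons = []
        if entry.get("from_webstore") is False:
            reasons.append("not from Web Store")
        if entry.get("location") in (LOCATION_UNPACKED, LOCATION_COMMAND_LINE):
            reasons.append("unpacked or command-line load")
        path = entry.get("path", "")
        # Web Store installs use a relative "<id>\\<version>" path; a drive or
        # root-anchored path means the extension lives outside the profile.
        if os.path.isabs(path) or (len(path) > 1 and path[1] == ":"):
            reasons.append("absolute path " + path)
        if reasons:
            name = entry.get("manifest", {}).get("name", "<unknown>")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings

def audit_file(path: str) -> list:
    """Run the check against a real Secure Preferences file (read-only)."""
    with open(path, encoding="utf-8") as fh:
        return suspicious_extensions(json.load(fh))

# Constructed sample: one Web Store extension and one sideloaded entry.
SAMPLE_SECURE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "manifest": {"name": "Legit Extension", "manifest_version": 3}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4,
        "path": "C:\\Users\\Public\\ext",
        "manifest": {"name": "Fake Security App", "manifest_version": 3}},
}}}

if __name__ == "__main__":
    for f in suspicious_extensions(SAMPLE_SECURE_PREFS):
        print(f["id"], f["name"], "; ".join(f["reasons"]))
```

Run it against a copied profile rather than the live one; Chrome protects this file with a MAC, so the check reads it and never writes it back.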

Furthermore, the researchers analysed the campaign's command-and-control domain. Based on the registrant information, the operation has a larger pool of websites, most of which serve other malware strains, such as Bumblebee, Phorpiex, and IcedID.

It is essential to consider that the source code of the Rilide extension became publicly available last February. Therefore, there is a possibility that other threat actors have acquired the source code, modified it, and used it for a separate campaign.
