Rilide: extension that steals cryptocurrencies


Rilide is a fake Google Drive extension for Chromium-based browsers that can steal cryptocurrency, intercepting the 2FA code along the way.


Trustwave researchers have discovered a malicious extension for Chromium-based browsers that reads browsing history, takes screenshots, and steals cryptocurrency through scripts injected into web pages. Rilide is distributed through two separate campaigns and disguised as a Google Drive add-on. Fortunately, the malware is detected and blocked by most antivirus programs.


Rilide bypasses two-factor authentication

Trustwave experts have identified two ways Rilide is deployed. The first uses a Microsoft Publisher file containing a macro that downloads the Ekipa RAT, which in turn fetches the Rilide loader. The second uses the Aurora info-stealer (distributed through infected sites promoted with Google Ads) to download the malware.

The loader installs the fake extension in Chromium-based browsers (Chrome, Edge, Brave and Opera). Rilide then injects its own scripts into pages and loads external resources from the attackers' infrastructure. A script running in the background fetches a list of target domains from the command and control (C2) server; when the user visits one of those domains, the malware injects code into the page that lets the attackers steal credentials and cryptocurrency.

When the unsuspecting victim withdraws cryptocurrency, Rilide intercepts the two-factor authentication (2FA) code request; the criminals then use that code to confirm the transaction, and the funds end up in a wallet they control.

Trustwave notes that the upcoming Manifest V3 for extensions should reduce this risk, but it will not completely eliminate this class of issue.
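As an added example written for this page (not Trustwave's tooling and not Rilide's actual manifest), the following Node.js script triages an unpacked extension's manifest.json for the capabilities an extension of the kind described above needs: history and tab access, host permissions covering every site, content scripts injected into every page, and a Manifest V2 content security policy that allows eval or remotely hosted scripts (the remote-code loading that Manifest V3 restricts). Both sample manifests are constructed for the example, and the check that a "Google"-branded extension lacks a Chrome Web Store update_url is a heuristic assumed here, not a rule from the report.

```javascript
// Added example for this page: heuristic triage of a Chromium extension manifest.
// Not Rilide's real manifest and not Trustwave's code; the manifests are constructed.

// API permissions an info-stealing extension would need (history access,
// tab enumeration/screenshots, arbitrary script injection, traffic interception).
const SENSITIVE_PERMISSIONS = new Set([
  "history", "tabs", "activeTab", "scripting",
  "webRequest", "webRequestBlocking", "cookies", "clipboardRead",
]);

// True when a match pattern covers every host: "<all_urls>" or "scheme://*/...".
function isBroadMatch(pattern) {
  if (pattern === "<all_urls>") return true;
  return /^(\*|https?):\/\/\*\//.test(pattern);
}

// Chrome Web Store installs carry this update_url; sideloaded extensions usually do not.
const WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx";

function triageManifest(manifest) {
  const findings = [];
  const mv = manifest.manifest_version;
  if (mv !== 3) {
    findings.push(`manifest_version ${mv}: MV2 permits remotely hosted code (scripts fetched from a C2 at runtime)`);
  }
  // MV2 mixes host patterns and API permissions in "permissions";
  // MV3 moves host patterns into "host_permissions". Check both.
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push(`sensitive permission: ${p}`);
    else if (isBroadMatch(p)) findings.push(`broad host permission: ${p}`);
  }
  // Content scripts matching every site are how injected code reaches victim pages.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadMatch(m)) findings.push(`content script injected into all sites: ${m}`);
    }
  }
  // MV2 CSP is a string; MV3 uses an object with "extension_pages".
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  if (/'unsafe-eval'/.test(cspText) || /script-src[^;]*\bhttps?:\/\//.test(cspText)) {
    findings.push(`CSP allows eval or remote script sources: ${cspText}`);
  }
  // Heuristic (assumption): a Google-branded extension not installed from the Web Store.
  const name = manifest.name || "";
  const updateUrl = manifest.update_url || "";
  if (/\bgoogle\b/i.test(name) && !updateUrl.startsWith(WEB_STORE_UPDATE_URL)) {
    findings.push(`brand impersonation: "${name}" without a Chrome Web Store update_url`);
  }
  return findings;
}

// Constructed manifest resembling a sideloaded MV2 stealer disguised as a Google Drive add-on.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Google Drive",
  version: "1.0",
  permissions: ["history", "tabs", "<all_urls>", "storage"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"], run_at: "document_start" }],
  background: { scripts: ["background.js"], persistent: true },
  content_security_policy: "script-src 'self' 'unsafe-eval' https://example.invalid; object-src 'self'",
};

// Constructed benign MV3 manifest scoped to a single host, for comparison.
const CLEAN_MANIFEST = {
  manifest_version: 3,
  name: "Drive Helper",
  version: "2.0",
  permissions: ["storage"],
  host_permissions: ["https://drive.google.com/*"],
  background: { service_worker: "sw.js" },
  update_url: WEB_STORE_UPDATE_URL,
};

for (const [label, m] of [["sample", SAMPLE_MANIFEST], ["clean", CLEAN_MANIFEST]]) {
  const findings = triageManifest(m);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log("  - " + f);
}
```

Run it with `node triage.js` after pasting the manifest of an unpacked extension (for example one loaded through a modified browser shortcut) in place of the constructed sample. A clean MV3 manifest scoped to one host produces no findings; the constructed stealer-style manifest is flagged on every axis.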


Source: Trustwave
