A sophisticated malware strain dubbed “Rilide” has emerged as a significant threat to Chrome and Edge browser users, operating as a deceptive browser extension designed to harvest login credentials.
Security researchers have discovered this malware in active campaigns targeting corporate and individual users across North America and Europe, with instances of credential theft already reported at several financial institutions and e-commerce platforms.
The malware leverages browser extension capabilities to seamlessly integrate with the victim’s browsing experience, making detection particularly challenging for conventional security solutions.
Initial analysis suggests Rilide is primarily distributed through phishing emails containing links to fake browser update notifications or through compromised websites that prompt users to install what appears to be legitimate extensions.
Once installed, the extension requests extensive permissions that enable it to monitor browser activity, intercept form submissions, and establish persistence.
The malware authors have implemented sophisticated obfuscation techniques to bypass browser security checks and extension verification processes.
Pulsedive analysts identified the malware after tracking unusual data exfiltration patterns from corporate networks, noting that the extension communicated with multiple command and control servers using encrypted protocols.
Their investigation revealed that Rilide can capture credentials from over 300 popular websites including banking portals, cloud services, and enterprise applications, making it particularly dangerous for business environments where a single compromised account could lead to lateral movement within networks.
The infection has spread rapidly since its first detection in early March, with an estimated 75,000 installations across Chrome and Edge browsers worldwide.
Security teams are particularly concerned about Rilide’s advanced evasion capabilities, which include dormancy periods to avoid detection and the ability to detect security analysis environments and alter behavior accordingly.
Infection Mechanism
Rilide’s infection process begins when the extension is installed, at which point it immediately establishes persistence by creating a background service worker that remains active even when the browser is restarted.
The extension’s manifest.json file reveals its extensive permission requests:
{
  "name": "Browsing Assistant Pro",
  "description": "Enhance your browsing experience with smart features",
  "version": "2.1.4",
  "manifest_version": 3,
  "permissions": [
    "tabs",
    "storage",
    "webRequest",
    "webRequestBlocking",
    "cookies",
    ""
  ],
  "background": {
    "service_worker": "background.js"
  },
  "content_scripts": [{
    "matches": ["*://*/*"],
    "js": ["content.js"],
    "run_at": "document_start"
  }]
}
The malware’s credential theft functionality is implemented in its content script, which injects event listeners for form submissions across all websites.
When credentials are entered, the script captures the data before encryption and transmits it to the attacker’s server.
This approach circumvents even HTTPS protection since the interception occurs before data transmission.
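The manifest above and the content-script behaviour just described share one detectable pattern: sensitive permissions combined with a content script that runs on every site before the page’s own scripts. The following audit script is an added example written for this article, not Pulsedive’s tooling or the malware’s code. It parses an extension manifest, flags that combination, and can walk a browser profile’s Extensions directory (the path is supplied by the caller; the sample manifests below are constructed, the first one copied from the listing above).

```python
"""Audit browser-extension manifests for the permission/content-script
combination that lets an extension hook form submissions on every site.
Added example for this article; not Pulsedive's tooling."""
import json
import os
from pathlib import Path

# Permissions that give an extension visibility into traffic, sessions or
# every open tab. These are the real Chromium permission strings.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies", "tabs"}

# Match patterns that cover every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return a severity ("low", "medium", "high") and human-readable findings."""
    findings = []
    raw_perms = manifest.get("permissions", [])
    if any(not p for p in raw_perms):
        findings.append("empty permission entry (malformed manifest)")
    perms = {p for p in raw_perms if p}
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append("sensitive permissions: " + ", ".join(sensitive))

    broad_script = False   # injected on all sites
    early_script = False   # injected at document_start, before page scripts
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & ALL_SITES:
            broad_script = True
            if script.get("run_at") == "document_start":
                early_script = True
    if broad_script:
        msg = "content script injected on all sites"
        if early_script:
            msg += " at document_start (runs before page scripts, can hook form submissions)"
        findings.append(msg)
    if set(manifest.get("host_permissions", [])) & ALL_SITES:
        findings.append("host_permissions covers all sites")

    # A site-wide content script together with traffic/session permissions is the
    # combination that makes the form-interception technique possible.
    if broad_script and sensitive:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "low"
    return {"name": manifest.get("name", "<unnamed>"),
            "severity": severity, "findings": findings}


def audit_extension_dir(root: str) -> list:
    """Walk an Extensions directory (e.g. under a Chrome or Edge user-data
    folder, path chosen by the caller) and audit every manifest.json found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = Path(dirpath) / "manifest.json"
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError) as exc:
            results.append({"path": str(path), "error": str(exc)})
            continue
        result = audit_manifest(manifest)
        result["path"] = str(path)
        results.append(result)
    return results


# Constructed sample: the manifest quoted in the article.
SUSPICIOUS_MANIFEST = {
    "name": "Browsing Assistant Pro",
    "manifest_version": 3,
    "permissions": ["tabs", "storage", "webRequest", "webRequestBlocking", "cookies", ""],
    "background": {"service_worker": "background.js"},
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"],
                         "run_at": "document_start"}],
}

# Constructed sample: a narrowly scoped extension for contrast.
BENIGN_MANIFEST = {
    "name": "Example Site Theme",
    "manifest_version": 3,
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["theme.js"]}],
}

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(audit_manifest(m), indent=2))
```

Run `audit_extension_dir()` against the Extensions folder of each browser profile on a host under investigation; anything rated “high” deserves a look at its content script, and an empty permission entry like the one in the quoted manifest is itself a sign that the package was not produced by a normal build pipeline.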
Besides this, the researchers recommend managing browser extensions centrally, enabling PowerShell logging, and blocking users from running PowerShell commands.