Rilide stealer Malware

As per reports, a new version of the Rilide stealer is known to be stealing credentials from enterprise employees and crypto wallets. This new version is capable of bypassing the new Chromium browser manifest v3.

Rilide is a malicious browser extension that was discovered in April 2023 by Trustwave SpiderLabs. The currently discovered version is not affected by the Google Chrome Extensions manifest V3, which restricts in-line Javascript code execution.

In addition, the Rilide malware extension targets banking accounts in Australia and the United Kingdom. It also captures screenshots at regular intervals and exfiltrates the stolen data into a Telegram channel.

Rilide Malware Setal Credentials

The new Rilide version is capable of doing a wide range of activities like enabling or disabling other browser extensions, retrieving browser history and cookies, stealing login credentials, on-demand screenshots, and malicious script injection for stealing money from cryptocurrency exchanges.

Moreover, this current version is added with code obfuscation and imitated as a Palo Alto GlobalProtect VPN extension on Chrome Web Store which is configured to communicate with the C2 domain edd2ed2[.]online.

Additionally, the Rilide extension is now equipped with a CursedChrome tool integration, allowing threat actors to browse the web authenticated as the victim who has installed this extension.

CursedChrome Admin panel (Source: Trustwave SpiderLabs)

Furthermore, threat actors conducted Twitter campaigns using Fake P2E (Play to Earn) in which players can collect NFTs (Non-Fungible Tokens) and sell them for real money. Users are asked to share their Twitter handle and SOL wallets to earn rewards.

Twitter campaign (Source: Trustwave)

Threat actors created dedicated discord servers and dedicated websites for this campaign. These games are used to drop the Rilide and Redline stealer onto victims. Several scripts were found to be in development during the investigation.

However, a complete report has been published by Trustwave SpiderLabs, which provides detailed information on the attack vector, source code, and stealing methods of the Rilide extension.

A list of indicators of compromise has also been released by Trustwave, which can be used by security personnel to protect against threat actors.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.