Researchers have discovered a new variant of the Rilide Stealer malware extension that targets popular Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera while adapting to Chrome's Manifest V3 security model.
This sophisticated malware employs creative techniques to bypass Google’s Chrome Extension Manifest V3, aimed at blocking the installation of malicious extensions, reported Trustwave SpiderLabs, a cybersecurity firm.
“As does its predecessor, the new Rilide stealer enables threat actors to carry out a broad spectrum of malicious activities, including enabling or disabling other browser extensions, retrieving browsing history and cookies, stealing login credentials, taking on-demand screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges,” said the new Trustwave report on the malware.
The upgraded Rilide Stealer exhibits a higher level of sophistication, boasting a modular design, code obfuscation, adaptation to Chrome’s Manifest V3, and additional features, including the ability to exfiltrate stolen data to a Telegram channel and interval-based screenshot capture.
Trustwave SpiderLabs has identified multiple campaigns leveraging the new version of Rilide Stealer, including corporate targeting, fake P2E games, and banking data theft, among others. Additionally, the investigation found associations with malware families such as BumbleBee, IcedID, and Phorpiex.
The first campaign appears to target corporate users through a PowerPoint phishing lure and a fake Palo Alto GlobalProtect plugin. The second campaign advertises fake Play To Earn (P2E) games using Twitter. Beta installers were found dropping both Rilide and Redline Stealer.
The third campaign focuses on the banking data of users in Australia and the UK. The attackers use a unique method to load extensions and employ AngelDrainer scripts to steal cryptocurrencies from unsuspecting users’ wallets.
To adapt to Chrome’s Manifest V3, Rilide developers had to refactor the malware’s core capabilities. The new version introduces a ‘screenshot_rules’ command, enabling attackers to capture sensitive data during online transactions, such as credit card details. Additionally, stolen data can now be exfiltrated to a Telegram channel.
Developers further obfuscated the code to evade detection and applied custom string obfuscation algorithms, making analysis more challenging. The use of RC4 encryption adds another layer of complexity to the obfuscated code.
The threat actor ‘friezer’ has been selling the Rilide extension and control panel on underground forums. The leaked source code of the extension and control panel led to speculation that other threat actors may have picked up the development of this malware family.
In response to the emergence of the new version of Rilide Stealer, the cybersecurity community has developed a new framework called Permhash. This hash-based technique assists in hunting, clustering, and pivoting on malicious APKs and browser extensions, allowing for more effective detection and analysis.
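To illustrate the idea behind permission-based hashing for clustering browser extensions, here is an added example (not code from Trustwave, the Rilide authors, or the Permhash project). It fingerprints Manifest V3 manifests by their declared permissions so that renamed or reordered copies of the same extension land in one cluster; the normalization used here (sorted, lowercased, newline-joined) is this example's own assumption, so its values are not comparable to hashes produced by the canonical Permhash tooling. All manifests below are constructed samples.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample MV3 manifests (not real extensions). A and B declare the
# same permissions in a different order and under a different name.
MANIFEST_A = json.dumps({
    "manifest_version": 3, "name": "Sample A",
    "permissions": ["cookies", "tabs", "scripting", "history"],
    "host_permissions": ["<all_urls>"],
})
MANIFEST_B = json.dumps({
    "manifest_version": 3, "name": "Sample B (renamed copy)",
    "permissions": ["tabs", "history", "cookies", "scripting"],
    "host_permissions": ["<all_urls>"],
})
MANIFEST_C = json.dumps({
    "manifest_version": 3, "name": "Sample C",
    "permissions": ["storage"],
})


def extract_permissions(manifest_json: str) -> List[str]:
    """Collect declared API and host permissions from an MV3 manifest.json string."""
    manifest = json.loads(manifest_json)
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    return [p for p in perms if isinstance(p, str)]


def permission_hash(manifest_json: str) -> str:
    """Permhash-style fingerprint: SHA-256 over a normalized permission set.
    Normalization (sorted, lowercased, newline-joined) is an assumption of this
    example, not the canonical Permhash algorithm."""
    perms = sorted({p.strip().lower() for p in extract_permissions(manifest_json)})
    return hashlib.sha256("\n".join(perms).encode("utf-8")).hexdigest()


def cluster_by_permissions(manifests: Dict[str, str]) -> Dict[str, List[str]]:
    """Group extension names by permission hash for hunting and pivoting."""
    clusters: Dict[str, List[str]] = {}
    for name, manifest_json in manifests.items():
        clusters.setdefault(permission_hash(manifest_json), []).append(name)
    return clusters


if __name__ == "__main__":
    samples = {"A": MANIFEST_A, "B": MANIFEST_B, "C": MANIFEST_C}
    for digest, members in cluster_by_permissions(samples).items():
        print(digest[:16], members)
```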