New Rilide Stealer targets Chromium browsers; Evades security

Researchers have discovered a new variant of the Rilide Stealer malware extension that targets popular Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera while adapting to the security restrictions of Manifest V3.

This sophisticated malware employs creative techniques to bypass Google’s Chrome Extension Manifest V3, which is intended to block the installation of malicious extensions, reported Trustwave SpiderLabs, a cybersecurity firm.

Rilide’s functionalities to bypass Manifest V3 security. | Source: Trustwave

“As does its predecessor, the new Rilide stealer enables threat actors to carry out a broad spectrum of malicious activities, including enabling or disabling other browser extensions, retrieving browsing history and cookies, stealing login credentials, taking on-demand screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges,” said the new Trustwave report on the malware.

The upgraded Rilide Stealer exhibits a higher level of sophistication: a modular design, code obfuscation, adaptation to Chrome’s Manifest V3, and additional features, including the ability to exfiltrate stolen data to a Telegram channel and interval-based screenshot capture.

Trustwave SpiderLabs has identified multiple campaigns leveraging the new version of Rilide Stealer, including corporate user targeting, fake P2E games, and banking data theft, among others. Additionally, the investigation found associations with malware such as BumbleBee, IcedID, and Phorpiex.

The first campaign appears to target corporate users through a PowerPoint phishing lure and a fake Palo Alto GlobalProtect plugin. The second campaign advertises fake Play To Earn (P2E) games using Twitter. Beta installers were found dropping both Rilide and Redline Stealer.

The third campaign focuses on the banking data of users in Australia and the UK. The attackers use a unique method to load extensions and employ AngelDrainer scripts to steal cryptocurrencies from unsuspecting users’ wallets.

Rilide Stealer’s campaign discovered in the wild. | Source: Trustwave

To adapt to Chrome’s Manifest V3, Rilide’s developers had to refactor the malware’s core capabilities. The new version introduces a ‘screenshot_rules’ command, enabling attackers to capture sensitive data during online transactions, such as credit card details. Additionally, stolen data can now be exfiltrated to a Telegram channel.

Manifest V3’s security improvements restrict extensions from loading remote JavaScript code or executing arbitrary strings, making Rilide’s previous injection approach ineffective. However, the threat actors used publicly disclosed techniques, leveraging inline events and Declarative Net Request rules, to execute malicious JavaScript code.

The developers further obfuscated the code to evade detection and applied custom string obfuscation algorithms, making analysis more challenging. The use of RC4 encryption adds another layer of complexity to the obfuscated code.

Code obfuscation by Rilide Stealer. | Source: Trustwave

The threat actor ‘friezer’ has been selling the Rilide extension and control panel on underground forums. The leaked source code of the extension and control panel led to speculation that other threat actors may have picked up the development of this malware family.

In response to the emergence of the new version of Rilide Stealer, the cybersecurity community has developed a new framework called Permhash. This hash-based technique assists in hunting, clustering, and pivoting on malicious APKs and browser extensions, allowing for more effective detection and analysis.
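As an added example (not code from the Trustwave report, from Rilide, or from the Permhash project), the following Python script triages a Chromium extension manifest for the Manifest V3 indicators discussed above (declarativeNetRequest usage, broad host access, sensitive API permissions) and computes a Permhash-style digest over its declared permissions; the sample manifest, the permission watchlist and the exact fields hashed are constructed assumptions for this example.

```python
import hashlib
import json

# Constructed sample manifest (not taken from any real extension): an MV3
# extension that requests the declarativeNetRequest API and broad host access.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Sample Extension",
    "version": "1.0",
    "permissions": ["declarativeNetRequest", "cookies", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "declarative_net_request": {"rule_resources": [
        {"id": "rules", "enabled": True, "path": "rules.json"}]},
})

# Permissions that warrant a closer look in an MV3 extension. This list is an
# assumption for the example, not a Google or Trustwave list.
WATCHLIST = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
             "cookies", "history", "tabs", "scripting", "webRequest"}

def permhash(manifest: dict) -> str:
    """Permhash-style digest: SHA-256 over the concatenated permission strings,
    so extensions declaring the same permissions cluster together. The field
    set and concatenation used by the reference tool are assumed here."""
    perms = list(manifest.get("permissions", []))
    perms += manifest.get("optional_permissions", [])
    perms += manifest.get("host_permissions", [])
    return hashlib.sha256("".join(perms).encode()).hexdigest()

def triage(manifest_json: str) -> dict:
    """Parse a manifest.json string and report MV3-relevant risk indicators."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", []))
    findings = []
    if "declarativeNetRequest" in perms or "declarative_net_request" in m:
        findings.append("declarativeNetRequest rules (can redirect/rewrite requests)")
    if hosts & {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}:
        findings.append("broad host permissions")
    flagged = sorted(perms & WATCHLIST)
    if flagged:
        findings.append("sensitive API permissions: " + ", ".join(flagged))
    return {"manifest_version": m.get("manifest_version"),
            "permhash": permhash(m), "findings": findings}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

Identical permhash values across unrelated extension samples are a pivot point for clustering, while the findings list is only a triage signal and not proof of malicious intent.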

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me