Chromium-based web browsers are the target of new malware called Rilide, which masquerades as a seemingly legitimate extension to steal sensitive user data and cryptocurrency.

Rilide: what is known about this malware

“Rilide malware hides behind a legitimate Google Drive extension and allows threat actors to perform a wide range of malicious activities, including monitoring browsing history, taking screenshots and injecting malicious scripts to withdraw funds from different cryptocurrency exchanges,” Trustwave SpiderLabs Research said in its report.

The malware can also display fake dialogs that trick users into entering a two-factor authentication code, which is then used to withdraw digital assets.

Trustwave has identified two different campaigns, involving Ekipa RAT and Aurora Stealer, that led to the installation of the malicious browser extension.

While Ekipa RAT is distributed via booby-trapped files posing as Microsoft Publisher documents, fraudulent Google ads act as the delivery vector for Aurora Stealer (malvertising, a technique that has become increasingly common in recent months).

Both attack chains lead to the execution of a Rust-based loader which, in turn, modifies the browser’s LNK shortcut file and uses the “--load-extension” command-line switch to launch the add-on.
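As an added illustration of the persistence step described above (not code from the Trustwave report): a minimal reader for the Windows shell link (.lnk) format that extracts a shortcut's stored command-line arguments and pulls out any paths passed through `--load-extension`, so a defender can audit browser shortcuts for side-loaded extensions. The `build_lnk` helper constructs a sample shortcut in memory for demonstration; on a real host you would feed `lnk_arguments` the bytes of each Chrome or Edge shortcut instead.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification (only the ones this reader needs).
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
STRING_ORDER = (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON)  # fixed StringData order
SHELL_LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))')  # quoted or bare value

def lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string stored in a .lnk file ('' if none)."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = header_size
    if flags & HAS_ID_LIST:                    # LinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    args = ""
    for flag in STRING_ORDER:                  # each entry: 2-byte char count, then the chars
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)
        width = 2 if flags & IS_UNICODE else 1
        text = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
        if flag == HAS_ARGS:
            args = text
    return args

def loaded_extensions(args: str) -> list[str]:
    """Paths handed to Chromium via --load-extension (a comma-separated list is allowed)."""
    paths = []
    for match in LOAD_EXT.finditer(args):
        value = match.group(1) if match.group(1) is not None else match.group(2)
        paths.extend(p for p in value.split(",") if p)
    return paths

def build_lnk(args: str, id_list: bytes = b"") -> bytes:
    """Constructed sample: a minimal Unicode shell link carrying an arguments string."""
    flags = HAS_ARGS | IS_UNICODE | (HAS_ID_LIST if id_list else 0)
    header = struct.pack("<I16sI", 0x4C, SHELL_LINK_CLSID, flags).ljust(0x4C, b"\x00")
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    return header + body + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

A non-empty result from `loaded_extensions(lnk_arguments(open(path, "rb").read()))` on a shortcut in the Start Menu, desktop or taskbar folders is worth investigating, since legitimate browser shortcuts do not normally carry this switch.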

It is not known where Rilide came from or who created it; however, Trustwave said it was able to find a post on an underground forum, made in March 2022 by a cybercriminal, advertising the sale of a botnet with similar functionality.

Some of the malware’s source code ended up on forums following what appears to be an unresolved payment dispute.

One notable feature implemented in the leaked source code is the ability to replace cryptocurrency wallet addresses in the clipboard with an actor-controlled address hardcoded into the sample.

In addition, a command-and-control (C2) address specified in Rilide’s code made it possible to identify various GitHub repositories belonging to a user named gulantin, which contain the loaders for the extension; GitHub has since removed the account in question.

“Rilide malware is a prime example of the growing sophistication of malicious browser extensions and the dangers they pose,” Trustwave concluded.

“While the upcoming enforcement of the v3 manifest may make it more difficult for malicious actors to operate, it is unlikely to completely resolve the issue, as most of the features exploited by Rilide will still be available.”

How to defend yourself if Rilide ends up on your device

Here are some tips for defending against the Rilide malware threat: