Hackers Exploit the Rilide Browser Extension to Bypass 2FA and Steal Cryptocurrency


Rilide is a new malicious browser extension found by security experts that targets Chromium-based products such as Google Chrome, Brave, Opera, and Microsoft Edge. The spyware is designed to track browser behavior, capture screenshots, and steal cryptocurrency using scripts embedded in web pages.

Trustwave SpiderLabs discovered that Rilide imitated legitimate Google Drive extensions to remain hidden while abusing built-in Chrome functionality.

The cybersecurity firm discovered two distinct campaigns that delivered Rilide. One used Google Ads and Aurora Stealer to load the extension through a Rust-based loader. The other used the Ekipa remote access trojan (RAT) to spread the malicious extension.

Two campaigns pushing Rilide (Trustwave)

While the malware's origin is unknown, Trustwave believes it resembles other extensions sold to hackers. At the same time, parts of its code were recently leaked on an underground forum after a payment dispute between cybercriminals.

A virus in the browser:

Rilide's loader modifies web browser shortcut files so that the malicious extension installed on the infected machine is loaded automatically at every browser start. Once running, the extension executes a script that attaches a listener for when the victim switches tabs, receives web content, or a page finishes loading.
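Because the loader persists by changing what the browser shortcut launches, a defender's first check is the browser command line itself: a shortcut target or a process-creation event (for example Sysmon Event ID 1's CommandLine field) that starts a Chromium browser with a switch that side-loads an unpacked extension. The script below is an added example, not Trustwave's tooling or anything from the report; the switch names are real Chromium flags, while the command lines it scans and the user-writable path hints are constructed sample data.

```python
import re

# Chromium switches that make a browser load unreviewed extension code at launch.
# The switch names are real Chromium flags; the sample command lines below are constructed.
SIDELOAD_SWITCHES = {
    "--load-extension": "loads an unpacked extension from a local directory on every start",
    "--disable-extensions-except": "keeps only a chosen set of local extensions enabled",
    "--disable-web-security": "turns off same-origin policy enforcement",
}
BROWSER_BINARIES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
# Directory hints a loader running as the user can write to (constructed list).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def launched_binary(cmdline: str) -> str:
    """Return the lower-cased file name of the executable a command line starts."""
    m = re.match(r'\s*"?(.*?\.exe)"?', cmdline, re.IGNORECASE)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else ""


def extract_switches(cmdline: str) -> dict:
    """Map every --switch[=value] on the command line to its unquoted value."""
    switches = {}
    for m in re.finditer(r'--([a-z0-9-]+)(?:=("[^"]*"|\S+))?', cmdline, re.IGNORECASE):
        switches["--" + m.group(1).lower()] = (m.group(2) or "").strip('"')
    return switches


def triage_launch(cmdline: str) -> list:
    """Return one finding per side-load switch found on a browser command line.

    Non-browser executables are ignored so the check stays focused on
    shortcut and process telemetry for Chromium-based browsers.
    """
    if launched_binary(cmdline) not in BROWSER_BINARIES:
        return []
    findings = []
    for switch, value in extract_switches(cmdline).items():
        if switch not in SIDELOAD_SWITCHES:
            continue
        why = SIDELOAD_SWITCHES[switch]
        if any(hint in value.lower() for hint in USER_WRITABLE_HINTS):
            why += "; extension path is in a user-writable location"
        findings.append({"switch": switch, "value": value, "why": why})
    return findings


def scan_launch_lines(lines) -> dict:
    """Return {command line: findings} for every line that produced a finding."""
    results = {}
    for line in lines:
        findings = triage_launch(line)
        if findings:
            results[line] = findings
    return results


# Constructed sample command lines: one clean launch, two side-loaded launches,
# and one non-browser process that must not be flagged.
SAMPLE_LAUNCH_LINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\victim\AppData\Local\Temp\gdrive_ext"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-extensions-except="C:\ProgramData\ext" --load-extension="C:\ProgramData\ext"',
    r'C:\Windows\System32\notepad.exe --load-extension=foo',
]

if __name__ == "__main__":
    for line, findings in scan_launch_lines(SAMPLE_LAUNCH_LINES).items():
        print(line)
        for f in findings:
            print(f"  {f['switch']} -> {f['value']}: {f['why']}")
```

The same function can be pointed at the Target and Arguments fields of user-profile .lnk files, which is where a loader like the one described above makes its change; any `--load-extension` on a shortcut that the user did not create is worth a closer look.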

Malicious extension on Edge (Trustwave)

It also checks whether the current site matches a list of targets provided by the command and control (C2) server. If there is a match, the extension injects further scripts into the page to steal cryptocurrency-related information, email account credentials, and other data from the victim. The add-on also periodically exfiltrates browsing history and can capture screenshots and send them to the C2.

The extension also disables 'Content Security Policy,' a security feature designed to protect against cross-site scripting (XSS) attacks, allowing the browser to freely load external resources that would otherwise be blocked.
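An extension can only strip Content Security Policy headers, watch tab switches against a target list, and inject scripts into every page if its manifest grants it the corresponding permissions, so a manifest review of locally installed extensions surfaces this class of capability directly. The triage script below is an added example written for this article, not Trustwave's code and not Rilide's real manifest; the permission and `declarativeNetRequest` key names are the real Chromium extension manifest fields, while the three sample manifests (an impostor posing as a Google Drive add-on, a Manifest V3 variant that removes CSP through a rule file, and a benign one) are constructed.

```python
# Web Store installs carry this update_url; a sideloaded extension does not.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Brand names a sideloaded extension might imitate (constructed seed list).
IMPERSONATED_BRANDS = ("google drive",)


def host_patterns(manifest: dict) -> set:
    """Collect every host pattern the extension asks for (MV2 and MV3 layouts)."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        patterns |= set(cs.get("matches", []))
    return patterns


def strips_csp(rule_files) -> bool:
    """True if any declarativeNetRequest rule removes or overrides the CSP response header."""
    for rules in rule_files:
        for rule in rules:
            action = rule.get("action", {})
            if action.get("type") != "modifyHeaders":
                continue
            for hdr in action.get("responseHeaders", []):
                if hdr.get("header", "").lower() == "content-security-policy" \
                        and hdr.get("operation") in ("remove", "set"):
                    return True
    return False


def triage_manifest(manifest: dict, rule_files=()) -> list:
    """Return human-readable findings for capabilities worth reviewing."""
    findings = []
    name = manifest.get("name", "")
    perms = set(manifest.get("permissions", []))
    broad = bool(host_patterns(manifest) & BROAD_HOST_PATTERNS)
    if any(b in name.lower() for b in IMPERSONATED_BRANDS) \
            and manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append(f"name '{name}' imitates a well-known product but has no Web Store update_url (sideloaded)")
    if "webRequestBlocking" in perms and broad:
        findings.append("webRequestBlocking with broad host access: can drop Content-Security-Policy on any site")
    if strips_csp(rule_files):
        findings.append("declarativeNetRequest rule removes or overrides the Content-Security-Policy response header")
    if any(set(cs.get("matches", [])) & BROAD_HOST_PATTERNS for cs in manifest.get("content_scripts", [])):
        findings.append("content script runs on every page: can read forms and rewrite page content")
    if "tabs" in perms and broad:
        findings.append("tabs permission with broad host access: can watch tab switches and URLs against a target list")
    return findings


# Constructed sample manifests for this example.
SAMPLE_MANIFEST = {  # MV2 impostor: no update_url, blocking webRequest, scripts everywhere
    "manifest_version": 2, "name": "Google Drive Helper", "version": "1.0",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
SAMPLE_MV3_MANIFEST = {  # MV3 variant that relies on a rule file instead
    "manifest_version": 3, "name": "Page Tools", "version": "2.0",
    "permissions": ["declarativeNetRequest"], "host_permissions": ["<all_urls>"],
    "declarative_net_request": {"rule_resources": [{"id": "r", "enabled": True, "path": "rules.json"}]},
}
SAMPLE_DNR_RULES = [{
    "id": 1, "priority": 1,
    "action": {"type": "modifyHeaders",
               "responseHeaders": [{"header": "content-security-policy", "operation": "remove"}]},
    "condition": {"urlFilter": "*", "resourceTypes": ["main_frame"]},
}]
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Notes", "version": "1.0",
    "permissions": ["storage"], "update_url": WEBSTORE_UPDATE_URL,
}

if __name__ == "__main__":
    for label, m, rules in (("impostor", SAMPLE_MANIFEST, ()),
                            ("mv3", SAMPLE_MV3_MANIFEST, [SAMPLE_DNR_RULES]),
                            ("benign", BENIGN_MANIFEST, ())):
        print(label, triage_manifest(m, rules) or "no findings")
```

Run against the manifest.json (and any rule files it references) of each extension directory under a browser profile's Extensions folder; the Manifest V3 branch is included because, as the article notes, V3 raises the bar without removing the header-rewriting capability entirely.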

Rilide's capabilities graph (Trustwave)

Bypassing two-factor authentication:

A notable feature is Rilide's 2FA bypass, which uses forged dialogs to trick victims into entering their one-time codes. The mechanism activates when a victim initiates a cryptocurrency withdrawal on an exchange that Rilide targets. At that moment the malware injects its script in the background and submits the request automatically.

Rilide then uses the code the user enters into the forged dialog to complete the withdrawal to the threat actor's wallet address. Trustwave explains in the report that "email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser. Instead of the withdrawal request email, a device authorization request is sent, tricking the user into providing the authorization code."

Replacing the legitimate email (right) while retrieving the 2FA code (Trustwave)

Rilide shows how rogue browser extensions are becoming more sophisticated, combining live surveillance with automated theft of funds.

While the implementation of Manifest v3 on all Chromium-based browsers will increase resistance to malicious extensions, Trustwave notes that it will not solve the problem.
