Riligy malware is disguised as a legitimate Google Drive extension and allows attackers to capture screenshots, monitor users’ browsing history, and inject malicious scripts to steal funds from cryptocurrency wallets.
The cybersecurity researchers at Trustwave SpiderLabs have disclosed alarming details on a new strain of Rilide malware that targets Chromium-based browsers to steal cryptocurrency funds and monitor users browsing activities.
In the newly discovered campaign, SpiderLabs researchers noticed that threat actors have created legitimate-looking Google Drive extension that hides Rilide malware.
SpiderLabs researchers believe Rilide malware is unique because of its capability of generating dialogues to trick users into giving away their 2FA keys. This is a rare feature that helps the attacker withdraw cryptocurrencies discreetly.
In addition to this, the malware also allows attackers to carry out an extensive range of activities, including capturing screenshots, monitoring users’ browsing history, and injecting malicious scripts to steal funds from cryptocurrency wallets.
The researchers have confirmed that Rilide malware targets Chromium-based browsers, including Microsoft Edge, Google Chrome, and Opera to achieve its malicious objectives.
The fact that Google Drive is being used maliciously is not surprising. A study conducted last year found that 50% of all malicious Office document downloads were from Google Drive. Another study revealed that Apple Safari was the safest browser while Google Chrome was the riskiest browser in 2022.
As for Rilide malware, during their investigation, SpiderLabs researchers detected multiple such extensions for sale in March 2022. They also noted that a portion of Rilie malware source code was recently leaked by someone on an underground hacking forum over payment issues.
This leaked code can swap cryptocurrency wallet addresses from the clipboard with the attacker’s address. Moreover, the C2 address embedded in the Rilide code can identify GitHub repositories belonging to a user named gulantin, which contains the extension’s loader.
Attack Chain
Researchers have detected two attack methods to install the malicious extension, Ekipa RAT and Aurora Stealer. Ekipa RAT is distributed through booby-trapped Microsoft Publisher documents, whereas fake Google Ads serve as Aurora Stealer’s distributor.
Their attack chains encourage the execution of a Rust-based loader, which can modify the browsers’ LNK shortcut file and launch the add-on using the “–load-extension” command line switch.
Ekipa RAT can carry out targeted attacks. Conversely, Aurora, first spotted in April 2022 on Russian-speaking underground forums, is a Go-based stealer offered as a Malware-as-a-Service (Maas) tool. It can take data from different web browsers, local systems, and cryptocurrency wallets.
“The Rilide stealer is a prime example of the increasing sophistication of malicious browser extensions and the dangers they pose,” the report read.
