Rilide malware is stealing 2FA codes and passwords — what you need to know
Hackers are once again targeting Chromium-based browsers like Google Chrome, Microsoft Edge and others, this time using a new malware strain designed to siphon off sensitive user data.
The malware itself has been dubbed Rilide by security researchers at Trustwave SpiderLabs, who explained in a new report that it can carry out a wide range of malicious activities, including monitoring browsing history, taking screenshots and stealing cryptocurrency using scripts injected into websites.
Although the Rilide malware is being spread through a fake Google Drive browser extension, the cybersecurity firm also discovered another campaign abusing Google Ads and the Aurora Stealer to load the extension using a Rust loader, according to BleepingComputer.
This could indicate that its creators are using a Malware-as-a-Service business model to sell Rilide to other cybercriminals, who then use it in their own attacks: Trustwave did find a post on a hacking forum in March of last year advertising a botnet with similar capabilities.
Either way, Rilide is certainly a malware strain to look out for, especially since it’s able to intercept two-factor authentication (2FA) codes and take over both email and crypto accounts.
Hijacking Chromium-based browsers
The loader used by Rilide modifies the browser shortcut files for Chrome or Edge so that the browser automatically loads the malicious extension dropped onto infected systems by the malware.
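The article does not say how the shortcut is altered, so the following is an added defender-side check, not code from Trustwave or the campaign: it assumes (as a labelled assumption) that the tampered shortcut gains a Chromium command-line switch such as `--load-extension` or `--disable-extensions-except`, parses the shortcut's stored argument string directly from the .lnk bytes (MS-SHLLINK layout), and flags any shortcut that side-loads an extension from disk. `build_lnk` produces a constructed sample shortcut so the check runs offline.

```python
import struct
from pathlib import Path

LNK_HEADER_SIZE = 0x4C                          # MS-SHLLINK: fixed 76-byte header, LinkFlags at offset 20
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
STRING_DATA_FLAGS = [1 << 2, 1 << 3, 1 << 4, 1 << 5, 1 << 6]  # Name, RelativePath, WorkingDir, Arguments, IconLocation
SUSPICIOUS_SWITCHES = ("--load-extension", "--disable-extensions-except")  # assumed indicator: side-loads an unpacked extension

def lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string stored in a .lnk file ('' if none)."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:         # skip IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = []
    for bit in STRING_DATA_FLAGS:               # each present string: CountCharacters + chars, no terminator
        if not flags & bit:
            strings.append("")
            continue
        count, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
        width = 2 if flags & IS_UNICODE else 1
        strings.append(data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "latin-1"))
        pos += count * width
    return strings[3]

def suspicious_switches(args: str) -> list[str]:
    """Switches in a shortcut's argument string that make Chromium load an extension from disk."""
    return [tok for tok in args.split() if tok.lower().startswith(SUSPICIOUS_SWITCHES)]

def scan_shortcuts(folder: str) -> dict[str, list[str]]:
    """Map each .lnk under folder that carries a suspicious switch to the switches found."""
    hits = {}
    for path in Path(folder).rglob("*.lnk"):
        try:
            found = suspicious_switches(lnk_arguments(path.read_bytes()))
        except ValueError:                      # not a shell link; skip
            continue
        if found:
            hits[str(path)] = found
    return hits

def build_lnk(args: str) -> bytes:
    """Constructed minimal shortcut (header plus Unicode argument string) for offline testing."""
    flags = IS_UNICODE | (STRING_DATA_FLAGS[3] if args else 0)
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # CLSID_ShellLink
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, clsid, flags).ljust(LNK_HEADER_SIZE, b"\0")
    return header + (struct.pack("<H", len(args)) + args.encode("utf-16-le") if args else b"")
```

On a real host, point `scan_shortcuts` at the Desktop, Start Menu and taskbar pinned-shortcut folders; a browser shortcut that carries one of these switches warrants a look at the extension directory it names.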
From here, it runs a script that watches for the infected user switching tabs, receiving content from the web, or a web page finishing loading. At the same time, it checks whether the website the user is on matches a list of targets held on a command and control (C&C) server operated by the hackers behind the campaign.
When one of the sites matches, the malicious extension loads additional scripts that are injected into the web page to steal sensitive information from victims, including crypto-related data, their email account credentials and more.
The extension dropped by Rilide can even disable a security feature called “Content Security Policy”, which is used to protect against cross-site scripting (XSS) attacks. This allows it to load external…