Attackers Using Rilide Malware to Bypass Two-Factor Authentication and Steal Cryptocurrency

NEW DELHI: Malware using malicious browser extensions is being used to steal cryptocurrency assets from multiple websites and online wallets. The extension injects rogue code into websites to defeat two-factor authentication and delete automated alerts from mailboxes.

Researchers from Trustwave SpiderLabs found that the malware, called Rilide, has the effective and rarely used ability to utilize forged dialogs to deceive users into revealing their two-factor authentication (2FA) and then withdraw cryptocurrencies in the background. Rilide has been observed being distributed through other malware programs, such as the Ekipa RAT, and is likely being used as a secondary payload or module as part of larger attacks.

One campaign saw attackers using the Ekipa RAT to distribute the Rilide extension via a Rust-based loader. Rilide is modular malware that was also distributed through an infostealer program called Aurora. Aurora itself is capable of stealing data and credentials from multiple web browsers, cryptocurrency wallets, and other local applications. It was distributed through rogue advertisements on the Google Ads platform, where it masqueraded as an installer for TeamViewer or NVIDIA drivers.

Once loaded by the browser, the Rilide extension masquerades as an extension for Google Drive and monitors active tabs for a list of targeted websites, including popular cryptocurrency exchanges and email providers such as Gmail and Yahoo. The extension removes Content Security Policy (CSP) headers supplied by the real website and injects its own rogue code into the website to perform various content manipulations. It can take screenshots of the currently opened tabs and notify a command-and-control server when one of the active tabs matches one of the targeted websites. Other scripts automate the withdrawal of assets in the background while presenting the user with a fake dialog to input their two-factor authentication code.

What Is Rilide?

Rilide is a malicious browser extension for Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera that is designed to steal cryptocurrency assets from multiple websites and online wallets. It works by injecting rogue code into websites locally in the browser to defeat two-factor authentication and delete automated alerts from mailboxes. Rilide is not the first malware of its kind, but what sets it apart is its effective use of forged dialogs to deceive users into revealing their two-factor authentication (2FA) codes and then withdraw cryptocurrencies in the background. The extension is distributed through other malware, including the Ekipa RAT remote access Trojan and the Aurora malware-as-a-service platform. The Rilide extension is loaded by modifying the normal shortcuts (LNK files) of targeted browsers on the infected system so that they launch the browser with the `--load-extension` parameter pointing to the malicious extension directory.
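The shortcut-modification technique described above leaves a simple host-level trace that defenders can look for. The PowerShell script below is an added example written for this article, not code from Trustwave or from the Rilide report; it inspects browser .lnk files in common shortcut locations (the list of paths is an assumption to adjust per environment) and currently running browser processes for the `--load-extension` argument.

```powershell
# Added example (not from the article or Trustwave): flag browser shortcuts
# and running browser processes that carry --load-extension, the launch
# technique the article attributes to Rilide. Run on the host being checked.

$browserExes = @('chrome.exe', 'msedge.exe', 'brave.exe', 'opera.exe')

# Typical shortcut locations (assumed; extend for your environment).
$shortcutRoots = @(
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:PUBLIC\Desktop"
)

# WScript.Shell exposes the target and argument fields of a .lnk file.
$wsh = New-Object -ComObject WScript.Shell

$findings = foreach ($root in $shortcutRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk    = $wsh.CreateShortcut($_.FullName)
            $target = [System.IO.Path]::GetFileName([string]$lnk.TargetPath)
            # -contains is case-insensitive, so no normalisation is needed.
            if ($browserExes -contains $target -and
                $lnk.Arguments -match '--load-extension') {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Modified  = $_.LastWriteTime
                }
            }
        }
}

# A tampered shortcut may already have been used: also check live processes.
$running = Get-CimInstance Win32_Process |
    Where-Object { $browserExes -contains $_.Name -and
                   $_.CommandLine -match '--load-extension' } |
    Select-Object ProcessId, Name, CommandLine

if ($findings) { $findings | Format-List } else { 'No browser shortcut uses --load-extension.' }
if ($running)  { $running  | Format-List } else { 'No running browser uses --load-extension.' }
```

A hit is not proof of compromise on its own, since developers and some enterprise deployments legitimately use the flag; treat the listed extension path and the shortcut's modification time as the starting point for triage.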

The Trustwave researchers recommend that organizations pick more secure methods when deploying 2FA, such as mobile authenticator apps that generate codes on a separate device or physical USB-based authentication devices. Users should remain vigilant and skeptical when receiving unsolicited emails or messages and never assume that any content on the internet is safe, even if it appears to be.

Important Points:

  • Malware using malicious browser extensions is being used to steal cryptocurrency assets from multiple websites and online wallets.
  • The Rilide extension is being distributed through other malware programs, such as the Ekipa RAT, and is likely being used as a secondary payload or module as part of larger attacks.
  • Rilide is modular malware that was distributed through an infostealer program called Aurora.
  • The extension masquerades as an extension for Google Drive and monitors active tabs for a list of targeted websites, including popular cryptocurrency exchanges and email providers such as Gmail and Yahoo.
  • The Trustwave researchers recommend that organizations pick more secure methods when deploying 2FA, such as mobile authenticator apps that generate codes on a separate device or physical USB-based authentication devices.
