Posted on April 7, 2023 at 8:46 AM

Researchers detect malicious browser extension that monitors browser activity and steals crypto

Cybersecurity researchers have detected a malicious browser extension known as Rilide. This extension targets Chromium-based products such as Brave, Google Chrome, Microsoft Edge, and Opera.

Researchers detect malicious browser extension

Browser extensions have, in the past, been associated with malware campaigns. Hackers are not relentlessly using these tools to conduct their malicious hacking attacks. The Rilide browser extension has become the latest victim of malware campaigns conducted by threat actors.

The malware in question has been created to monitor browser activity, capture screenshots and steal cryptocurrencies using scripts embedded in the web pages. According to the researchers, this malware could function without raising suspicion.

The malware was detected by researchers at Trustwave SpiderLabs, who said that the Rilide browser extension mimicked native Google Drive extensions to hide its activity in plain sight. The malware operated stealthily while exploiting the in-build Chrome functionalities.

The cybersecurity company noted that it had identified two separate campaigns that threat actors conducted to distribute Rilide. In one of the campaigns, the hacker was using Google Ads and Aurora stealer to load the extension through Rust loader. In the second campaign, the hackers distributed the malicious browser extension using the Ekipa remote access trojan (RAT).

The origin of this malware has yet to be established. However, the report by Trustwave said that the malware overlaps with similar extensions sold to hackers. Additionally, portions of the code of this malware were shared in an underground hacker forum. The code was leaked amid a conflict between hackers over a missed payment.

The Rilide malware loader alters the shortcut files in the web browser. This action automates the execution of the malicious extension that has been dropped on the compromised system. After the malware has been successfully executed on the targeted browser, it will run a script that will attach a listener to monitor the victim’s actions, such as switching tabs, accessing web content, or when the webpages have finished loading.

The malware in question also monitors the current site to ensure it matches the target list available through the command and control (C2) server. If a match is successful, the extension will load additional scripts embedded within the webpage. These scripts will steal information from the victim. The stolen information can include data related to email account credentials and cryptocurrencies.

The browser extension also can disable the “Content Security Policy.” The latter is a security feature that protects the target from cross-site scripting (XSS) attacks. The security feature can also freely load the external resources that the browser would normally block.

The other capability of this browser extension is that it can regularly exfiltrate the browsing history. It can also capture screenshots and send the images to the C2. The functionality of this malware shows that it poses a significant danger.

The malicious extension can bypass two-factor authentication

One of the interesting features of this browser extension is that it can be used to bypass the two-factor authentication system. The extension uses dialogs that have been altered to trick the victims into sharing their temporary codes.

The system will be activated after the victim requests to withdraw cryptocurrencies to an exchange service that Rilide targets. The malware will be automatically activated at this point to install the script in the background. The malware will process the withdrawal request automatically and steal cryptocurrencies.

After a user has keyed in their code on the fake dialog, it will be used by Rilide to finalize the withdrawal process to the wallet address used by the threat actor. The report published by Trustwave said that email confirmations are usually replaced on the fly after the user has entered the mailbox with the same web browser.

“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser,” the report said. “The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code.”

The use of the Rilide extension by threat actors shows that hackers are becoming more sophisticated in launching these kinds of attacks. The malicious extensions feature live monitoring and automated money-stealing systems.

The launch of Manifest v3 on all the Chromium-based browsers will boost their ability to resist the attack launched using these malicious extensions. However, experts do not believe that this tool will solve the issue.