Over the past few years, malicious browser extensions have become a common phenomenon, with hackers using them to steal private information and even money. Now, cybersecurity researchers from Trustwave SpiderLabs have discovered a new strain of malware that targets cryptocurrency wallets. Dubbed Rilide, this malware poses as a Google Drive extension for Chromium-based browsers, and if installed, it can monitor a victim’s browsing history, capture screenshots, and even inject malicious scripts to withdraw money from cryptocurrency exchanges.
How does Rilide work?
Once Rilide is installed, it runs a background script that monitors the victim's browsing activity: switching tabs, receiving web content, and pages finishing their loads. If the current site matches a list of targets fetched from the command and control (C2) server, the extension loads additional scripts that steal cryptocurrency-related data, email account credentials, and more. The extension also disables the Content Security Policy (CSP) on the targeted websites; CSP protects users against cross-site scripting by restricting which external resources a page may load, so removing it lets the scripts the extension injects into the page run regardless of the site's own policy.
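The capability pattern described above (broad host access, tab and navigation monitoring, script injection, and CSP removal) is visible in an extension's manifest and rule files before the extension ever runs. The following Node.js script is an added example, not code from the article or from Trustwave's report, and the manifest and rule set it inspects are constructed samples that mimic the described behaviour, not Rilide's actual files. The page does not say which mechanism Rilide uses to disable CSP, so the script checks both a Manifest V3 `declarativeNetRequest` rule that strips the header and the Manifest V2 `webRequestBlocking` permission that allows the same thing. The scoring thresholds are the example's own choice.

```javascript
// Added example (not from the article or Trustwave's report): offline triage of an
// unpacked Chromium extension's manifest.json and declarativeNetRequest rules for the
// capability pattern the article describes. Run with: node triage.js

// CONSTRUCTED sample manifest mimicking a "Google Drive" lure; not Rilide's real manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Google Drive",
  version: "1.0.0",
  permissions: ["tabs", "webNavigation", "scripting", "storage", "declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
  declarative_net_request: {
    rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules.json" }],
  },
};

// CONSTRUCTED sample rules.json: one rule that removes CSP on every top-level page.
const SAMPLE_RULES = [
  {
    id: 1,
    priority: 1,
    action: {
      type: "modifyHeaders",
      responseHeaders: [{ header: "content-security-policy", operation: "remove" }],
    },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
  },
];

// Permission groups whose combination gives an extension the reach described in the article.
const RISKY = {
  monitoring: ["tabs", "webNavigation"],
  injection: ["scripting"],
  headerEditing: [
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "webRequest",
    "webRequestBlocking", // MV2: lets a background script drop CSP headers itself
  ],
};

// True if the extension may run on (almost) every site: <all_urls> or a wildcard host.
function hasBroadHostAccess(manifest) {
  const hosts = [
    ...(manifest.host_permissions || []),
    // MV2 manifests list host patterns under "permissions".
    ...(manifest.permissions || []).filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  return hosts.some((h) => h === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(h));
}

// Rules that remove or overwrite the Content-Security-Policy response header.
function cspStrippingRules(rules) {
  return rules.filter(
    (r) =>
      r.action &&
      r.action.type === "modifyHeaders" &&
      (r.action.responseHeaders || []).some(
        (h) =>
          (h.header || "").toLowerCase() === "content-security-policy" &&
          (h.operation === "remove" || h.operation === "set")
      )
  );
}

// Returns { severity, findings }. Severity reflects the combination of capabilities,
// since each one alone is common in legitimate extensions.
function triageExtension(manifest, rules) {
  const perms = new Set(manifest.permissions || []);
  const present = (list) => list.filter((p) => perms.has(p));
  const findings = [];

  const broad = hasBroadHostAccess(manifest);
  if (broad) findings.push("broad host access (<all_urls> or wildcard host pattern)");
  const mon = present(RISKY.monitoring);
  if (mon.length) findings.push(`navigation/tab monitoring via ${mon.join(", ")}`);
  const inj = present(RISKY.injection);
  if (inj.length) findings.push(`dynamic script injection via ${inj.join(", ")}`);
  const hdr = present(RISKY.headerEditing);
  if (hdr.length) findings.push(`response header editing via ${hdr.join(", ")}`);
  const csp = cspStrippingRules(rules);
  if (csp.length) {
    findings.push(`${csp.length} rule(s) strip Content-Security-Policy (ids ${csp.map((r) => r.id).join(", ")})`);
  }

  const stripsCsp = csp.length > 0 || perms.has("webRequestBlocking");
  const severity =
    broad && inj.length && stripsCsp ? "high" : findings.length >= 2 ? "medium" : "low";
  return { severity, findings };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = triageExtension(SAMPLE_MANIFEST, SAMPLE_RULES);
  console.log(`severity: ${result.severity}`);
  for (const f of result.findings) console.log(` - ${f}`);
}
```

To use this on a real unpacked extension, replace the two constructed objects with `JSON.parse(fs.readFileSync(...))` of its `manifest.json` and each file listed under `declarative_net_request.rule_resources`. A "high" result is not proof of malice (some ad blockers legitimately edit headers), but the combination of all-site access, script injection, and CSP removal is exactly what a credential- and crypto-stealing extension needs and deserves a manual look at the background script.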
Trustwave found two separate campaigns distributing the malware. One used Google Ads and Aurora Stealer to load the extension via a Rust loader; the other used the Ekipa remote access trojan (RAT).
Evading 2FA
What sets Rilide apart is its use of forged dialogs to trick users into handing over their two-factor authentication (2FA) codes. When the malware detects that the user is logged in to a cryptocurrency exchange, it submits a withdrawal request in the background while presenting a forged device authentication dialog to obtain the 2FA code. The extension also replaces the exchange's email confirmation with a device authorization request, so the user unwittingly supplies the code that approves the attacker's withdrawal.
To reduce the risk of falling victim to malware like Rilide, it’s crucial to install extensions only from reputable sources and to review and regularly uninstall any unnecessary extensions. Additionally, users should keep their browser and operating system up to date with the latest security patches and use reliable antivirus software.
Originally published as "New Rilide malware targets cryptocurrency wallets through browser extensions" on Android Headlines (androidheadlines.com).