2FA Codes and Passwords are Stolen by the Rilide Virus

Hackers are once more utilizing a new malware strain created to steal sensitive user data to attack Chromium-based browsers like Google Chrome, Microsoft Edge, and others.

Security experts at Trustwave SpiderLabs have named the malware Rilide and explained in a new report that it is capable of performing a variety of malicious tasks, such as tracking browsing history, taking screenshots, and stealing cryptocurrency using scripts injected into websites.

According to BleepingComputer, the Rilide virus is distributed through a phony Google Drive browser extension, but Trustwave also found a second operation that abused Google Ads and the Aurora Stealer to load the extension using a Rust loader.

Trustwave also discovered a post on a hacker forum in March of last year advertising a botnet with comparable capabilities, which suggests that Rilide’s developers are using a Malware-as-a-Service business model to sell the malware to other cybercriminals, who then use it in their own attacks.

Rilide is undoubtedly a malware strain to watch out for, especially given that it can intercept two-factor authentication (2FA) codes and hijack both email and cryptocurrency accounts.

Hijacking Chromium-based browsers: Rilide’s loader alters the Chrome or Edge shortcut files so that the malicious browser extension the malware drops onto affected devices is loaded automatically.

It then runs a script that detects when the infected user switches tabs, when web content is retrieved, or when a web page finishes loading. At the same time, it checks whether the website the user is visiting matches a list of targets held on a command and control (C&C) server operated by the campaign’s hackers.

When one of the sites matches, the malicious extension injects extra scripts into the web page to collect sensitive information from victims, such as cryptocurrency, email account passwords, and other data.

The extension Rilide drops can even disable the browser’s “Content Security Policy” (CSP), a security measure that guards against cross-site scripting (XSS) attacks. This lets it load outside resources that the browser would normally block.

Stealing cryptocurrency is one thing Rilide excels at. It does so by tricking victims into entering their temporary codes in a phony dialog; this mechanism is triggered when a victim attempts to withdraw cryptocurrency from an exchange.

Surprisingly, if a victim accesses their email in the same infected browser, Rilide can also alter the email confirmations in the victim’s inbox.

How to Avoid Malicious Browser Extensions: Trustwave SpiderLabs notes in its analysis that once Google begins enforcing Manifest V3, it may become harder for hackers to use harmful extensions in their attacks. However, it would not completely solve the problem, because “the majority of the functionalities leveraged by Rilide will remain available.”
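As an added defender-side example, not code from the Trustwave report or this article: a small Python triage of a Chromium extension manifest that flags the permission combinations an extension would need for the behaviour described above (watching tab switches and page loads, injecting scripts, rewriting responses to drop the CSP header), and shows why Manifest V3 alone does not remove them. The triage list and both sample manifests are this example’s own assumptions, not Rilide artefacts.

```python
import json

# Capabilities that together give the behaviour described above: watching tab
# switches and page loads, injecting scripts, and dropping CSP response headers.
# This triage list is the example's own, not taken from the report.
RISKY_PERMISSIONS = {
    "tabs": "observe tab switches and page URLs",
    "webNavigation": "observe page-load events",
    "webRequest": "read HTTP response headers",
    "webRequestBlocking": "rewrite or drop response headers (MV2)",
    "declarativeNetRequest": "rewrite or drop response headers via rules (MV3)",
    "scripting": "inject scripts into pages at runtime (MV3)",
    "<all_urls>": "host access to every site the user visits",
}

def triage_manifest(manifest_text: str) -> dict:
    """Summarise risk indicators in a Chromium extension manifest.json."""
    m = json.loads(manifest_text)
    # MV2 lists host patterns under "permissions", MV3 under "host_permissions"
    declared = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    # A content script matching every site is host access by another route
    for cs in m.get("content_scripts", []):
        if "<all_urls>" in cs.get("matches", []):
            declared.add("<all_urls>")
    findings = {p: why for p, why in RISKY_PERMISSIONS.items() if p in declared}
    # Blocking webRequest is MV2-only, but MV3 keeps header rewriting through
    # declarativeNetRequest rules, which is why MV3 alone does not close this off
    header_rewrite = ({"webRequest", "webRequestBlocking"} <= declared
                      or "declarativeNetRequest" in declared)
    return {
        "name": m.get("name", "<unnamed>"),
        "manifest_version": m.get("manifest_version"),
        "findings": findings,
        "can_rewrite_response_headers": header_rewrite,
        "score": len(findings),
    }

# Constructed sample manifests, not real Rilide artefacts: a fake "drive"
# helper with broad powers, and a benign storage-only add-on for comparison
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Drive Helper (constructed sample)",
    "version": "1.0",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Dark Theme (constructed sample)",
    "version": "1.0", "permissions": ["storage"],
})
```

Run `triage_manifest` over the manifest.json of each installed extension (under the browser profile’s Extensions folder) and review anything with a non-zero score or header-rewrite capability by hand.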

When it comes to safeguarding yourself from harmful browser extensions, the best antivirus software can help prevent malware infection or data theft. Similarly, the top identity theft protection services can help you recover funds stolen by hackers and restore your identity if it has been stolen.

You should only install new browser extensions from reputable sources, such as the Chrome Web Store or the Microsoft Edge Add-ons store. It’s also a good idea to limit the number of extensions installed in your browser, just as you should avoid installing superfluous apps on your smartphone.

Given the sophistication of the Rilide virus and the malicious browser extension it employs, this is unlikely to be the last time we hear of it being used in an attack.