Rilide Malware: Hackers Use Malicious Browser Extension to Bypass 2FA and Steal Crypto


Trustwave SpiderLabs security researchers have recently discovered a new malicious browser extension, named Rilide, targeting Chromium-based browsers like Google Chrome, Brave, Opera, and Microsoft Edge. 

The malicious activities include monitoring browsing history, taking screenshots and stealing cryptocurrency through scripts injected into websites. Rilide impersonated benign Google Drive extensions to remain undetected while abusing built-in Chrome features. 

The cybersecurity company also found another operation that loaded the extension using a Rust loader by leveraging Google Ads and the Aurora Stealer. 

While the origin of the malware is still unknown, Trustwave reports that it shares similarities with extensions that are sold to cybercriminals. In addition, due to a dispute between hackers over an unresolved payment, some of its code was recently disclosed on a dark web forum.

Hijacking Chromium-based Browsers 

Rilide’s loader modifies the web browser shortcut files to automate the execution of the malicious extension that is dropped on the compromised system. When the malware is executed, a script attaches a listener to monitor when the victim switches tabs, receives web content, or finishes loading a page. It also checks whether the current site matches a list of targets available from the command-and-control (C2) server.

If there is a match, the extension loads extra scripts that are injected into the webpage to steal the victim's cryptocurrency and email login information, among other details. Additionally, the extension disables the browser's Content Security Policy (CSP), a security measure intended to guard against cross-site scripting (XSS) attacks, so that it can freely load external resources that the browser would normally restrict.
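The shortcut tampering described above is visible to defenders as a browser process started with Chromium's `--load-extension` switch. The following detection logic is an added example, not code from Trustwave or from the malware; it assumes the modified shortcuts use that switch, and the event field names (`host`, `image`, `cmdline`), executable names and sample events are constructed for illustration.

```python
import ntpath
import re

# Chromium-based browsers named in the article; the executable names are assumptions.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# --load-extension takes a comma-separated list of unpacked-extension paths;
# the value is quoted when a path contains spaces.
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def find_forced_extensions(events):
    """Return (host, browser, extension_path) for every browser launch that
    loads an extension from the command line, as a tampered shortcut would."""
    findings = []
    for ev in events:
        browser = ntpath.basename(ev["image"]).lower()
        if browser not in BROWSERS:
            continue  # the same switch on an unrelated binary is out of scope
        for m in LOAD_EXT.finditer(ev["cmdline"]):
            value = m.group(1) if m.group(1) is not None else m.group(2)
            for path in filter(None, (p.strip() for p in value.split(","))):
                findings.append((ev["host"], browser, path))
    return findings


# Constructed process-creation events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"host": "ws-02", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--load-extension="C:\Users\alice\AppData\Local\Temp\drive ext"'},
    {"host": "ws-03", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\MSEDGE.EXE",
     "cmdline": r'msedge.exe --load-extension=C:\ProgramData\a,C:\ProgramData\b --no-first-run'},
    {"host": "ws-04", "image": r"C:\Tools\notepad.exe",
     "cmdline": r'notepad.exe --load-extension=C:\x'},
]

if __name__ == "__main__":
    for host, browser, path in find_forced_extensions(SAMPLE_EVENTS):
        print(f"{host}: {browser} started with unpacked extension {path}")
```

Developers legitimately use the same switch for testing, so a hit on a non-developer workstation is a lead to triage rather than a verdict.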

Bypassing Two-factor Authentication 

Another interesting attribute of Rilide is its 2FA-bypassing system, which produces bogus dialogs to lure victims into entering their temporary codes. The system is triggered once the victim has submitted a request for a cryptocurrency withdrawal to one of the exchange services that Rilide targets.

The malware enters the picture at the point where the script is injected to process the request automatically in the background. Once the user has entered the code in the fake dialog, Rilide uses it to complete the withdrawal to the hacker’s wallet address.

“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser […] The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code,” the Trustwave report explains.

Rilide thus highlights the growing threat posed by malicious browser extensions, which now include live monitoring and automated money-stealing systems.

How Can You Protect Yourself From Malicious Browser Extensions?

On this point, Trustwave SpiderLabs noted that Google's enforcement of Manifest V3 might make it more difficult for threat actors to use malicious extensions to organize attacks. However, it would not solve the issue entirely, as “most of the functionalities leveraged by Rilide will still be available,” the researchers added.

To protect yourself, it is advised to use the best antivirus software, which can help prevent your system from being infected or your data from being compromised. Similarly, a good identity theft protection service can help restore a stolen identity or recover funds stolen by hackers.

Moreover, when installing new browser extensions, rely only on trusted sources such as the Chrome Web Store or the Microsoft Edge Add-ons store.