Mandiant outlines a chain where a tampered LNK shortcut launches a legitimate Chromium-based browser, loading a malicious extension to achieve persistence. The research tracks multiple malware families—RILIDE, BRAINFOG, BRAINSTORM, and BRAINLINK—and details their operations, infrastructure, and detection opportunities to bolster defender hunting.
#LNK #RILIDE #BRAINFOG #BRAINLINK #BRAINSTORM #TradingView #UNC4553
Keypoints
- The attack chain uses a tampered LNK shortcut to launch a legitimate Chromium-based browser with the --load-extension command-line switch, which side-loads an unpacked extension from an attacker-controlled directory.
- This LNK-to-extension abuse gives persistence: the malicious extension (RILIDE) is loaded into the browser session every time the shortcut is used, without touching the browser binary or the Web Store.
- Mandiant identifies RILIDE (a Chromium-based extension), BRAINFOG (a Rust dropper), and BRAINLINK as components in the ecosystem, with activities extending to cryptocurrency and email theft.
- TradingView-related targeting and financial/banking domains are prominent in the infrastructure and C2 relations, including open directories and multiple domains.
- Abuse of browser extensibility can be constrained with enterprise browser policies, and the report lists detection opportunities (YARA rules, process-creation and file-write alerts) in Appendix A.
- Open directories and C2 domains (e.g., ashgrrwt.click, extenision-app.com) illustrate the breadth of the infrastructure behind RILIDE and related families.
MITRE Techniques
- [T1547.009] Boot or Logon Autostart Execution: Shortcut Modification (the retired ID T1023 covered the same technique) – The LNK file tampering and user-initiated execution lead to launching a browser with a malicious extension ('The user executes an LNK shortcut file that, unbeknownst to them, has been tampered with.').
- [T1204.002] User Execution: Malicious File – The user action of running the tampered LNK shortcut initiates the chain.
- [T1059.003] Windows Command Shell – The --load-extension command lines shown (e.g., chrome.exe --load-extension="C:\Users\…") demonstrate command-line invocation to load a malicious extension ('The --load-extension switch allows the source to specify a target directory to load as an extension.').
- [T1036] Masquerading – Legitimate software is abused and imitated (e.g., a package of files masquerading as TradingView Desktop) to conceal malicious activity ('TradingView Desktop is a charting platform…' and references to masquerading files).
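A practical way to hunt for the LNK-to-extension chain described in the key points and the T1059.003 entry above is to parse shortcut files directly and flag any whose target is a Chromium-based browser and whose argument string carries --load-extension. The following script is an added example written for this summary, not code from the Mandiant report; it implements the relevant parts of the MS-SHLLINK format (header, LinkFlags, IDList/LinkInfo skipping, StringData) and builds its own constructed sample .lnk bytes in memory, so the paths, the browser list and the sample shortcuts are assumptions for illustration, not indicators from the report.

```python
import re
import struct
import sys

# Header constants from MS-SHLLINK (the Windows Shell Link binary format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Chromium-based browsers that honour --load-extension (assumed list, extend as needed).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}

# Matches --load-extension=<value>, where <value> is either double-quoted or a bare token.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file; raise ValueError if it is not a shell link."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # 2-byte IDListSize, then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # 4-byte LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    # StringData entries appear in this fixed order, each as CountCharacters + characters.
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def load_extension_dirs(command_line: str) -> list:
    """Return every directory passed via --load-extension (the switch accepts a comma-separated list)."""
    dirs = []
    for quoted, bare in LOAD_EXT_RE.findall(command_line):
        value = quoted if quoted else bare
        dirs.extend(d.strip() for d in value.split(",") if d.strip())
    return dirs


def assess_lnk(data: bytes) -> dict:
    """Flag a shortcut that launches a Chromium-based browser with a side-loaded extension.
    Note: real shortcuts usually carry the target in the IDList/LinkInfo; this check relies on
    RELATIVE_PATH, so treat a missing target as a reason to inspect the file, not to clear it."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "")
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    ext_dirs = load_extension_dirs(fields.get("arguments", ""))
    return {
        "target": target,
        "arguments": fields.get("arguments", ""),
        "extension_dirs": ext_dirs,
        "suspicious": exe in CHROMIUM_BROWSERS and bool(ext_dirs),
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk in memory (constructed sample input for this example only)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x20)                       # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                  # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHH", 0, 0, 1, 0, 0)          # FileSize, IconIndex, ShowCommand, HotKey, Reserved1
    header += struct.pack("<II", 0, 0)                      # Reserved2, Reserved3
    id_list = struct.pack("<H", 2) + b"\x00\x00"            # empty IDList: size + TerminalID

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + id_list + string_data(relative_path) + string_data(arguments)


# Constructed samples: a tampered shortcut and a benign one pointing at the same browser.
TAMPERED_LNK = build_lnk(r"..\..\Program Files\Google\Chrome\Application\chrome.exe",
                         r'--load-extension="C:\Users\victim\AppData\Local\ext" https://example.invalid/')
BENIGN_LNK = build_lnk(r"..\..\Program Files\Google\Chrome\Application\chrome.exe",
                       "--profile-directory=Default")

if __name__ == "__main__":
    # Usage: python lnk_check.py <file.lnk> ...  (falls back to the constructed samples)
    samples = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("tampered.lnk", TAMPERED_LNK), ("benign.lnk", BENIGN_LNK)]
    for name, blob in samples:
        print(name, assess_lnk(blob))
```

load_extension_dirs also works on Sysmon event 1 or 4688 command lines, so the same regex can back a process-creation alert for browsers spawned with --load-extension; pair it with a file-write alert on manifest.json landing under user-writable paths to cover the drop stage as well.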
Indicators of Compromise
- [Domain] telegromcn[.]org – Telegram masquerading URL used in a dropper link for extension delivery (‘Telegram masquerading URL’).
- [Domain] extenision-app[.]com – C2/API endpoints used by RILIDE (‘…api/settings’, etc.).
- [Domain] ashgrrwt[.]click – RILIDE C2 domain used in the open-directory infrastructure ('const domain = "https://ashgrrwt.click"').
- [Domain] nch-software[.]info – Open Directory domain associated with BRAINSTORM/BRAINFOG activities.
- [IP] 146.70.79[.]75 – Open Directory host with multiple sample downloads (‘Open Directory’).
- [IP] 104.168.167[.]25 – Open Directory host (‘Open Directory’).
- [IP] 89.185.85[.]144 – C2-related host (‘C2 A Record’).
- [File Hash] 0a4f321c903a7fbc59566918c12aca09 – BRAINSTORM sample in open directory.
- [File Hash] 34eea751fcbf4ee8d44977adb4742d93 – BRAINSTORM sample in open directory.
- [File Name] TradeVlewDesktop_x64.exe – NodeJS-based downloader in TradingView masquerade package.
- [URL] hxxp://telegromcn[.]org/soft/analytics/extension[.]exe – Telegram masquerading dropper URL.
- [URL] hxxp://extenision-app[.]com/api/machine/init – RILIDE C2 endpoint.
Read more: https://www.mandiant.com/resources/blog/lnk-between-browsers