Rilide is a malicious browser extension, formerly CookieGenesis, that harvests credentials, steals cookies, and uses multiple C2 channels including Telegram and blockchain transactions. Four groups are identified leveraging Rilide with distinct targets in cryptocurrency and financial services, highlighting a diversified attack framework and distribution methods.
#Rilide #CookieGenesis #MageCart #Telegram #Blockchain #PPI
Keypoints
- Rilide is a malicious browser extension focused on credential harvesting and cookie theft.
- It uses a web-inject system and local proxy attacks (CursedChrome).
- Multiple C2 methods are used, including Telegram and blockchain transactions.
- Four groups are identified deploying Rilide, each with unique targets and methods.
- Group 1 distributes via a PPI service and targets various online services.
- Group 2 targets enterprise credentials and uses Telegram for C2 communication.
- Group 3 appears Spanish-focused with cloud-based browser extension delivery; Group 4 uses blockchain wallets for C2 and overlaps MageCart activity.
- Indicators of compromise include numerous malicious domains linked to the groups.
MITRE Techniques
- [T1003] Credential Dumping – ‘Credential harvesting from various online services and applications.’
- [T1213] Data from Information Repositories – ‘Gathering sensitive information from compromised systems.’
- [T1071] Command and Control – ‘Utilizing Telegram and blockchain for command and control communication.’
- [T1176] Browser Extensions – ‘Malicious browser extensions used for data exfiltration and manipulation.’
- [T1102] Web Service – ‘Using web services for data exfiltration and command execution.’
Indicators of Compromise
- [Domains] Context – gzipdot.com, dot4net.com, and other malicious domains associated with the groups
- [Bitcoin Addresses] Context – 1BciVyU1g7TdD5Mo2t7DsLHVjyAkBhSxhw, 1BciVyU1eHXhEKpkJgHyt7hU381yFJHyA1
- [Litecoin Wallet] Context – La3oY9mQfb4AcBg1Wq5g34utrPRXQ4zmS1
- [Telegram Channel] Context – -1002236545487 (Group 1 C2 channel)
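As an added detection example (not code from the Walmart Global Tech report), the script below scans constructed web-proxy log lines for two of the behaviours summarized above: contact with the listed Rilide domains, and Telegram Bot API calls originating from a browser process, which is how a malicious extension would reach a Telegram C2 channel. The log format, process names and the bot token in the sample are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log (not taken from the report).
# Fields: client_ip method host path process
SAMPLE_LOG = """\
10.0.0.5 GET login.example-bank.test /home chrome.exe
10.0.0.5 POST gzipdot.com /api/collect chrome.exe
10.0.0.7 POST api.telegram.org /bot123456789:AAExampleToken/sendMessage chrome.exe
10.0.0.9 GET api.telegram.org /bot987654321:AAOther/getUpdates telegram.exe
10.0.0.5 GET dot4net.com /ext/update.js chrome.exe
"""

# Domains from the report's indicators of compromise.
RILIDE_DOMAINS = {"gzipdot.com", "dot4net.com"}

# Telegram Bot API paths look like /bot<id>:<token>/<method>; a browser
# process talking to this endpoint is unusual and worth an alert.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendMessage|sendDocument|getUpdates)")
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}  # assumed names


@dataclass
class Alert:
    client_ip: str
    reason: str
    host: str


def analyze_line(line):
    """Return an Alert for a single log line, or None if it looks benign."""
    fields = line.split()
    if len(fields) != 5:
        return None
    client_ip, _method, host, path, process = fields
    if host in RILIDE_DOMAINS:
        return Alert(client_ip, "known Rilide C2/distribution domain", host)
    if host == "api.telegram.org" and TELEGRAM_BOT_PATH.match(path) and process in BROWSER_PROCESSES:
        return Alert(client_ip, "Telegram Bot API traffic from a browser process", host)
    return None


def scan(log_text):
    """Run analyze_line over every line and keep only the alerts."""
    return [a for a in (analyze_line(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```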
Read more: https://medium.com/walmartglobaltech/diving-into-rilide-02684e540b48