"Multiple attacker groups are using a malicious browser extension for Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera that's aimed at stealing cryptocurrency assets from multiple websites and online wallets. The extension works by injecting rogue code into websites locally in the browser to defeat two-factor authentication and delete automated alerts from mailboxes.
"Rilide is not the first malware SpiderLabs has observed using malicious browser extensions," researchers from Trustwave SpiderLabs said in a report. "Where this malware differs is it has the effective and rarely used ability to utilize forged dialogs to deceive users into revealing their two-factor authentication (2FA) and then withdraw cryptocurrencies in the background. During our investigation into Rilide’s origins, we uncovered similar browser extensions being advertised for sale. Additionally, we found that part of its source code was recently leaked on an underground forum due to a payment dispute."
Rilide distributed by other malware
The Trustwave researchers have seen other malware programs deploying Rilide on compromised computers, so it looks like it's being used as a secondary payload or a module as part of larger attacks.
In one campaign, attackers using Ekipa RAT, a remote access Trojan sold on underground forums, were seen deploying the Rilide extension via a Rust-based loader. The Ekipa RAT malware was distributed as a Microsoft Publisher file with malicious macros. Last year Microsoft started blocking Office macros from executing inside files downloaded from the internet -- files flagged by Windows with the Mark of the Web. However, Publisher was not one of the Office applications that received this change. This was corrected in February this year.
The Trustwave researchers believe that Rilide's distribution via Ekipa RAT was temporary and likely the result of attackers behind the extension testing different malware distribution platforms and options. That's because soon after the extension started being distributed through an infostealer program called Aurora.
Aurora is written in Go and is operated as a malware-as-a-service platform that's advertised on Russian-language cybercrime forums. The malware is capable of stealing data and credentials from multiple web browsers, cryptocurrency wallets and other local applications. Aurora was recently distributed through rogue advertisement through the Google Ads platform where it masqueraded as an installer for Teamviewer or NVIDIA Drivers.
Aurora is modular malware. One of the modules observed in recent samples contained an URL to download an executable file from a remote server. This file was the same loader written in Rust that was seen in the Ekipa RAT campaign and which is designed to download and deploy the Rilide extension.
The Rust-based loader achieves this by modifying the normal shortcuts (LNK) of the targeted browsers on the infected system to launch the browsers with the --load-extension parameter pointing to the malicious extension. That's because Chromium-based browsers don't support the installation of extensions that are not hosted in the official extension stores by default, but this can be overridden using that specific browser start parameter.
Stealthy cryptocurrency withdrawals with 2FA bypass
Once loaded by the browser, the Rilide extension masquerades as an extension for Google Drive. However, in the background it monitors the active tabs for a list of targeted websites which includes several popular cryptocurrency exchanges and email providers such as Gmail and Yahoo. When one of these websites is loaded, the extension strips the Content Security Policy (CSP) headers supplied by the real website and injects its own rogue code into the website to perform various content manipulations. Removing CSP is important because this is a mechanism that websites can use to tell browsers which scripts and from which origins should be allowed to execute in the context of the website.
One of the scripts injected into websites can take screenshots of the currently opened tabs and notify a command-and-control server when one of the active tabs matches one of the targeted websites. Other scripts automate the withdrawal of assets in the background while presenting the user with a fake dialog to input their two-factor authentication code.
When such actions are carried out many websites send automated emails with codes for the user to input back into the website to authorize the transaction. The extension is capable of replacing these emails in the Gmail, Hotmail or Yahoo web interfaces with emails that appear to have been sent to authorize a new device to access the account, which is also a process that uses the same 2FA workflow.
Users are likely to have been prompted before to reauthorize their browsers to access their accounts by receiving 2FA codes by email and inputting them back into the websites. This is a standard process that's triggered for security reasons, as authenticated sessions expire and the saved 2FA statuses periodically get reset. Therefore, the attackers aptly realized that users are not likely to become suspicious if they're prompted to reauthorize their browsers, but they would if prompted to authorize transfers or withdrawals, which is actually what's happening in the background.
Even if this 2FA hijacking technique is used in this case to support the theft of assets from cryptocurrency exchanges it can easily be adapted for any other types of websites that use email-based multi-factor authentication. This is another reason why organizations should pick more secure methods when deploying 2FA, even on third-party services, such mobile authenticator apps that generate codes on a separate device or physical USB-based authentication devices.
Informational overload can dull our ability to interpret facts accurately and make us more vulnerable to phishing attempts," the Trustwave researchers said. "It is important to remain vigilant and skeptical when receiving unsolicited emails or messages, and to never assume that any content on the Internet is safe, even if it appears to be."
Apr 4, 2023 1:52 pm PDT
Lucian Constantin, Senior Writer