maiomiami.blogg.se

Browsers built on chromium





Security researchers from Trustwave SpiderLabs have discovered a new strain of malware called Rilide, which specifically targets users of Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Opera. The Rilide extension is disguised as a legitimate Google Drive extension and is capable of collecting system information, exfiltrating browsing history, taking screenshots, and injecting malicious scripts.

According to security researchers Pawel Knapczyk and Wojciech Cieslak, Rilide's crypto exchange scripts support an automatic withdrawal function. The extension aims to compromise email accounts, including Outlook, Yahoo, and Google, and cryptocurrency accounts, such as Kraken, Bitget, Coinbase, and more, by serving forged MFA requests. While the withdrawal request is made in the background, the user is presented with a forged device authentication dialog to obtain 2FA. Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser, with the withdrawal request email replaced with a device authorization request tricking the user into providing the authorization code.

The Rilide extension has been delivered through two separate campaigns, with the first using malicious Google ads, documents with macros, the Aurora stealer, and the Ekipa RAT (remote access trojan). It remains unclear whether there is any connection between the threat actors behind Ekipa RAT and those behind the Rilide infostealer, but it is probable that Ekipa RAT was tested as a means of distribution for Rilide before switching to Aurora stealer.






