
New virus automatically empties crypto exchange accounts


Rilide masquerades as a legitimate Google Drive extension and lets cybercriminals carry out a range of activities, including harvesting browsing history, taking screenshots, and withdrawing funds from various cryptocurrency exchanges.

Cybersecurity researchers at Trustwave SpiderLabs have discovered a new strain of malware called Rilide that targets Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, and Opera and steals users’ cryptocurrencies.

Rilide virus impacts crypto holders

Rilide differs from other malware strains that SpiderLabs has encountered in that it employs forged dialogs to deceive users into revealing their two-factor authentication (2FA) codes. This allows the malware to withdraw cryptocurrency in the background without the user's knowledge.

During the investigation into Rilide’s origins, the researchers found similar browser extensions being advertised for sale and discovered that part of its code was recently released on an underground forum due to a payment dispute.

The researchers uncovered two malicious campaigns that lead to the installation of the Rilide extension. One such campaign involved a module that contained an encoded blob of data storing the URL for the Rilide loader.

The payload, which was hosted on Discord's CDN, was saved to the %temp% directory and executed via the Start-Process PowerShell cmdlet.

Rilide uses a Rust loader to install the extension if a Chromium-based browser is detected. The loader modifies the shortcut files that open the targeted browsers so that they launch with the `--load-extension` parameter pointing at the dropped Rilide extension. Because the extension is side-loaded from the command line rather than installed from a store, it never appears in the store's review process and survives as long as the shortcut does.
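A detection check for the persistence trick just described, written as an added example that is not part of the article or of Trustwave's research. It assumes process-creation telemetry exported as JSON lines with Image, ParentImage and CommandLine fields (the shape Sysmon Event ID 1 takes after a JSON log shipper); the log lines embedded below are constructed for the example, not captured, and the browser list and user-writable path patterns are the author's assumptions.

```javascript
// Added example (not from the article or Trustwave's research): find Chromium
// browsers that were started with --load-extension, the launch parameter the
// Rilide loader plants in browser shortcuts. Input is process-creation
// telemetry as JSON lines with Image, ParentImage and CommandLine fields, the
// shape Sysmon Event ID 1 takes after a JSON log shipper; the lines below are
// constructed for the example, not captured.

const CHROMIUM_BROWSERS = new Set(["chrome.exe", "msedge.exe", "brave.exe", "opera.exe"]);

// Locations a loader can write to without admin rights (assumed list). An
// extension loaded from one of these is the strongest signal; a developer
// testing an unpacked extension from a project directory is the usual benign case.
const USER_WRITABLE = [
  /\\appdata\\local\\temp\\/i,
  /\\appdata\\roaming\\/i,
  /\\downloads\\/i,
  /\\users\\public\\/i,
];

// Extract every path given to --load-extension. Chromium accepts
// --load-extension=path, optionally quoted, and a comma-separated list.
function loadExtensionPaths(commandLine) {
  const paths = [];
  const re = /--load-extension=(?:"([^"]*)"|(\S+))/g;
  let m;
  while ((m = re.exec(commandLine)) !== null) {
    const value = m[1] !== undefined ? m[1] : m[2];
    for (const p of value.split(",")) if (p) paths.push(p);
  }
  return paths;
}

function basename(p) {
  return p.split(/[\\/]/).pop().toLowerCase();
}

// One record per browser launch that carried --load-extension.
function findLoadExtensionLaunches(jsonLines) {
  const hits = [];
  for (const line of jsonLines) {
    let ev;
    try { ev = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!ev.Image || !ev.CommandLine) continue;
    if (!CHROMIUM_BROWSERS.has(basename(ev.Image))) continue;
    const paths = loadExtensionPaths(ev.CommandLine);
    if (paths.length === 0) continue;
    hits.push({
      image: ev.Image,
      parent: ev.ParentImage || "",
      paths,
      userWritable: paths.some((p) => USER_WRITABLE.some((re) => re.test(p))),
    });
  }
  return hits;
}

// Constructed sample telemetry: five launches, of which three are browsers
// started with --load-extension, and two of those load from user-writable paths.
const SAMPLE_LOG = String.raw`
{"EventId":1,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\""}
{"EventId":1,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --load-extension=C:\\Users\\alice\\AppData\\Local\\Temp\\gdrive_ext"}
{"EventId":1,"Image":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --load-extension=\"C:\\dev\\my extension\""}
{"EventId":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe --load-extension=C:\\Users\\bob\\Downloads\\x"}
{"EventId":1,"Image":"C:\\Users\\bob\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\brave.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Users\\bob\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\brave.exe\" --load-extension=C:\\Users\\bob\\Downloads\\a,C:\\Users\\bob\\Downloads\\b"}
`.trim().split("\n");
```

The parent process is worth keeping in the hit record: a browser launched from explorer.exe with `--load-extension` is what a tampered shortcut looks like, while a launch from a developer's shell is the common benign case. The complementary check is to read the Arguments field of the browser shortcuts on disk, which catches the tampering before the user next opens the browser.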

The malware's background script attaches a listener to certain events and removes the Content Security Policy (CSP) headers from every response, so that the scripts the extension injects can load external resources that the page's CSP would otherwise have blocked.
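How that CSP removal works at the API level, as an added example that is not Rilide's code. The listener wiring and the rule format are the standard chrome.webRequest and declarativeNetRequest APIs; the header set and the manifest objects are constructed samples, and the triage helper is the author's own.

```javascript
// Added example, not Rilide's code: the mechanism by which a Manifest V2
// extension can strip Content-Security-Policy from every response it sees,
// plus the permissions a defender should look for in an unknown manifest.json.

// Response headers that enforce (or report on) a page's CSP. Matching is
// case-insensitive because HTTP header names are.
const CSP_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
]);

// Pure function over the responseHeaders array Chrome hands to an
// onHeadersReceived listener ([{ name, value }, ...]). Returns a copy with
// every CSP header removed; everything else is passed through untouched.
function stripCsp(responseHeaders) {
  return responseHeaders.filter((h) => !CSP_HEADERS.has(h.name.toLowerCase()));
}

// True when a header set still carries a CSP, i.e. the page is still protected.
function hasCsp(responseHeaders) {
  return responseHeaders.some((h) => CSP_HEADERS.has(h.name.toLowerCase()));
}

// Wiring as it would appear in a Manifest V2 background script. "blocking"
// plus the webRequestBlocking permission is what lets the returned object
// replace the real headers before the renderer sees them. Guarded so this
// file also runs under Node, where no chrome.* API exists.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => ({ responseHeaders: stripCsp(details.responseHeaders) }),
    { urls: ["<all_urls>"] },
    ["blocking", "responseHeaders"]
  );
}

// The Manifest V3 equivalent. Blocking webRequest listeners are gone, but a
// declarativeNetRequest rule can still remove response headers, which is why
// the move to V3 alone does not close this technique.
const MV3_STRIP_CSP_RULE = {
  id: 1,
  priority: 1,
  action: {
    type: "modifyHeaders",
    responseHeaders: [
      { header: "content-security-policy", operation: "remove" },
      { header: "content-security-policy-report-only", operation: "remove" },
    ],
  },
  condition: { resourceTypes: ["main_frame", "sub_frame"] },
};

// Triage helper (author's own): can this extension rewrite response headers at
// all? Under V2 that needs webRequest + webRequestBlocking; under V3 it needs
// declarativeNetRequest (or the WithHostAccess variant). Legitimate ad and
// privacy blockers request the same permissions, so treat a hit as a prompt
// to read the extension's code, not as proof of malice.
function canRewriteHeaders(manifest) {
  const perms = new Set(manifest.permissions || []);
  if (manifest.manifest_version === 3) {
    return perms.has("declarativeNetRequest") || perms.has("declarativeNetRequestWithHostAccess");
  }
  return perms.has("webRequest") && perms.has("webRequestBlocking");
}

// Constructed sample response headers (not captured traffic).
const SAMPLE_HEADERS = [
  { name: "Content-Type", value: "text/html; charset=utf-8" },
  { name: "Content-Security-Policy", value: "default-src 'self'; script-src 'self'" },
  { name: "X-Frame-Options", value: "DENY" },
];
```

Note what the stripped header buys the attacker: a content script injected by the extension is already allowed to run, but the fetches and script tags it adds are subject to the page's CSP, so a `script-src 'self'` would stop it from pulling a withdrawal script from its own server. Removing the header at the network layer lifts that restriction for every page at once, which is why the permission to do so deserves a close look in any extension that also asks for broad host access.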

Rilide's crypto exchange scripts support a withdrawal function. While a withdrawal is processed in the background, the user is shown a forged device authentication dialog that asks for their 2FA code. If the user opens their mailbox in the same browser, the exchange's email confirmations are replaced on the fly, tricking the user into handing over the authorization code for a withdrawal they never requested.

In the course of their research, SpiderLabs found several stealer extensions for sale with capabilities similar to Rilide, but they were unable to definitively link any of them to the malware. They also discovered a botnet sale advertisement from an underground forum dated March 2022, which included features such as a reverse proxy and ad clicker.

The botnet’s automatic withdrawal function attacked the same exchanges observed in the Rilide samples.

Rilide serves as a prime example of the growing sophistication of malicious browser extensions and the dangers they pose. Although the upcoming enforcement of Manifest V3 may make it harder for threat actors to operate, it is unlikely to solve the issue completely, as most of the functionality Rilide relies on will still be available.

To protect against such threats, it is essential to remain vigilant when receiving unsolicited emails or messages, and to stay informed about the latest cybersecurity threats and safety practices to minimize the risk of falling victim to phishing attacks.