New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3

Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. This malware uses a creative way to work around the Chrome Extension Manifest V3 from Google which is aimed at blocking the installation of malicious extensions for chromium browsers.

While sharing similarities with its predecessor, which was discovered by SpiderLabs and described in our previous blog, it exhibits a higher level of sophistication through modular design, code obfuscation, adaptation to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures. 

 We have identified campaigns in the wild which we will examine in detail:

• The first Rilide campaign seems to target corporate users through the use of a PowerPoint phishing lure and a fake Palo Alto GlobalProtect plugin.
• The second campaign advertises fake P2E (Play To Earn) games using Twitter. A beta installer was found dropping Rilide and Redline Stealer.
• A third campaign from the last few days focuses on banking data of users in Australia and the UK, employing a unique method for loading extensions. Interestingly, we found that crypto token phishing sites from that campaign exclusively employed AngelDrainer scripts to steal cryptocurrencies from unsuspecting users' wallets. Further analysis revealed Twitter as a prominent distribution channel for these malicious activities.

During the investigation of Rilide's related domains and associated IP addresses, we discovered over 1,300 phishing websites impersonating various entities, including banks, government services, software companies, delivery services, and crypto token airdrops. Among these websites, several were found to be distributing harmful malware like BumbleBee, IceID, or Phorpiex.

Updates in the New Version of Rilide

As does its predecessor, the new Rilide stealer enables threat actors to carry out a broad spectrum of malicious activities, including enabling or disabling other browser extensions, retrieving browsing history and cookies, stealing login credentials, taking on demand screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.

The biggest change is adoption to the Chrome Extension Manifest V3, described in the next section. This change required the complete refactor of the Rilide stealer’s main capabilities. The updated version of Rilide stealer malware was first observed by Trellix and tracked as ‘CookieGenesis’ in their report.

The commands configured in the Rilide extension packages observed are similar to those identified by Trellix, but the functionality has been extended with a new command called ‘screenshot_rules’ . This lets the attacker capture active tab screenshots for every time interval, according to predefined URL rules, allowing recording of sensitive data, such as credit card details entered during online transactions. Another interesting feature is the ability to exfiltrate stolen data to a Telegram channel.

Figure 1. Rilide Stealer plugin - Functionalities Adapted to Manifest V3

Below is the full set of Rilide commands that can be dispatched from the Command & Control server.

Table 1.  All Rilide Stealer plugin commands.

Rilide’s Adaptation to Manifest V3

As per the Chrome documentation ‘an extension manifest gives the browser information about the extension, such as the most important files and the capabilities the extension might use‘. This information is stored in the JSON-formatted file called manifest.json and located in the extension’s root directory.

Figure 2. Comparison of Rilide stealer manifest version V2 and V3

With the introduction of a Manifest V3 there are several features and functional changes for extensions compared to the previous version called Manifest V2.  With security in mind, one of the new major improvements is that extensions can’t load remote JavaScript code and execute arbitrary strings. Specifically, all logic must be included in the extension package thus allowing the more reliable and effective review process for the extensions submitted to the Chrome Web Store.

This is a big hit for the core functionality of Rilide, that relied on the injection of the remotely hosted scripts. The old approach leveraged in the previous version of Rilide does not work because it violates the minimum Content Security Policy applied for the extensions. It ensures that the extension will not run in-line JavaScript or be able to evaluate strings as executable code.

Figure 3. Violation of Content Security Policy, while loading script using the approach used in old version of Rilide.

However as described in the Extensions Security FAQ, execution of a remote code in extensions is a policy change for the developers distributing through the Chrome Web Store and not enforced by the Chromium browser. While there were additional restrictions implemented with the release of Manifest V3, there are known ways to execute remotely hosted code that are not considered a security bug. Extensions leveraging such workarounds should be rejected during the review process when submitted to the Chrome Web Store.

Figure 4. Paragraph from the Chromium Extensions Security FAQ confirming remotely hosted code execution in manifest V3.

The review processes are never 100% fault proof and Google is constantly removing malicious extensions from the Chrome Web Store. While threat actors may try to hide the parts of code responsible for the execution of remotely hosted code to pass the review process, this is not really an issue for Rilide, which is distributed via local loaders executed by unsuspecting users.

Developers of the Rilide malware used combination of few publicly disclosed techniques to achieve injection of a remotely hosted script.

The core of the functionality relies on use of inline events to execute malicious JavaScript code. This technique was described in a popular answer to the Stack Overflow topic around Chrome extensions content scripts.  Threat Actors used the exact code pattern shared in the answer.

Figure 5 Stack Overflow answer detailing the code execution via inline events, as observed in the new Rilide version.

Source: https://stackoverflow.com/a/9517879

To overcome the Content Security Policy, the developers used the Declarative Net Requests rules to remove the CSP headers. It’s worth noting that the headers are still displayed in the Network tab of the Developer Tools in Chrome, which may mislead the user trying to analyze suspicious behavior.

Code Obfuscation

With the refactor of the code, developers of Rilide malware applied modular code structure with the core capabilities in the /src/functions folder. However, we can see the similarities in naming conventions and C2 endpoints used by the malware.

Figure 6. Old and new versions of Rilide configured to initialize bots via the /api/machine/init endpoint.

Threat Actors applied obfuscation of code to evade detection and make analysis more difficult. They used custom strings obfuscation algorithms to make the code harder to understand. In version 1.8.7 they used a simple list with actual strings that was later subjected to a custom algorithm performing shift operations to get the elements in the list in the right order. In the code instead of using plaintext strings, a call to the function returning a string from the list is used.

Figure 7. Part of an obfuscated and deobfuscated routine to retrieve cookies values.

In the newest version the shifting algorithm got more complex. Strings were additionally encoded with a custom algorithm and RC4 encrypted.

In the Wild Campaigns

The Trustwave SpiderLabs team has identified numerous new campaigns leveraging Rilide malware.  Indicators of Compromise are present in the separate section at the end of this article. In the following section we present additional information on two interesting campaigns.

Figure 8. Rilide Stealer Campaigns Identified in the wild

Rilide Imitating Palo Alto Network’s GlobalProtect App

Two of the identified in the wild samples were imitating Palo Alto’s Global Protect App. The extensions are configured to communicate with C2 domain edd2ed2[.]online.

We identified a PowerPoint presentation with a step-by-step guide on how to install the Rilide extension from this campaign. Threat Actors use social engineering techniques and security-oriented lures to persuade victims into installing the malicious extension.

Figure 9. Phishing Presentation instructing users on how to install Rilide stealer disguised as GlobalProtect browser extension.

Figure 10. Phishing Presentation instructing users on how to install Rilide stealer disguised as GlobalProtect browser extension

Threat Actors also leveraged Rilide’s integration of the CursedChrome tool, turning the attacker browsers into fully functional HTTP proxies, allowing the attacker to browse the web authenticated as a victim. The CursedChrome Admin Panel was also observed on the server.

Figure 11. CursedChrome admin panel discovered on Rilide Stealer C2 server associated with fake GlobalProtect campaign

The SpiderLabs team has not determined the distribution system for this campaign. We assess that it might be still in development as of the time of this writing.

Imitation of a GlobalProtect app and additional materials prepared by threat actors suggests they may target corporate users, which differs from previously reported campaigns focused on stealing cryptocurrencies from regular users. The ability to additionally leverage tools like CursedChrome makes Rilide more interesting for the more advanced Threat Actors.

Figure 12. Rilide Stealer Extension Disguised as GlobalProtect

Rilide Targeting Twitter Users using Fake P2E (Play To Earn) Games

In this campaign threat actors advertise fake P2E (Play To Earn) games.  In such games players earn money by collecting NFTs and selling them for real money. Threat actors lured unsuspecting users also with airdrops of a small number of cryptocurrencies for the new users. The games are advertised on Twitter, with additional rewards for the users bringing in new players and retweeting the posts. To make the games more credible, the attackers created dedicated websites and Discord servers. Interestingly the “beta” access is not granted to everyone, but just to the selected individuals based on the Google Form answers. Users must share their Twitter handle and SOL wallets; it is unclear if this is done to add credibility or to pick the more prosperous targets. Upon execution the downloaded installer will drop Rilide and also Redline Stealer.

Figure 13. Twitter and Discord channels leading to Phishing Website Hosting Rilide Stealer

Rilide Targeting Users in Australia and UK with New Loader Variant

The SpiderLabs Team identified multiple extensions communicating with the C2 domain extensionsupdate[.]com, that was configured to target users in Australia and UK. One of the modules in Rilide malware is a form grabber, responsible for exfiltrating data submitted into forms on specific pages. The configuration stored on the C2 server targeted multiple Australian banks and payment providers.

Figure 14. Rilide C2 grabbers configuration

Table 2. Type of websites targeted by Rilide s grabber module as per C2 configuration.

Additionally, injection scripts configured on the server targeted domains of banks in the United Kingdom. However, those scripts were still in development as of time of this writing, but they indicate that threat actors may want to expand their targets to users located in the UK.

Figure 15. URLs for which injection scripts were configured on the Rilide C2 server

Figure 16. Injected Scripts targeting Banking Credentials of NAB AU and Barclays UK

Interestingly we identified a PowerShell loader installing extensions from this campaign with a new approach. In our previous blogpost we described a well-known technique of loading an extension via a –load-extension flag in Chromium based browsers. However, this technique does not install an extension permanently, when a browser is relaunched without this parameter the extension is not available. That's why the threat actors had to modify the shortcut files for the browsers, to ensure that user will open it with necessary parameter. In the new approach threat actors install the extension permanently, the result is as if the user installed the unpacked extension from the browser GUI.

The new techniques leverage modification of a JSON structured file holding part of Chrome’s settings, Secure Preferences.  In particular, this file contains information on the installed extensions, like the extension path on disk and its permissions. To ensure that external applications other than the browser cannot modify this file, Chromium introduced a security mechanism based on HMAC hashing. This mechanism is undocumented, however it was already reversed and explained by researchers from Chalmers University of Technology in their paper. To generate a valid HMAC hash, the attackers require two additional values other than the settings itself, seed stored in the resources.apk file and SID identifier of the current.

Figure 17. HMAC implementation in Chromium based browsers.

The hash values generated for single setting entries, like configuration of an extension, are called macs and stored in the Secure Preferences file to ensure their integrity. There is also a value called super_mac that is generated based on all other mac values to ensure the integrity of the entire file.

Figure 18. Extension settings and corresponding HMAC hash in the Secure Preferences file.

Additionally for the changes to be valid, the attacker must add the registry subkey holding additional HMAC hash of the extension settings in the HKCU:\SOFTWARE\Google\Chrome\PreferenceMACs\<Chrome_Profile>\extensions.settings key. In case of this hash the seed value is not retrieved from the resources.apk file, but rather a hardcoded value of “ChromeRegistryHashStoreValidationSeed”. This was described in a post from 2019 on a Russian forum, where the author explored the installation of an extension via Secure Preferences modification.

Figure19. Part of the Rilide PowerShell loader leveraging new installation technique.

Pivoting on the Campaign IOCs

The loader described in the previous section was downloading a malicious Rilide extension from a Bitbucket repository. Judging by the number of extension downloads in the repository and the fact that the loader was not detected as malicious by any of the engines on the Virustotal platform as of the time of this writing, it seems that the new loading technique turned out to be a success for the threat actors. 

Figure 20. Number of downloads of files stored in the Bitbucket repository.

Rilide C2 Infrastructure Hunt

The C2 Domain extensionsupdate[.]com used in the third campaign was registered using the NiceNIC.NET provider located in Hong Kong, China, and IP records pointed to a C2 server located in Moscow, Russia. Technical WHOIS details for the C2 domain were redacted for privacy, the registrant organization was not. The registrant organization, ‘Mihail Kolesnikov’ was associated with over 1200 other websites, all of them registered between December 2022 and July 2023 using NiceNIC.NET. Several websites were found to be serving malware such as IceID, Bumblebee or Phorpiex.

Figure 21. Rilide Stealer Infrastructure Pivot

Phorpiex Malware and 1337Team Limited Hosting

Two domains, eaougheofhuoaez[.]top and faugzeazdezgzgfm[.]top, were associated with IP addresses registered under the infamous ‘1337Team Limited’ a bulletproof hosting provider registered in Seychelles known for hosting various malicious campaigns. Our investigation revealed that these two domains were serving a 'Twizt' variant of Phorpiex, which features a cryptocurrency clipboard hijacking capability supporting more than 30 wallets for different blockchains.

Figure 22. View at the reconstructed Phorpiex sample code and clipboard hijacking routine

Phishing Campaigns using Twitter, Typo Squatting and SEO Poisoning

During our investigation of the infrastructure and thorough analysis of the domains registered by the threat actors, we uncovered multiple phishing websites that were deceiving users through the use of typo squatting and SEO poisoning techniques. We also came across numerous phishing websites serving legitimate AnyDesk software. This finding sparked intriguing connections when we correlated it with the Rilide referral codes found in configuration files. We uncovered a few campaigns labeled as 'Calls', suggesting that the attackers might be utilizing sociotechnical tactics, including actual calls to the victims. These calls could be used to guide the victims into accessing the phishing websites and provide instructions on how to run AnyDesk. Subsequently, the attackers may proceed to install Rilide extensions or possibly other types of malware. However, we can only speculate about the potential correlation at this point.

Figure 23. Phishing Website Serving Rilide Stealer.

Figure 24. Rilide related phishing website imitating hsbc bank, serving legitimate anydesk software.

We have discovered numerous phishing websites being promoted on Twitter as genuine cryptocurrency airdrops. Most of these websites were found to be utilizing the AngelDrainer crypto stealer script to siphon funds from connected wallets. Interestingly, the freshly established pages lacked any configuration keys, whereas the older ones employed the same key, leading us to believe they were associated with the primary attacker advertising as AngelDrainer on underground forums. Furthermore, during our investigation, we found that several website templates used in these attacks were copied using UrbanVPN.

Figure 25. Twitter posts leading to phishing websites containing angel drainer.

Figure 26. The attacker used UrbanVPN as proxy while copying legitimate websites to create phishing templates.

Figure 27. Angel drainer crypto stealer advertised on one of the underground forums.

Rilide sold on the Underground Forums

The Trustwave SpiderLabs team identified an actor with the nickname ‘friezer’ selling the Rilide extension and control panel on the XSS and Exploit forums for $5000 (price was dropped to the $3000 during promotion period). The first listings for that product appeared on the forums at the end of January 2023. The actor stated in one of the comments that no one uploads the extension to the Chrome Store and all his clients use self-written droppers. Lack of a dropper bundled together with the extension explains the number and variety of droppers observed in the wild.

The threat actor got into trouble in April, having arbitrage cases opened against him (part of an underground court like system) on both XSS and Exploit forums. One of such cases effectively led to his ban on the Exploit forum. Notably in one of such cases opened by a dissatisfied customer, he made a comment in his defense. He stated that the product got burned by the antivirus solutions on April 5th and he is making fixes for it to work again. That explains the new versions of Rilide with obfuscation of increasing complexity.

In our previous blog we mentioned that source code of the Rilide extension was leaked on the underground forum. At the end of April, we observed another actor getting access to the source code of the control panel and leaking it online. It is possible that threat actors other than the original developer picked up the development of this malware family. 

Figure 28. Rilide stealer control panel and grabbers view as advertised on xss forums

Figure 29. Rilide stealer control panel and installed extensions list view as advertised on xss forums.

Hunting for Rilide with Permhash

With an effort to better hunt, cluster, and pivot on malicious APKs and browser extensions, the team at Mandiant created a new framework called Permhash. It creates a hash value based on permissions assigned to the browser extension or an APK. Permhash has been added to the Virustotal platform. In the IOCs section we’ve identified Permhashes for Rilide malware. The malware is under continuous development and the permissions vary between the samples; however, we found the Permhash to correctly cluster different versions of Rilide and help in finding additional samples.

Figure 30. Permhash value of a Rilide sample on the Virustotal platform.

Indicators Of Compromise:

Rilide Stealer Extensions

Rilide C2 Domains

Rilide Permhashes

Rilide Loaders

Rilide Loaders ITW URLs

Fake P2E Games Domains