New Crypto Virus Rilide Drains Crypto Exchange Accounts

10 April 2023

In recent years, the digital landscape has seen a surge in cyber threats and attacks, with phishing schemes becoming increasingly frequent and sophisticated. Cybercriminals constantly evolve their tactics and techniques, aiming to exploit unsuspecting individuals and organizations by targeting their most valuable assets.

A new crypto virus, Rilide, has been spreading fear across the crypto community, as it automatically empties users’ accounts and takes their hard-earned funds.

What Is Rilide All About?

A new strain of malware known as Rilide has been discovered by cybersecurity researchers at Trustwave SpiderLabs. It targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera and steals users’ cryptocurrency. Rilide masquerades as a legitimate Google Drive extension, enabling cybercriminals to conduct various malicious activities, including collecting browsing history, capturing screenshots, and withdrawing funds from different cryptocurrency exchanges.

How Does The New Crypto Virus Rilide Work?

The Rilide loader modifies the shortcut files of the affected web browsers, so that the malicious extension dropped on the compromised system is loaded automatically each time the browser is opened.
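The shortcut tampering described above is something a defender can audit on a suspect machine. The following Python, an added example that is not from the article or from SpiderLabs’ research, parses a Windows .lnk file according to the MS-SHLLINK layout and flags Chromium command-line switches that side-load an extension; the article does not name the switches Rilide’s loader uses, so `--load-extension` and `--disable-extensions-except` are the assumed ones here, and the sample shortcut is constructed inline rather than taken from a real infection.

```python
"""Audit Windows .lnk shortcuts for Chromium extension side-loading switches."""
import re
import struct
from pathlib import Path

# LinkFlags bits from MS-SHLLINK section 2.1.1 (only those the parser needs).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, IS_UNICODE = 0x20, 0x80
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Chromium switches that load an extension from outside the normal install path
# (assumed indicators; the article does not name the switches Rilide uses).
SUSPICIOUS_SWITCHES = ("--load-extension", "--disable-extensions-except")

def _read_string(data: bytes, pos: int, unicode: bool):
    """Read one StringData entry: uint16 character count, then the characters."""
    count = struct.unpack_from("<H", data, pos)[0]
    width = 2 if unicode else 1
    raw = data[pos + 2 : pos + 2 + count * width]
    return raw.decode("utf-16-le" if unicode else "cp1252"), pos + 2 + count * width

def lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk file ('' if none)."""
    if len(data) < 76 or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                        # end of the fixed header
    if flags & HAS_LINK_TARGET_ID_LIST:             # uint16 size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                       # uint32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR):
        if flags & flag:                            # fixed order before ARGUMENTS
            _, pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    if not flags & HAS_ARGUMENTS:
        return ""
    return _read_string(data, pos, bool(flags & IS_UNICODE))[0]

def suspicious_switches(arguments: str) -> list:
    """Name the side-loading switches present in a browser command line."""
    present = set(re.findall(r"--[a-z0-9-]+", arguments.lower()))
    return [sw for sw in SUSPICIOUS_SWITCHES if sw in present]

def audit_shortcuts(folder: str) -> dict:
    """Map each .lnk under `folder` to its suspicious switches (empty list = clean)."""
    return {str(p): suspicious_switches(lnk_arguments(p.read_bytes()))
            for p in Path(folder).rglob("*.lnk")}

def build_lnk(arguments: str) -> bytes:
    """Construct a minimal .lnk holding only COMMAND_LINE_ARGUMENTS (test data, not a real sample)."""
    header = struct.pack("<I16sI", 0x4C, SHELL_LINK_CLSID, HAS_ARGUMENTS | IS_UNICODE).ljust(76, b"\0")
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

if __name__ == "__main__":
    sample = build_lnk(r'--load-extension="C:\Users\victim\AppData\Local\Temp\gdrive"')
    print(suspicious_switches(lnk_arguments(sample)))   # ['--load-extension']
```

On a live system, point `audit_shortcuts` at the Desktop, Start Menu and taskbar pin folders; any browser shortcut that reports a non-empty list deserves a look at the directory the switch points to.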

Upon launch, the extension runs a script that attaches a listener which fires when the victim switches tabs, when page content is retrieved, or when a site finishes loading. It compares the current location against a list of targets stored on the C2 server and, if a match is found, injects malicious JavaScript into the website to steal the user’s cryptocurrency, email credentials, or other sensitive information. The extension also disables the browser’s Content Security Policy, a security feature meant to prevent cross-site scripting (XSS) attacks, so that it can load external resources of its own. Moreover, the extension can take screenshots and send them to the C2, and it periodically exfiltrates browser history.

Rilide’s 2FA-bypassing method is also noteworthy: it uses forged dialogs to trick victims into entering their temporary codes. The mechanism is triggered when a victim requests a cryptocurrency withdrawal from an exchange that Rilide is actively targeting.

The malware injects the script in the background at just the right moment and handles the request automatically. Once the user enters their code into the fake dialog, Rilide uses it to finalize the withdrawal to the threat actor’s wallet address.

Similarly, if the user logs into their inbox using the same web browser, any confirmation or device authorization request emails they have received will be instantly replaced.

During their research, SpiderLabs also found a botnet sale advertisement on an underground forum dated March 2022, listing features such as a reverse proxy and an ad clicker. The botnet’s automatic withdrawal function targeted the same exchanges observed in the Rilide samples.

The Bottom Line

Overall, Rilide illustrates the growing complexity of malicious browser extensions, which increasingly feature real-time surveillance and automated monetary theft systems.

Staying educated on the most recent cybersecurity dangers and best practices will help reduce the likelihood of falling for a phishing attempt and protect your personal information.
