Rilide browser extension steals MFA codes

Cryptocurrency thieves are targeting users of Chromium-based browsers – Google Chrome, Microsoft Edge, Brave Browser, and Opera – with an extension that steals credentials and can grab multi-factor authentication (MFA) codes.

The malicious extension

Dubbed Rilide by Trustwave researchers, the extension mimics the legitimate Google Drive extension while, in the background, it disables the Content Security Policy (CSP), collects system information, exfiltrates browsing history, takes screenshots, and injects malicious scripts.

It aims to allow attackers to compromise email (Outlook, Yahoo, Google) accounts by serving forged email confirmations, and crypto-related accounts (Kraken, Bitget, Coinbase, etc.) by serving forged MFA requests.

“Rilide’s crypto exchange scripts support automatic withdrawal function. While the withdrawal request is made in the background, the user is presented with forged device authentication dialog in order to obtain 2FA,” security researchers Pawel Knapczyk and Wojciech Cieslak explained.

“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser. The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code.”

Different campaigns deliver the threat

The malicious extension has been spotted being delivered via two separate campaigns, involving malicious Google ads, documents with macros, the Aurora stealer and the Ekipa RAT (remote access trojan):

Two distinct delivery campaigns (Source: Trustwave SpiderLabs)

“Any association between the threat actors behind Ekipa RAT and those using the Rilide infostealer remains unclear. However, it is probable that Ekipa RAT was tested as a means of distribution for Rilide, before finally switching to Aurora stealer,” they noted.