Cybersecurity researchers from Trustwave SpiderLabs have discovered a new strain of malware that targets victims’ cryptocurrency wallets.
Dubbed Rilide, the malware poses as an extension for Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, or Opera.
The malware poses as a legitimate Google Drive extension; should people install it on their endpoints, they would give the malware the ability to monitor their browsing history, grab screenshots, and inject malicious scripts that drain the funds they hold on cryptocurrency exchanges.
What makes this malware unique is its use of “forged dialogs” to trick people into giving away their multi-factor authentication codes, and then withdraw cryptocurrency while operating in the background. If the malware spots that the user has an account on a cryptocurrency exchange, it attempts a withdrawal request in the background while presenting the user with a forged device authentication dialog to capture the 2FA code.
Usually, cryptocurrency exchanges would also notify the users of withdrawal requests via email, which is also something this malware tries to hide. These email confirmations get replaced “on the fly”, the researchers said, as long as the user enters the mailbox using the same web browser. The request email is replaced with a device authorization request, tricking the victim into giving away the 2FA code.
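The capabilities described above (reading browsing activity, capturing the screen, injecting scripts into pages such as exchange and webmail sites) all map to permissions a Chromium extension has to declare in its manifest. The following triage helper, added here as an example and not code from the article or from Trustwave, reads a Manifest V3 style `manifest.json` and flags the permission and host combinations that would grant those capabilities. The risk mapping, the verdict thresholds and the two sample manifests are this example's own constructed heuristics, not Chrome policy.

```javascript
// Added example: triage a Chromium extension manifest for the permission
// combinations that enable the behaviour the article attributes to Rilide.
// The mapping below is an assumed heuristic for illustration only.
const RISKY_PERMISSIONS = {
  history: "read browsing history",
  tabs: "enumerate tabs / read page URLs and titles",
  webNavigation: "observe page navigations",
  scripting: "inject scripts into pages",
  webRequest: "observe or modify HTTP requests",
  declarativeNetRequest: "rewrite or block network requests",
  cookies: "read or modify site cookies",
  desktopCapture: "capture the screen",
  tabCapture: "capture tab contents",
};

// Host patterns that grant access to every website.
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function auditManifest(manifest) {
  const findings = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  for (const p of perms) {
    if (Object.prototype.hasOwnProperty.call(RISKY_PERMISSIONS, p)) {
      findings.push({ kind: "permission", value: p, why: RISKY_PERMISSIONS[p] });
    }
  }

  // Host access comes from host_permissions and from content_scripts matches.
  const contentScripts = manifest.content_scripts || [];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...contentScripts.flatMap((cs) => cs.matches || []),
  ];
  for (const h of hosts) {
    if (BROAD_HOSTS.includes(h)) {
      findings.push({ kind: "host", value: h, why: "access to every website" });
    }
  }
  const broadHost = hosts.some((h) => BROAD_HOSTS.includes(h));
  const has = (name) => perms.includes(name);

  // Capability summary (assumed heuristic): which of the article's three
  // behaviours this manifest could support.
  const capabilities = {
    readsActivity: has("history") || has("tabs") || has("webNavigation"),
    capturesScreen:
      has("desktopCapture") || has("tabCapture") || (has("tabs") && broadHost),
    injectsScripts: has("scripting") || (contentScripts.length > 0 && broadHost),
  };
  const score = Object.values(capabilities).filter(Boolean).length;
  const verdict = score >= 2 ? "high" : score === 1 ? "medium" : "low";
  return { name: manifest.name, findings, capabilities, verdict };
}

// Constructed sample: a lookalike "Google Drive" extension asking for far more
// than a Drive helper needs. Not a real extension's manifest.
const SAMPLE_SUSPICIOUS_MANIFEST = {
  manifest_version: 3,
  name: "Google Drive Helper",
  permissions: ["tabs", "scripting", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

// Constructed sample: a scoped extension that only touches Drive itself.
const SAMPLE_BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Drive Shortcuts",
  permissions: ["storage"],
  host_permissions: ["https://drive.google.com/*"],
};

console.log(JSON.stringify(auditManifest(SAMPLE_SUSPICIOUS_MANIFEST), null, 2));
console.log(JSON.stringify(auditManifest(SAMPLE_BENIGN_MANIFEST), null, 2));
```

The point of the summary is the combination: `tabs` plus `<all_urls>` together cover both activity monitoring and visible-tab capture, and a content script matched on every site is what an extension needs to rewrite a webmail message or overlay a dialog on an exchange page. Reviewing extensions by the capabilities they can reach, rather than by the brand in their name, is the check this example encodes.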
For the researchers, the Rilide stealer is a “prime example” of how malicious browser extensions are becoming more sophisticated and more dangerous. Both businesses and consumers need to remain vigilant at a time when too much information can dull our senses, the researchers conclude. Not all identities on the internet are legitimate:
“Informational overload can dull our ability to interpret facts accurately and make us more vulnerable to phishing attempts. It is important to remain vigilant and skeptical when receiving unsolicited emails or messages, and to never assume that any content on the Internet is safe, even if it appears to be.”