TechRadar
Sead Fadilpašić

Watch out - that PowerPoint link could be Chrome malware

Cybersecurity researchers from Trustwave Spiderlabs have discovered an updated version of the infamous Rilide Stealer, a malicious Google Chrome extension capable of stealing people’s login credentials, banking accounts, and cryptocurrencies stored in wallet add-ons.

The extension works on Chromium-based browsers, including Chrome, Edge, Brave, and Opera. While malicious extensions are nothing new, the distribution method for this particular version is somewhat original.

According to the researchers’ report, the threat actors distributed phishing emails impersonating VPN products and firewall service providers, such as Palo Alto’s GlobalProtect app. The emails warned recipients of a cyber-threat lurking in the wild and offered guidance, in the form of a PowerPoint presentation, on how to install the legitimate extension and thus secure their endpoints. However, the links in the PowerPoint presentation led straight to the malware.

Bypassing Chrome Extension Manifest V3

If the victims fall for the trick and install Rilide, the malware targets multiple banks, payment providers, email service providers, cryptocurrency exchange platforms, VPNs, and cloud service providers, BleepingComputer reports. The malware works by using injection scripts and focuses mostly on targets in Australia and the United Kingdom.

The new version of the malware is also interesting because it successfully bypasses Chrome Extension Manifest V3 - Google’s newly introduced extension restrictions that were supposed to protect users from malicious add-ons.

The stolen data is then exfiltrated to a Telegram channel, or delivered as screenshots to a pre-determined C2 server.

The researchers don’t know exactly who is behind this campaign, as Rilide is commodity malware sold on hacker forums and most likely used in different campaigns. In this particular instance, the attackers generated more than 1,500 phishing pages (on typosquatted domains) and promoted them via SEO poisoning on trusted search engines. They also impersonated banks and service providers to get the victims to type in their login details.

Twitter is also being abused for the campaign, luring people to phishing websites for fraudulent play-to-earn blockchain games.

Via BleepingComputer
