Malicious browser extensions have become a common occurrence in recent years, with hackers using them to steal private information and even money. Trustwave SpiderLabs cybersecurity researchers have discovered a new strain of malware that targets cryptocurrency wallets. Rilide malware, which masquerades as a Google Drive extension for Chromium-based browsers, can monitor a victim’s browsing history, capture screenshots, and even inject malicious scripts to withdraw money from cryptocurrency exchanges if installed.
Rilide installs a script that monitors the victim’s actions, such as when they switch tabs, receive web content, or finish loading pages. If the current site matches a list of targets available from the command and control (C2) server, the extension loads additional scripts that can steal cryptocurrency, email account credentials, and other sensitive information.