Watch out - that PowerPoint link could be Chrome malware

Google Chrome
(Image credit: Shutterstock)

Cybersecurity researchers from Trustwave Spiderlabs have discovered an updated version of the infamous Rilide Stealer, a malicious Google Chrome extension capable of stealing people’s login credentials, banking accounts, and cryptocurrencies stored in wallet add-ons.

The extension works on Chromium-based browsers, including Chrome, Edge, Brave, and Opera. While malicious extensions are nothing new, the distribution method for this particular version is somewhat original.

According to the researchers’ report, the threat actors were distributing phishing emails, impersonating VPN products and firewall service providers, such as Palo Alto’s GlobalProtect App. In the emails, they’d warn the recipients of a cyber-threat lurking in the wild and offer guidance, through a PowerPoint presentation, on how to install the legitimate extension and thus ensure the safety of their endpoints. However, the links provided in the PP presentation lead straight to the malware.

Bypassing Chrome Extension Manifest V3

If the victims fall for the trick and install Rilide, the malware targets multiple banks, payment providers, email service providers, cryptocurrency exchange platforms, VPNs, and cloud service providers, BleepingComputer reports. The malware works by using injection scripts and focuses mostly on targets living in Australia and the United Kingdom. 

The new version of the malware is also interesting because it successfully bypasses Chrome Extension Manifest V3 - Google’s newly introduced extension restrictions that were supposed to protect users from malicious add-ons.


(Image credit: Shutterstock)

The stolen data is then exfiltrated to a Telegram channel, or delivered through screenshots to a pre-determined C2 server. 

The researchers don’t know exactly who is behind this campaign, as Rilide is a commodity malware, being sold on hacker forums, and most likely used in different campaigns. In this particular instance, the attackers generated more than 1,500 phishing pages (with typosquatted domains) and promoted them via SEO poisoning on trusted search engines. They also impersonated banks and service providers to get the victims to type in their login details. 

Twitter is also being abused for the campaign, luring people to phishing websites for fraudulent play-to-earn blockchain games.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.