Watch out - that PowerPoint link could be Chrome malware

Hackers are coming up with new ways to distribute malware


Cybersecurity researchers from Trustwave SpiderLabs have discovered an updated version of the infamous Rilide Stealer, a malicious Google Chrome extension capable of stealing people’s login credentials, banking accounts, and cryptocurrencies stored in wallet add-ons.

The extension works on Chromium-based browsers, including Chrome, Edge, Brave, and Opera. While malicious extensions are nothing new, the distribution method for this particular version is somewhat original.

According to the researchers’ report, the threat actors were distributing phishing emails impersonating VPN products and firewall service providers, such as Palo Alto’s GlobalProtect app. In the emails, they’d warn the recipients of a cyber-threat lurking in the wild and offer guidance, through a PowerPoint presentation, on how to install the supposedly legitimate extension and thus ensure the safety of their endpoints. However, the links provided in the PowerPoint presentation lead straight to the malware.

Bypassing Chrome Extension Manifest V3


If the victims fall for the trick and install Rilide, the malware targets multiple banks, payment providers, email service providers, cryptocurrency exchange platforms, VPNs, and cloud service providers, BleepingComputer reports. The malware works by using injection scripts and focuses mostly on targets living in Australia and the United Kingdom.

The new version of the malware is also interesting because it successfully bypasses Chrome Extension Manifest V3 - Google’s newly introduced extension restrictions that were supposed to protect users from malicious add-ons.
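Because Rilide arrives as a sideloaded extension with script-injection capabilities, one practical triage step for a defender is to inventory the extensions installed in a Chromium profile and rank them by what their manifests can do. The script below is an added example written for this article, not code from Trustwave or TechRadar: it walks a Chrome `Extensions` directory, parses each `manifest.json` (both Manifest V2 and V3 layouts), and flags broad host access, sensitive permissions, content scripts injected into every site, and extensions that are not updated from the Chrome Web Store. The two manifests embedded in `demo()` are constructed samples, and the risk indicators and the Linux profile path in the comments are assumptions chosen for illustration, not a definition of Rilide’s manifest.

```python
"""Triage installed Chromium extensions by the capabilities their manifests declare.

Added example (not Trustwave's or TechRadar's code). Indicator lists, paths and
the sample manifests are assumptions constructed for illustration.
"""
import json
import tempfile
from pathlib import Path

# Extensions installed from the Chrome Web Store carry this update_url.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that let an extension read or alter page content, cookies, or traffic
# (assumed watch-list; tune for your environment).
SENSITIVE_PERMISSIONS = {
    "scripting", "webRequest", "webNavigation", "cookies", "tabs", "declarativeNetRequest",
}


def assess_manifest(manifest: dict) -> dict:
    """Return a list of findings and a simple score (number of findings) for one manifest."""
    findings = []
    mv = manifest.get("manifest_version")
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if mv == 2:
        # Manifest V2 mixes host patterns into "permissions"; V3 moved them to host_permissions.
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

    if hosts & BROAD_HOST_PATTERNS:
        findings.append("broad host access")
    sensitive = perms & SENSITIVE_PERMISSIONS
    if sensitive:
        findings.append("sensitive permissions: " + ", ".join(sorted(sensitive)))
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOST_PATTERNS:
            findings.append("content script injected into all sites")
            break
    if manifest.get("update_url") != WEB_STORE_UPDATE_URL:
        findings.append("not updated from the Chrome Web Store (sideloaded?)")

    return {
        "name": manifest.get("name", "?"),
        "manifest_version": mv,
        "findings": findings,
        "score": len(findings),
    }


def scan_extensions_dir(extensions_dir: Path) -> list[dict]:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json, highest score first.

    On Linux the default Chrome profile keeps this directory at
    ~/.config/google-chrome/Default/Extensions (assumed; other platforms differ).
    """
    results = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the sweep
        result = assess_manifest(manifest)
        result["id"] = manifest_path.parents[1].name  # directory name is the extension id
        results.append(result)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests: one store-installed, low-privilege extension and one
# sideloaded extension that injects scripts everywhere and reads cookies.
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Example Dictionary Lookup", "version": "1.0",
    "permissions": ["storage"], "host_permissions": ["https://example.com/*"],
    "update_url": WEB_STORE_UPDATE_URL,
}
SUSPECT_MANIFEST = {
    "manifest_version": 3, "name": "Security Update Helper", "version": "2.1",
    "permissions": ["scripting", "tabs", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}


def demo() -> list[dict]:
    """Write the two sample manifests into a temporary Extensions tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ext_id, manifest in (("benignidplaceholder", BENIGN_MANIFEST),
                                 ("suspectidplaceholder", SUSPECT_MANIFEST)):
            path = root / ext_id / "1.0_0" / "manifest.json"
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(manifest), encoding="utf-8")
        return scan_extensions_dir(root)


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['score']}  {entry['id']}  {entry['name']}: {entry['findings']}")
```

Run it as-is to see the constructed samples ranked; point `scan_extensions_dir` at a real profile to inventory a machine. The score is deliberately crude: it surfaces extensions worth a closer look (sideloaded, all-site script injection, cookie access), which is where a campaign like the one described above would show up, but a high score is a lead for analysis, not a verdict.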

The stolen data is then exfiltrated to a Telegram channel, or delivered through screenshots to a pre-determined C2 server.

The researchers don’t know exactly who is behind this campaign, as Rilide is commodity malware, sold on hacker forums and most likely used in different campaigns. In this particular instance, the attackers generated more than 1,500 phishing pages (with typosquatted domains) and promoted them via SEO poisoning on trusted search engines. They also impersonated banks and service providers to get the victims to type in their login details.


Twitter is also being abused for the campaign, luring people to phishing websites for fraudulent play-to-earn blockchain games.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
