Analysts spot a new virus that steals cryptocurrency
Security experts at Trustwave Spiderlabs have reported that strains of malware known as Rilide are targeting cryptocurrency exchange users' assets.
According to Trustwave Spiderlabs researchers, the malware, known as Rilide, disguises itself as a Google Drive extension and uses built-in Chrome features. The software monitors users' actions during transactions on cryptocurrency exchanges and secretly extracts funds from crypto wallets.
In addition to providing cybercriminals with the ability to track the transaction history of targeted victims, Rilide allows them to inject malicious scripts to steal funds from cryptocurrency exchanges.
One of the notable features of Rilide is the ability to replace the copied victim’s crypto wallet address from the clipboard with the attacker’s address.
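A defender-side way to catch the clipboard swap described above, as an added example that is not from the original article or from Trustwave's research: compare what the user copied with what is read back from the clipboard a moment later, and alert only when a wallet address has been replaced by another address. Address patterns, the event format and the sample events are constructed assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# Coarse address patterns (assumption: only Bitcoin and Ethereum forms are covered;
# other chains would need their own patterns).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family a string belongs to, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def check_clipboard_event(copied: str, observed: str) -> dict:
    """Compare what was copied with what is read back from the clipboard.

    A clipper swaps a wallet address for one that still looks plausible, usually of
    the same family, so a changed address is the signature this check looks for.
    Non-address content that changes is ignored: that is ordinary clipboard use.
    """
    verdict = {"copied": copied, "observed": observed, "alert": False,
               "reason": "clipboard unchanged"}
    if copied.strip() == observed.strip():
        return verdict
    copied_family = classify_address(copied)
    observed_family = classify_address(observed)
    if copied_family is None:
        verdict["reason"] = "non-address content changed"
        return verdict
    verdict["alert"] = True
    if observed_family == copied_family:
        verdict["reason"] = f"{copied_family} address replaced by another {copied_family} address"
    elif observed_family is not None:
        verdict["reason"] = f"{copied_family} address replaced by {observed_family} address"
    else:
        verdict["reason"] = "address replaced by non-address content"
    return verdict


# Constructed sample of clipboard events: (value copied, value read back shortly after).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    # Untouched legacy Bitcoin address
    ("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    # Ethereum address replaced by another Ethereum address (constructed values)
    ("0x" + "ab" * 20, "0x" + "12" * 20),
    # Plain text, not an address: no alert even though it differs
    ("meeting notes", "meeting notes v2"),
    # Bech32 Bitcoin address replaced by another bech32 address (constructed)
    ("bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", "bc1q" + "z" * 38),
    # Legacy Bitcoin address replaced by an Ethereum address (constructed)
    ("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "0x" + "ab" * 20),
]


def scan_events(events: List[Tuple[str, str]]) -> List[dict]:
    """Run the check over a sequence of events and return only the alerting verdicts."""
    return [v for v in (check_clipboard_event(c, o) for c, o in events) if v["alert"]]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"ALERT: {alert['reason']}: {alert['copied']} -> {alert['observed']}")
```

In a real monitor the two values would come from a copy hook and a clipboard read a few hundred milliseconds later; the comparison logic is the same. Stricter checksum validation per chain would cut false positives from strings that merely look like addresses.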
"What makes this malware different is that it has an effective and rarely used ability to use fake dialogs to trick users into revealing their two-factor authentication and then withdraw cryptocurrencies in the background," Trustwave researchers say.
Microsoft Publisher is one of the distribution channels for the Rilide strain identified by Trustwave. The malicious file was part of Ekipa RAT, a remote access trojan (RAT) designed for targeted attacks.
The second variant of the Rilide strain is Aurora Stealer, which was spotted by Trustwave in April 2022 as Malware-as-a-Service (MaaS). The malware is designed to collect data from multiple web browsers, cryptocurrency wallets, and local systems.
Recently, the attackers behind Aurora have been spotted spreading the malware through the Google Ads platform. In particular, campaigns imitating TeamViewer downloads were used to deploy Aurora.
It was also discovered that Aurora was distributed through a fake website that imitated the NVIDIA driver site. The downloaded sample was packaged with Themida, a well-known commercial executable file protector.
Trustwave experts warn crypto asset owners to be "vigilant and healthy skeptical" whenever events develop in an unconventional way or they receive unsolicited emails. Users should also remember that "any content on the Internet is dangerous, even if it doesn't seem so."