New Rilide Stealer Version Targets Banking Data And Works Around Google Chrome Manifest V3

Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. The malware uses a creative way to work around Google's Chrome Extension Manifest V3, which is aimed at blocking the installation of malicious extensions in Chromium browsers.

While it shares similarities with its predecessor, which was discovered by SpiderLabs and described in our previous blog, it exhibits a higher level of sophistication through a modular design, code obfuscation, adaptation to the Chrome Extension Manifest V3, and additional features such as exfiltrating stolen data to a Telegram channel and interval-based screenshot capture.

We have identified campaigns in the wild which we will examine in detail:

  • The first Rilide campaign seems to target corporate users through the use of a PowerPoint phishing lure and a fake Palo Alto GlobalProtect plugin.
  • The second campaign advertises fake P2E (Play To Earn) games using Twitter. A beta installer was found dropping Rilide and Redline Stealer.
  • A third campaign from the last few days focuses on the banking data of users in Australia and the UK, employing a unique method for loading extensions. Interestingly, we found that the crypto token phishing sites from that campaign exclusively employed AngelDrainer scripts to steal cryptocurrencies from unsuspecting users’ wallets. Further analysis revealed Twitter as a prominent distribution channel for these malicious activities.

During the investigation of Rilide’s related domains and associated IP addresses, we discovered over 1,300 phishing websites impersonating various entities, including banks, government services, software companies, delivery services, and crypto token airdrops. Among these websites, several were found to be distributing malware such as BumbleBee, IceID, or Phorpiex.

Updates in the New Version of Rilide

As with its predecessor, the new Rilide stealer enables threat actors to carry out a broad spectrum of malicious activities, including enabling or disabling other browser extensions, retrieving browsing history and cookies, stealing login credentials, taking on-demand screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.

The biggest change is the adaptation to the Chrome Extension Manifest V3, described in the next section. This change required a complete refactor of the Rilide stealer’s main capabilities. The updated version of the Rilide stealer was first observed by Trellix and tracked as ‘CookieGenesis’ in their report.

The commands configured in the observed Rilide extension packages are similar to those identified by Trellix, but the functionality has been extended with a new command called ‘screenshot_rules’. It lets the attacker capture screenshots of the active tab at a configured time interval whenever the tab URL matches predefined rules, allowing the recording of sensitive data such as credit card details entered during online transactions. Another notable feature is the ability to exfiltrate stolen data to a Telegram channel.


Figure 1. Rilide Stealer plugin – Functionalities Adapted to Manifest V3

Below is the full set of Rilide commands that can be dispatched from the Command & Control server.

Plugin Command | Functionality
--- | ---
extension | Enable or disable an extension from the list of installed extensions.
info | Send system and browser information to the C2 server. Get all configuration settings.
push | Creates a notification with the specified message, title, and icon. Upon clicking the notification, a new tab with a URL from the C2 server is opened.
cookies | Get all browser cookies and send them to the C2 server.
screenshot | Captures the visible area of the currently active tab in the current window.
url | Create a new tab with the provided URL.
current_url | Retrieve the URL of the active tab.
history | Get browsing history from the last 30 days.
injects | Retrieves injection code to apply to specific URLs.
settings | Retrieves proxy, grabbers, and Telegram settings configuration.
proxy | Enable or disable proxy. Threat actors use the proxy implementation from the ‘CursedChrome’ tool, allowing them to browse the web authenticated as the victim.
screenshot_rules | Updates the list of rules for the module grabbing screenshots at specified time intervals. The module checks the active tab URL against the patterns provided in the rules.

Table 1. All Rilide Stealer plugin commands.

Rilide’s Adaptation to Manifest V3

As per the Chrome documentation, ‘an extension manifest gives the browser information about the extension, such as the most important files and the capabilities the extension might use’. This information is stored in a JSON-formatted file called manifest.json located in the extension’s root directory.


Figure 2. Comparison of Rilide stealer manifest version V2 and V3

With the introduction of Manifest V3 there are several feature and functional changes for extensions compared to the previous version, Manifest V2. With security in mind, one of the major improvements is that extensions can’t load remote JavaScript code or execute arbitrary strings. Specifically, all logic must be included in the extension package, allowing a more reliable and effective review process for extensions submitted to the Chrome Web Store.

This is a big hit for the core functionality of Rilide, which relied on the injection of remotely hosted scripts. The old approach leveraged in the previous version of Rilide no longer works because it violates the minimum Content Security Policy applied to extensions, which ensures that an extension will not run inline JavaScript or evaluate strings as executable code.


Figure 3. Violation of the Content Security Policy while loading a script using the approach from the old version of Rilide.

However, as described in the Extensions Security FAQ, execution of remote code in extensions is a policy change for developers distributing through the Chrome Web Store and is not enforced by the Chromium browser. While additional restrictions were implemented with the release of Manifest V3, there are known ways to execute remotely hosted code that are not considered a security bug. Extensions leveraging such workarounds should be rejected during the review process when submitted to the Chrome Web Store.


Figure 4. Paragraph from the Chromium Extensions Security FAQ confirming remotely hosted code execution in Manifest V3.

Review processes are never 100% foolproof, and Google is constantly removing malicious extensions from the Chrome Web Store. While threat actors may try to hide the parts of the code responsible for executing remotely hosted code in order to pass the review process, this is not really an issue for Rilide, which is distributed via local loaders executed by unsuspecting users.

The developers of the Rilide malware used a combination of a few publicly disclosed techniques to achieve injection of a remotely hosted script.

The core of the functionality relies on the use of inline events to execute malicious JavaScript code. This technique was described in a popular answer to a Stack Overflow question about Chrome extension content scripts. The threat actors used the exact code pattern shared in that answer.


Figure 5. Stack Overflow answer detailing code execution via inline events, as observed in the new Rilide version.

Source: https://stackoverflow.com/a/9517879

To overcome the Content Security Policy, the developers used declarativeNetRequest rules to remove the CSP headers from responses. It’s worth noting that the headers are still displayed in the Network tab of Chrome’s Developer Tools, which may mislead a user trying to analyze suspicious behavior.
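One way a defender can triage an unpacked extension for the two workaround ingredients described above (a declarativeNetRequest ruleset that strips Content-Security-Policy response headers, combined with broad host access and stealer-grade permissions) is a small static scan of manifest.json and the rule files it references. The following Python is an added example, not code from the original post or from Rilide. The sample manifest and rules embedded in it are constructed, the permission set it treats as high-risk is the author's own selection drawn from Table 1, and load_unpacked is a hypothetical helper for reading an extension directory from disk.

```python
import json
from pathlib import Path

# Permissions the author treats as stealer-grade for triage purposes, drawn from
# the capabilities in Table 1 (cookies, history, tabs, proxying, header rules).
# This is a triage heuristic, not a Chrome policy.
HIGH_RISK_PERMISSIONS = {
    "cookies", "history", "tabs", "proxy", "webRequest", "scripting",
    "management", "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
    "<all_urls>",
}
CSP_HEADERS = {"content-security-policy", "content-security-policy-report-only"}


def csp_stripping_rules(rules):
    """Return ids of declarativeNetRequest rules whose modifyHeaders action
    removes or rewrites a CSP response header on the pages they match."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        headers = [h.get("header", "").lower() for h in action.get("responseHeaders", [])]
        if any(h in CSP_HEADERS for h in headers):
            hits.append(rule.get("id"))
    return hits


def scan_extension(manifest, rulesets):
    """Static triage of one extension. `rulesets` maps a rule file path (as
    referenced from the manifest) to its parsed JSON list of rules."""
    findings = []
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(declared & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    for resource in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        rule_ids = csp_stripping_rules(rulesets.get(resource.get("path"), []))
        if rule_ids:
            findings.append(
                f"ruleset {resource.get('id')} ({resource.get('path')}) "
                f"strips CSP headers in rule(s) {rule_ids}")
    for script in manifest.get("content_scripts", []):
        if "<all_urls>" in script.get("matches", []):
            findings.append(f"content script {script.get('js')} runs on every site")
    return findings


def load_unpacked(directory):
    """Hypothetical helper: read manifest.json and every referenced rule file
    from an unpacked extension directory, then scan it."""
    root = Path(directory)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    rulesets = {}
    for resource in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        rulesets[resource["path"]] = json.loads((root / resource["path"]).read_text(encoding="utf-8"))
    return scan_extension(manifest, rulesets)


# Constructed sample: a Manifest V3 package shaped like the fake "GlobalProtect"
# plugin described in this post (name and all values invented for this example).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "GlobalProtect Browser Plugin",
    "version": "1.0",
    "permissions": ["cookies", "history", "tabs", "storage", "declarativeNetRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["src/inject.js"]}],
    "declarative_net_request": {
        "rule_resources": [{"id": "ruleset_1", "enabled": True, "path": "rules.json"}]
    },
}
SAMPLE_RULESETS = {
    "rules.json": [
        # Rule 1 is the CSP-stripping pattern; rule 2 is an ordinary blocking rule.
        {"id": 1, "priority": 1,
         "action": {"type": "modifyHeaders",
                    "responseHeaders": [{"header": "content-security-policy", "operation": "remove"}]},
         "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
        {"id": 2, "priority": 1,
         "action": {"type": "block"},
         "condition": {"urlFilter": "||example.invalid/telemetry", "resourceTypes": ["xmlhttprequest"]}},
    ]
}

if __name__ == "__main__":
    for finding in scan_extension(SAMPLE_MANIFEST, SAMPLE_RULESETS):
        print("[!]", finding)
```

The scan is deliberately header-based rather than content-based: because Manifest V3 keeps all rule logic inside the package, a CSP-stripping rule has to sit in a JSON file the analyst can read, and that is the artifact worth looking for first when a user reports an "update" extension that was loaded outside the Web Store.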

Code Obfuscation

With the refactor of the code, the developers of the Rilide malware applied a modular code structure, with the core capabilities in the /src/functions folder. However, we can still see similarities in the naming conventions and C2 endpoints used by the malware.


Figure 6. Old and new versions of Rilide configured to initialize bots via the /api/machine/init endpoint.

The threat actors applied code obfuscation to evade detection and make analysis more difficult. They used custom string obfuscation algorithms to make the code harder to understand. In version 1.8.7 they used a simple list of the actual strings that was later subjected to a custom algorithm performing shift operations to put the elements of the list in the right order. Instead of plaintext strings, the code uses calls to a function that returns a string from the list.


Figure 7. Part of an obfuscated and deobfuscated routine to retrieve cookie values.

In the newest version the shifting algorithm is more complex: strings are additionally encoded with a custom algorithm and RC4-encrypted.

In the Wild Campaigns

The Trustwave SpiderLabs team has identified numerous new campaigns leveraging the Rilide malware. Indicators of Compromise are listed in a separate section at the end of this article. In the following section we present additional information on two interesting campaigns.


Figure 8. Rilide Stealer Campaigns Identified in the wild

Rilide Imitating Palo Alto Network’s GlobalProtect App

Two of the samples identified in the wild imitated Palo Alto’s GlobalProtect app. The extensions are configured to communicate with the C2 domain edd2ed2[.]online.

We identified a PowerPoint presentation with a step-by-step guide on how to install the Rilide extension from this campaign. The threat actors use social engineering techniques and security-oriented lures to persuade victims into installing the malicious extension.


Figure 9. Phishing Presentation instructing users on how to install Rilide stealer disguised as GlobalProtect browser extension.


Figure 10. Phishing Presentation instructing users on how to install Rilide stealer disguised as GlobalProtect browser extension

The threat actors also leveraged Rilide’s integration of the CursedChrome tool, which turns victims’ browsers into fully functional HTTP proxies, allowing the attacker to browse the web authenticated as the victim. The CursedChrome admin panel was also observed on the server.


Figure 11. CursedChrome admin panel discovered on Rilide Stealer C2 server associated with fake GlobalProtect campaign

The SpiderLabs team has not determined the distribution method for this campaign. We assess that it might still be in development as of the time of this writing.

The imitation of the GlobalProtect app and the additional materials prepared by the threat actors suggest they may target corporate users, which differs from previously reported campaigns focused on stealing cryptocurrencies from regular users. The ability to additionally leverage tools like CursedChrome makes Rilide more interesting to more advanced threat actors.

Figure 12. Rilide Stealer Extension Disguised as GlobalProtect

Rilide Targeting Twitter Users using Fake P2E (Play To Earn) Games

In this campaign the threat actors advertise fake P2E (Play To Earn) games. In such games players earn money by collecting NFTs and selling them for real money. The threat actors also lured unsuspecting users with airdrops of small amounts of cryptocurrency for new users. The games are advertised on Twitter, with additional rewards for users who bring in new players and retweet the posts. To make the games more credible, the attackers created dedicated websites and Discord servers. Interestingly, “beta” access is not granted to everyone, but only to selected individuals based on their Google Form answers. Users must share their Twitter handle and SOL wallets; it is unclear whether this is done to add credibility or to pick the more prosperous targets. Upon execution, the downloaded installer drops Rilide and also Redline Stealer.


Figure 13. Twitter and Discord channels leading to Phishing Website Hosting Rilide Stealer

Rilide Targeting Users in Australia and UK with New Loader Variant

The SpiderLabs team identified multiple extensions communicating with the C2 domain extensionsupdate[.]com, which was configured to target users in Australia and the UK. One of the modules in the Rilide malware is a form grabber, responsible for exfiltrating data submitted in forms on specific pages. The configuration stored on the C2 server targeted multiple Australian banks and payment providers.


Figure 14. Rilide C2 grabbers configuration

Banks | Payment providers | Email | Crypto exchange | VPN and Cloud providers
--- | --- | --- | --- | ---
17 | 10 | 3 | 4 | 5

Table 2. Types of websites targeted by Rilide’s grabber module as per the C2 configuration.

Additionally, injection scripts configured on the server targeted the domains of banks in the United Kingdom. Those scripts were still in development as of the time of this writing, but they indicate that the threat actors may want to expand their targets to users located in the UK.


Figure 15. URLs for which injection scripts were configured on the Rilide C2 server


Figure 16. Injected Scripts targeting Banking Credentials of NAB AU and Barclays UK

Interestingly, we identified a PowerShell loader that installs the extensions from this campaign using a new approach. In our previous blog post we described the well-known technique of loading an extension via the --load-extension flag in Chromium-based browsers. However, this technique does not install the extension permanently: when the browser is relaunched without the parameter, the extension is not available. That is why the threat actors had to modify the browser shortcut files to ensure the user would open the browser with the necessary parameter. In the new approach the threat actors install the extension permanently; the result is as if the user had installed the unpacked extension from the browser GUI.

The new technique leverages modification of Secure Preferences, a JSON-structured file holding part of Chrome’s settings. In particular, this file contains information on the installed extensions, such as the extension path on disk and its permissions. To ensure that applications other than the browser cannot modify this file, Chromium introduced a security mechanism based on HMAC hashing. The mechanism is undocumented; however, it has already been reversed and explained by researchers from Chalmers University of Technology in their paper. To generate a valid HMAC hash, the attackers require two additional values besides the settings themselves: the seed stored in the resources.pak file and the SID identifier of the current.


Figure 17. HMAC implementation in Chromium based browsers.

The hash values generated for single setting entries, like the configuration of an extension, are called macs and are stored in the Secure Preferences file to ensure their integrity. There is also a value called super_mac that is generated from all the other mac values to ensure the integrity of the entire file.


Figure 18. Extension settings and corresponding HMAC hash in the Secure Preferences file.

Additionally, for the changes to be valid, the attacker must add a registry subkey holding an additional HMAC hash of the extension settings under the HKCU:\SOFTWARE\Google\Chrome\PreferenceMACs\<Chrome_Profile>\extensions.settings key. For this hash the seed value is not retrieved from the resources.pak file, but is rather the hardcoded value “ChromeRegistryHashStoreValidationSeed”. This was described in a 2019 post on a Russian forum, where the author explored the installation of an extension via Secure Preferences modification.
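To make the mac and super_mac mechanism concrete from the investigator's side, and to show why a forged-but-valid entry still has to be hunted with other signals, here is an added Python auditor for a Secure Preferences file. It is not part of the original post and is neither Rilide's nor Chromium's code. It assumes the message layout the cited Chalmers paper describes for Chromium's PrefHashCalculator (HMAC-SHA256 keyed with the seed over device id + preference path + serialized value, upper-case hex) and approximates Chromium's JSON serialization with compact, key-sorted json.dumps; the ManifestLocation numbering, the seed, the device id, and the extension ids and paths are all assumed or constructed and are labelled as such in the code.

```python
import hashlib
import hmac
import json
from pathlib import PurePosixPath, PureWindowsPath

# Chromium ManifestLocation values as the author recalls them (assumption: check
# the enum in your browser version). 4 = unpacked is what "load unpacked" and a
# forged Secure Preferences entry both carry; 1 = installed from the Web Store.
LOCATION_NAMES = {1: "internal", 2: "external_pref", 3: "external_registry",
                  4: "unpacked", 5: "component", 6: "external_pref_download",
                  7: "external_policy_download", 8: "command_line",
                  9: "external_policy", 10: "external_component"}


def serialize_value(value):
    # Assumption: compact, key-sorted JSON approximates Chromium's JSONWriter.
    # Chrome also drops empty dicts and escapes '<' and '>', so adjust before
    # comparing against macs taken from a real profile.
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def pref_mac(seed, device_id, path, value):
    """HMAC-SHA256 keyed with the seed over device_id + pref path + value,
    upper-case hex: the layout described for Chromium's PrefHashCalculator."""
    message = (device_id + path + serialize_value(value)).encode("utf-8")
    return hmac.new(seed, message, hashlib.sha256).hexdigest().upper()


def super_mac(seed, device_id, macs):
    # Assumption: super_mac is the same HMAC over the whole macs dict with an empty path.
    return pref_mac(seed, device_id, "", macs)


def is_absolute(path):
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def audit_extensions(secure_prefs, seed, device_id):
    """Recompute every extensions.settings mac and the super_mac, and flag entries
    that look sideloaded (unpacked location or an absolute on-disk path)."""
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    protection = secure_prefs.get("protection", {})
    macs = protection.get("macs", {})
    ext_macs = macs.get("extensions", {}).get("settings", {})
    report = {
        "super_mac_ok": hmac.compare_digest(super_mac(seed, device_id, macs),
                                            protection.get("super_mac", "")),
        "extensions": [],
    }
    for ext_id, entry in settings.items():
        expected = pref_mac(seed, device_id, f"extensions.settings.{ext_id}", entry)
        path = str(entry.get("path", ""))
        location = entry.get("location")
        report["extensions"].append({
            "id": ext_id,
            "path": path,
            "location": LOCATION_NAMES.get(location, f"unknown({location})"),
            "mac_ok": hmac.compare_digest(expected, ext_macs.get(ext_id, "")),
            "sideloaded": location == 4 or is_absolute(path),
        })
    return report


# Constructed sample profile: one Web Store extension and one entry written the
# way a loader would write it, with correct macs. Ids, paths, seed and SID are invented.
WEBSTORE_ID = "abcdefghijklmnopabcdefghijklmnop"
SIDELOADED_ID = "pnomlkjihgfedcbapnomlkjihgfedcba"
SAMPLE_SEED = b"constructed-seed-not-chromes"
SAMPLE_DEVICE_ID = "S-1-5-21-1111111111-2222222222-3333333333-1001"


def build_sample_prefs(seed, device_id):
    settings = {
        WEBSTORE_ID: {"location": 1, "state": 1, "from_webstore": True,
                      "path": WEBSTORE_ID + "\\2.1.0_0"},
        SIDELOADED_ID: {"location": 4, "state": 1, "from_webstore": False,
                        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\GlobalProtect"},
    }
    macs = {"extensions": {"settings": {
        ext_id: pref_mac(seed, device_id, f"extensions.settings.{ext_id}", entry)
        for ext_id, entry in settings.items()}}}
    return {"extensions": {"settings": settings},
            "protection": {"macs": macs, "super_mac": super_mac(seed, device_id, macs)}}


if __name__ == "__main__":
    prefs = build_sample_prefs(SAMPLE_SEED, SAMPLE_DEVICE_ID)
    for ext in audit_extensions(prefs, SAMPLE_SEED, SAMPLE_DEVICE_ID)["extensions"]:
        print(ext)
```

Against a real profile the analyst supplies the seed extracted from resources.pak and the machine's device id. Note that the sideloaded sample passes the mac check, because, like Rilide's loader, its macs were computed correctly; what exposes it is the unpacked location, the absolute path outside the profile's Extensions directory, and the PreferenceMACs registry value described above, so those are the signals worth alerting on.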


Figure 19. Part of the Rilide PowerShell loader leveraging the new installation technique.

Pivoting on the Campaign IOCs

The loader described in the previous section downloaded the malicious Rilide extension from a Bitbucket repository. Judging by the number of downloads of the extension from the repository, and the fact that the loader was not detected as malicious by any engine on the VirusTotal platform as of the time of this writing, the new loading technique seems to have been a success for the threat actors.


Figure 20. Number of downloads of files stored in the Bitbucket repository.

Rilide C2 Infrastructure Hunt

The C2 domain extensionsupdate[.]com used in the third campaign was registered through the NiceNIC.NET provider located in Hong Kong, China, and IP records pointed to a C2 server located in Moscow, Russia. Technical WHOIS details for the C2 domain were redacted for privacy, but the registrant organization was not. The registrant organization, ‘Mihail Kolesnikov’, was associated with over 1200 other websites, all of them registered between December 2022 and July 2023 using NiceNIC.NET. Several of those websites were found to be serving malware such as IceID, Bumblebee or Phorpiex.


Figure 21. Rilide Stealer Infrastructure Pivot

Phorpiex Malware and 1337Team Limited Hosting

Two domains, eaougheofhuoaez[.]top and faugzeazdezgzgfm[.]top, were associated with IP addresses registered under the infamous ‘1337Team Limited’, a bulletproof hosting provider registered in Seychelles known for hosting various malicious campaigns. Our investigation revealed that these two domains were serving the ‘Twizt’ variant of Phorpiex, which features a cryptocurrency clipboard hijacking capability supporting more than 30 wallets for different blockchains.


Figure 22. View of the reconstructed Phorpiex sample code and clipboard hijacking routine

Phishing Campaigns using Twitter, Typo Squatting and SEO Poisoning

During our investigation of the infrastructure and analysis of the domains registered by the threat actors, we uncovered multiple phishing websites deceiving users through typosquatting and SEO poisoning techniques. We also came across numerous phishing websites serving legitimate AnyDesk software. This finding became more intriguing when we correlated it with the Rilide referral codes found in configuration files: we uncovered a few campaigns labeled ‘Calls’, suggesting that the attackers might be using social engineering tactics that include actual phone calls to the victims. Such calls could be used to guide victims to the phishing websites and to provide instructions on how to run AnyDesk, after which the attackers may proceed to install Rilide extensions or possibly other types of malware. However, we can only speculate about this correlation at this point.


Figure 23. Phishing Website Serving Rilide Stealer.


Figure 24. Rilide-related phishing website imitating HSBC bank, serving legitimate AnyDesk software.

We have discovered numerous phishing websites being promoted on Twitter as genuine cryptocurrency airdrops. Most of these websites were utilizing the AngelDrainer crypto stealer script to siphon funds from connected wallets. Interestingly, the freshly established pages lacked any configuration keys, whereas the older ones employed the same key, leading us to believe they were associated with the primary actor advertising AngelDrainer on underground forums. Furthermore, during our investigation we found that several website templates used in these attacks were copied using UrbanVPN.


Figure 25. Twitter posts leading to phishing websites containing AngelDrainer.


Figure 26. The attacker used UrbanVPN as proxy while copying legitimate websites to create phishing templates.


Figure 27. AngelDrainer crypto stealer advertised on one of the underground forums.

Rilide sold on the Underground Forums

The Trustwave SpiderLabs team identified an actor with the nickname ‘friezer’ selling the Rilide extension and control panel on the XSS and Exploit forums for $5000 (the price was dropped to $3000 during a promotion period). The first listings for the product appeared on the forums at the end of January 2023. The actor stated in one of the comments that no one uploads the extension to the Chrome Store and that all his clients use self-written droppers. The lack of a dropper bundled with the extension explains the number and variety of droppers observed in the wild.

The threat actor got into trouble in April, with arbitration cases opened against him (part of an underground court-like system) on both the XSS and Exploit forums. One of those cases effectively led to his ban from the Exploit forum. Notably, in one case opened by a dissatisfied customer, he commented in his defense that the product had been burned by antivirus solutions on April 5th and that he was making fixes for it to work again. That explains the new versions of Rilide with obfuscation of increasing complexity.

In our previous blog we mentioned that the source code of the Rilide extension was leaked on an underground forum. At the end of April, we observed another actor gaining access to the source code of the control panel and leaking it online. It is possible that threat actors other than the original developer have picked up the development of this malware family.


Figure 28. Rilide stealer control panel and grabbers view as advertised on the XSS forum


Figure 29. Rilide stealer control panel and installed extensions list view as advertised on the XSS forum.

Hunting for Rilide with Permhash

In an effort to better hunt, cluster, and pivot on malicious APKs and browser extensions, the team at Mandiant created a new framework called Permhash. It creates a hash value based on the permissions assigned to a browser extension or an APK. Permhash has been added to the VirusTotal platform. In the IOCs section we list Permhashes for the Rilide malware. The malware is under continuous development and the permissions vary between samples; however, we found Permhash to correctly cluster different versions of Rilide and to help in finding additional samples.


Figure 30. Permhash value of a Rilide sample on the VirusTotal platform.

Indicators Of Compromise:

Rilide Stealer Extensions

File Name | Hash Type | Hash
--- | --- | ---
crypto-extension.zip | MD5 | 66e05bc7b8e8ccd31415e22272f03bd4
 | SHA1 | 173065e688b008e208d6ffd62ea2b5a15cf66552
 | SHA256 | 35451261a9864614aaeb43cd8bfb8d166a483baaa4477c6e119ebcffffa0ba31
crypto-extension.zip | MD5 | 79f586fe64498205b1aab8ece4b2e944
 | SHA1 | ea4d7f31e889585d1a2c77e2b2823a4ccbd765d2
 | SHA256 | 3978acf99393c9538dedc22f97eb247bbcfe0791acead7f6c96d1079479286fd
 | MD5 | bb8315ba98e0cb251453d58cf2048f3b
 | SHA1 | 8316ab2ee030c859d2952a0a0ee3fb8606b88816
 | SHA256 | abae2f164e073e7aab2822b507de10e731cc1b396809728452e98be6618c149f
 | MD5 | 9f806a3d233ffbbb58cf82c3e769d6a5
 | SHA1 | 10d3d6bf88bead7180e84a2b7acf3abc60e14e81
 | SHA256 | 2aac1089998e5e88fbdf539408be53570a4ed64a989885d1003bf73c723eea1d
 | MD5 | fd59031e1c35e5fb1ecbaff6c64a31e8
 | SHA1 | e4aaef90c4284e923679e92e970396f7ef989087
 | SHA256 | 2b638291abc822a2bb5f94b196022cae4b064487a71a8e067f8d8a2fb3c7acc5
 | MD5 | 4aa44852969f4c603bf9e8e3799d6984
 | SHA1 | 552b715702d8b4b0f035a92d5ab5bb1f0712ac32
 | SHA256 | f2931eb819db38895ccc016a6b04b90bb1456931164f2b7e15f4bc0c95fbd997
 | MD5 | 5a439a865ba82b35ef8eeacc1a778e0c
 | SHA1 | a1456ea8696c755d1d2c4d1f27661f9388f805b9
 | SHA256 | e39d0974b403b547b07282237f356061754375d1b70dacf731d8fa2add15d856
 | MD5 | fc3afbea35d3844550af54a2506a5f64
 | SHA1 | d85c34f3cd20d24fde93f0e60d677d2aa8c48591
 | SHA256 | 83fff7424342575d8ab6a9bd8eba71490e75a87ea825c8a84bb16945613467e1
 | MD5 | 59e77f77b458eb0c390f90e2daa35504
 | SHA1 | 060ac379851786e61d081b1471ee15347185e56c
 | SHA256 | 0fd8a4468d7d5370d1f67b01badb2e7e1aacb3e6cf1689cab4f678cc7868f520
 | MD5 | 614ce2b5df0dd74d1bc5b0bde55edd53
 | SHA1 | 52a1ee4060e13790501163c78d3475be90f05584
 | SHA256 | aed0c82e40f51089ef8c08df53404d61a591db8f14f07a9ef38aeeef8f4e15a8
 | MD5 | a906698ebe07eac71494052bb82cd3f2
 | SHA1 | 937e03c89c33bbd5c7727c3f8e00aecdf22afa7f
 | SHA256 | 0778c7e2ec2dde55d2e88f31168a52d8e78ce5348ccab82c8e6b2c0f3bb0b3eb
 | MD5 | e879d0f7540ce7b3365c7f79a461ec98
 | SHA1 | 397a40a2f5047db13bf84bd7e6296c12dc317933
 | SHA256 | d4ae1e54da50c3dbf7c201a42537f42fc307c5ce7700ad32aceb60f69ed7d779
 | MD5 | 8080ad6ea6102d445ea16169a990cb5e
 | SHA1 | dc7fa285da2034a00ed2c66cb86c37e1a4bbd679
 | SHA256 | 482b3ae10d6b70c1faf55a9b3abd14bdc1b198b18d089a0aea6aa6ac6fd7ace1
 | MD5 | 172f5c41250ef3e84579645e5b1a22bc
 | SHA1 | ccbf7ed9d3c2b606b753359cb4b10caa2570a571
 | SHA256 | ae5da62daf678fc0555f739c116f58fd26c5400257367dcd0f777997615a4b23
 | MD5 | ae249d95c6ac779246b8eea93730801f
 | SHA1 | 92a030999013b6835b39d2cce951fcb258107bc8
 | SHA256 | cab8e0569f69efe0214dea05461cba63c3abb9c255f17e2ae48e904dfce500fd
 | MD5 | 44cf3fe19f92cfac81d74ec366302104
 | SHA1 | 946ac4d655bc77624b912ad42431c8a692cac6a4
 | SHA256 | 6f68fdf8c77b6deb44427322f82a6476a631ec6e4cdb0b18421bf5a0c895435e
 | MD5 | 8b008a8f776b57060b5ce42b6ea2b8f6
 | SHA1 | 76fc50665aea80dca8844282804339b7351c3267
 | SHA256 | a7e24ead72e9bd2d74be36c201e348d5c5aa29c1c0c4e972677ce12602a74158
 | MD5 | ddddeb26f795fd7658720d5ae80a310d
 | SHA1 | dd6e2e93d80d9b5df93e17e714aee41534f1158a
 | SHA256 | dea7f22216fcd2a3355b231d57dec37164c85faf3e9279beae6cdb153051a48a
 | MD5 | d2b07b0e4142bbcb1457d51e25da416d
 | SHA1 | 2700d7a6c6f5abdea5972c9d5a67603216870af4
 | SHA256 | a4ebe88f43d782b30fd83e1fb79b26674827cc03db4aeb77540243c303b51a6a
 | MD5 | 47c7a9d2010c0f1d1c20fec47339451b
 | SHA1 | f5a5d008a70e1c632d7cb72b2f255f3e500b43e4
 | SHA256 | c23846b1ec00890c3fda2b600b29b2fb717de6fa54b8c9bebe825aa4e0a7f2cc
 | MD5 | 7a60adb662556863752bd2ab1c25c727
 | SHA1 | b27a56ee3262c4d87bae60c514ea7056a4ec7c6f
 | SHA256 | e669e3509aa8d6a425b61e77993b23f832071ba2f7def373af57417f661eb431
 | MD5 | adbc8e285c7657615b2ebee344390952
 | SHA1 | f637104610e14e2260a792fd17775a83d2551a38
 | SHA256 | 7f0a71e2443cef0beaeea10a78fbbdb3a612be6c4be206acf7c13849d593fad7
 | MD5 | fa3509f5adb6b3c8857194083af87edd
 | SHA1 | cc7949e9587b7f64049ab5b9b3603eb831f47808
 | SHA256 | ad32f29f994a9d4eeceb39afeaa2a1dbda4f17931668d64026c225c738518cfd
 | MD5 | f8653cd2a1c7cea7509abd6cd52078b3
 | SHA1 | 3197073f18ce0432691d61f09302f949d3283e0b
 | SHA256 | ac4ae2bb49343ed24c2ae0d531cde04c3186dc4263a2352f2c2ac78812bb5c05
 | MD5 | 403dd2a2a6163c07710fabc08f71bec8
 | SHA1 | b0c587068505fcbdb55d263dff03f3abbeeb0842
 | SHA256 | 008b7d803d8925c578168a2bd757dd4a0b26b32b2f810ce91e3f062e1ed5cd0c
 | MD5 | 678a0f6c5a0662b8f42fca2f6788e3c6
 | SHA1 | dd4e7e8230e14685d73d142efb337e75cb2d3581
 | SHA256 | b6043858d8b28b397ce364417a59167bb1afb32b5c8fcf0be428362af7952e27
 | MD5 | 20d8abba528c323668911a7da1993336
 | SHA1 | dd7f3feb98e4d84817a84a9fdfddaed3b2719303
 | SHA256 | cca6dda21c62f2665eccdec2edff5e6dfa6260a217c02709b21b3e14670ca3b7
 | MD5 | df7d7dc978275f8c85ab8408abc8df95
 | SHA1 | cde2d4b70d374fca96951a13f056f778258aeb45
 | SHA256 | 718b9adb3cd2f68c41234870242e312cac6beb00444ed4e21dca5f21b6fbecb9
 | MD5 | cfe9ec19dd3991c45c76493d9598141b
 | SHA1 | a1b9fd0577f6cc0ff87010a651ff123b8285289c
 | SHA256 | 48346d8f46efca68f354f0833c3cfc9e8931d5b655ec434725fcdffb03069460
 | MD5 | 0fb39568d9ba07e39f64d64510832a99
 | SHA1 | 5174127b62bd3a1e983dd8a33e3efa5ec54471c8
 | SHA256 | dfc0c60526e78d58f055ddace6cb91227958a0c5b413c88d00be175f084bd5da
 | MD5 | 59998a5c7c0f31adc47f3d05333ff8cc
 | SHA1 | f2348f98a71afcc241c6e3d5777b300e5602a4e5
 | SHA256 | 7dde5fe5377eaa43af2896f0aab7a6875ac88a34d0391c39d0979c3cf2861723
 | MD5 | d504505d18408343a5f1225a0d0f3c1b
 | SHA1 | 16f46139147f5f6dcd521840951860c299982587
 | SHA256 | 533576b2f435591fe51d0e09d479154fac13a6440c619085dc0a11ada0f69e12
 | MD5 | 367300209532298c12b8678a1699b6ff
 | SHA1 | 3c6fcd01f513df3480930924bd82d2abdb19266a
 | SHA256 | ba1d0a41bf1bfacf41e667857cbd24b9834631613de44124b95357cd5c7637c3
 | MD5 | bda2f43f6a08de8e0d41aa704a796eb1
 | SHA1 | 18ccba913df5b8867c6ef066f121fb8cd03a7518
 | SHA256 | f6e81b0d239268ce0c9bb6ba7dbe09fb67ffa273a85fdfe656b14b5ea9a94568
 | MD5 | c8805c7f4224c02b173f6beab132638c
 | SHA1 | b3d59d7caab786cb92639a8c8bc17f73da26c788
 | SHA256 | 687e9fc52445b8045fccc308c30713395bdfba08dac83fc85355a5c94b2bbbde
 | MD5 | 97a42807acd13205c1a2937850416439
 | SHA1 | a468269647f3b9909f4df27b74711d56adaf87a4
 | SHA256 | 1c1a8d502871dbf22b404b6825b5219344a3d89ebb5da88380ba1ca158e2d92b
 | MD5 | f1f97bcec87f298f3f533fbcb0de034e
 | SHA1 | a25fccb0455f8e9d3751f5127dd6867aecb58b45
 | SHA256 | 5f6e10bdfe78f855105843c67ff6ec69801caba328a8b1681425b06e359f888c


Rilide C2 Domains

frz-panel[.]su
lsadksajpenal[.]su
edd2ed2[.]online
proyectopatentadomxapostol[.]com
assets[.]bnbcoinstatic[.]com
tes123123t[.]com
web-lox[.]com
pupkalazalupka[.]com
extension-login[.]com
io-web[.]cc
ext-panel[.]website
extensionsupdate[.]com
blackfox[.]lol
silent-scale[.]com
getvoyagebox[.]org


Rilide Permhashes

8caaafe787c9e3d59486ec129b4259764641999b0f1de6b5b46d3773e96442c8
6e9c56301605aeeb0efcbbfbf10008dba7a8b99963f02256d1b28fbc30df7907
3aa913da9591d998a229acec529eb58b1fea14b403b92f56dde47a8425739473


Rilide Loaders

File Name | Hash Type | Hash
--- | --- | ---
main8.ps1 | MD5 | 23fc39223b0225998a70a3cb2e05ad4b
 | SHA1 | 69fb5b178f369beaac85f02791fd8f85facdd20b
 | SHA256 | aa76e48528f473b171b98bfc4d4e4d839a98c255e78382dc6f020e36ed00ea5b
main8v2.ps1 | MD5 | 7ca9216d43d51507d326a72c4d27056e
 | SHA1 | e3476f4fb588b23bdd625bdc75a98a16d1acb4bd
 | SHA256 | abe1c395c9db7df35611caf30fff0a18f23726505b2b51e4dce6547896ee6f76
main9.ps1 | MD5 | ced4052c3d3d32e21df075d68b5a4494
 | SHA1 | cba87daff1cf961fe941489cfcc80f074f8d49ed
 | SHA256 | d755c580cc88b6a5028e843aeda3e3a50c8f025ef1dcf66027c0c1b671024d36
main8v3.ps1 | MD5 | 1de4b5ff5035d3df6ab27d12c83b18f5
 | SHA1 | aa7929ba89295c732398c63a574a49f035b9ca52
 | SHA256 | dfff032e311776b3d62f70856a6d29ca8267beee614f756301b7f891c6325485
dropper.exe | MD5 | bc9472ab59a9625003190b2dfcd1c502
 | SHA1 | ddb5e3e03655fa8dd8690aeb81db00da84bd2c8b
 | SHA256 | 7465e22c5544ff885472e36dd60beec5039c68c4728d804fea240bc36e8f6794
chrome.exe | MD5 | 5e8d7b2ea9c184a5a88edd0e507571ed
 | SHA1 | 027268c51892ca07c36b66ae31dbe33c2afeb789
 | SHA256 | 45d03f5d809664844d569d35431a147885d201ca151bda9bf66f282daec025a6
out_5.bin | MD5 | 63e9249d7950ca2e03c40a64a76a3951
 | SHA1 | 29dd8609c74cc54d60bab53c6e83a3cb641f8b4a
 | SHA256 | 14405eee6b03c4de6fba6b68768a943120c092280e0763ee2672b7ffdf9358bc
new_out.bin | MD5 | 1c683f7e8ede935de16fe1af8d920b4e
 | SHA1 | ace802a22a69b2d6fe305d407212c0919671f81a
 | SHA256 | 1ac5e7036f862b8d2a951b1be262b498f0c9213d4d2f500e9c5f06ac8e8179b2
yoo.ps1 | MD5 | a404c8f69888159b85aa2b069f0d0f90
 | SHA1 | 70cae8f5f2d6573510f5f4400a8baba89e5bcd2f
 | SHA256 | 461773a67e1a6228d0a8d02a45da72fc94ce0df97cd99aef33dcbf859d306a11
Injector.exe | MD5 | 7ba207ff437a0df9b5a05a01c0d548b9
 | SHA1 | 2c98abcaea10d3abd307c68cbf95f3e4af40ec04
 | SHA256 | e8a791965f8534b33736a0786ebeb0975002f3a03c31aefe2e4a64a1d4c70a34
 | MD5 | b4867df506f38736c0f6ce56decad080
 | SHA1 | d033569c97f382b21ce83439dae0cab5bd28e135
 | SHA256 | 54920cdfbc9403da38058b90bfb19a1af5caff2ca4584209d13e0f90b64c3b2c
virus_exe.exe | MD5 | f5dc1259e5300b8d4711ca7bf51c6e9f
 | SHA1 | 92d4921b1fc15ae389a59b5df90614d7926f95e9
 | SHA256 | 6aa388c50c8c184901db02eae71b1ec3d9e0ab9e636d22419f64a83c8b2c94b0
ChatGPT.exe | MD5 | 89d7bf4d70efaeb4e63eddd179df9829
 | SHA1 | c84a3774eea3c7c3069964fff500eb498a3e3fa0
 | SHA256 | e89971bfb8375d748cc233157537856c5598fcd513ed42e862261a99843f40d0
Riot Revelry 1.0.2.exe | MD5 | 4a0e5fee91b361a09cd9d70e5f6ffb3d
 | SHA1 | 3976d181a1bdeaca94c072d672ee90750865ee96
 | SHA256 | 6a83ee64b323082bf8827deb6297d4d3895f346ff83e9d9d4d125e976df5e503
Night Predators 1.0.2.exe | MD5 | 0f8c7037ba4cf9736a5ac22cde94b7ed
 | SHA1 | 018caa6adbd983fd2e2ba46670196a41669b4cef
 | SHA256 | 1f62a8dc5e71b2826d0fe70588c4c4cbebb9518d3f1125807e6e6927b359458a


Rilide Loaders ITW URLs

URL | Description
--- | ---
https://download[.]hdoki[.]org/yzxdhdxsqkmvcayrtevs/Riot Revelry 1.0.2.exe | Fake P2E game installers
https://download[.]hdoki[.]org/yzxdhdxsqkmvcayrtevs/Night Predators 1.0.2.exe | Fake P2E game installers


Fake P2E Games Domains

nightpredators[.]com
riotrevelry[.]com

Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/