
Rilide Malware: Hackers Use Malicious Browser Extension to Bypass 2FA and Steal Crypto


Trustwave SpiderLabs security researchers have recently discovered a new malicious browser extension, named Rilide, targeting Chromium-based browsers like Google Chrome, Brave, Opera, and Microsoft Edge. 

The malicious activities include monitoring browsing history, taking screenshots and stealing cryptocurrency through scripts injected into websites. Rilide impersonated benign Google Drive extensions to remain undetected while abusing built-in Chrome features. 

The cybersecurity company also found another operation that loaded the extension using a Rust loader by leveraging Google Ads and the Aurora Stealer. 

While the origin of the malware is still unknown, Trustwave reports that it shares similarities with extensions that are sold to cybercriminals. In addition, due to a dispute between hackers over an unsolved payment, some of its code was recently disclosed on a dark web forum. 

Hijacking Chromium-based Browsers 

Rilide's loader modifies the web browser's shortcut files so that the malicious extension dropped on the compromised system is loaded automatically. Once the extension runs, a script attaches a listener that fires whenever the victim switches tabs, receives web content, or finishes loading a page. It also checks whether the current site matches a list of targets fetched from the command-and-control (C2) server. 

If there is a match, the extension loads additional scripts that are injected into the page to steal the victim's cryptocurrency and email login details, among other data. The extension also disables the browser's Content Security Policy (CSP), a mechanism intended to guard against cross-site scripting (XSS), so that it can freely load external resources the browser would normally restrict. 
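The capabilities described above (watching tab switches and page loads, injecting scripts into arbitrary sites, reading history, and stripping CSP headers) each require specific extension permissions. The following added example, which is not part of the Trustwave write-up or any Rilide code, audits extension manifests for those permission combinations so a defender can triage what is installed on a host. The permission names are real Chrome extension permissions; the grouping, the risk tiers and the sample manifests are this example's own constructions. It handles both Manifest V2 (host patterns in `permissions`) and Manifest V3 (`host_permissions`) layouts.

```python
import json
import os

# Chrome extension permission names are real; grouping them by the capability the
# Rilide write-up describes is this example's own heuristic, not a Chrome or
# Trustwave classification.
HEADER_REWRITE = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                  "declarativeNetRequestWithHostAccess"}   # can alter response headers such as CSP
PAGE_ACCESS = {"scripting", "tabs", "activeTab"}           # inject scripts / observe pages
DATA_ACCESS = {"history", "cookies", "desktopCapture"}     # browsing history, sessions, screen capture
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not taken from Rilide or any real extension).
SAMPLE_MANIFESTS = {
    "drive-sync-helper": {               # looks like a Drive utility, asks for far too much
        "manifest_version": 3,
        "name": "Drive Sync Helper",
        "permissions": ["tabs", "webRequest", "declarativeNetRequestWithHostAccess",
                        "scripting", "history", "storage"],
        "host_permissions": ["<all_urls>"],
    },
    "legacy-blocker": {                  # MV2 style: host patterns live in 'permissions'
        "manifest_version": 2,
        "name": "Legacy Blocker",
        "permissions": ["webRequest", "webRequestBlocking", "https://*/*"],
    },
    "sticky-notes": {                    # minimal, nothing to flag
        "manifest_version": 3,
        "name": "Sticky Notes",
        "permissions": ["storage"],
        "host_permissions": [],
    },
}


def host_patterns(manifest):
    """Collect host match patterns from MV3 'host_permissions', MV2 'permissions'
    and any content_scripts 'matches' lists."""
    patterns = set(manifest.get("host_permissions", []))
    patterns.update(p for p in manifest.get("permissions", [])
                    if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return a list of human-readable findings for one manifest (empty if clean)."""
    perms = set(manifest.get("permissions", []))
    broad = bool(host_patterns(manifest) & BROAD_HOSTS)
    findings = []
    if perms & HEADER_REWRITE and broad:
        findings.append("can rewrite response headers on every site (CSP removal possible)")
    if (perms & PAGE_ACCESS or manifest.get("content_scripts")) and broad:
        findings.append("can inject scripts into every site")
    if "tabs" in perms:
        findings.append("can observe tab switches and page URLs")
    if perms & DATA_ACCESS:
        findings.append("can read " + ", ".join(sorted(perms & DATA_ACCESS)))
    return findings


def risk_level(findings):
    """Three-tier rating; the thresholds are this example's own choice."""
    if len(findings) >= 2:
        return "high"
    return "medium" if findings else "low"


def audit_directory(root):
    """Walk an unpacked-extensions directory (e.g. a Chrome profile's Extensions
    folder) and audit every manifest.json found. Returns {path: (level, findings)}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            path = os.path.join(dirpath, "manifest.json")
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            findings = audit_manifest(manifest)
            results[path] = (risk_level(findings), findings)
    return results


if __name__ == "__main__":
    for key, manifest in SAMPLE_MANIFESTS.items():
        findings = audit_manifest(manifest)
        print(f"{manifest['name']:<20} {risk_level(findings):<6} {'; '.join(findings) or '-'}")
```

Point `audit_directory()` at a profile's `Extensions` folder to rate everything installed; an extension with a benign-sounding name that lands in the "high" tier is exactly the pattern described above and warrants a look at its background script.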

Bypassing Two-factor Authentication 

Another notable feature of Rilide is its 2FA-bypass mechanism, which produces forged dialogs to lure victims into entering their one-time codes. It is triggered once the victim submits a withdrawal request for cryptocurrency on one of the exchange services that Rilide targets. 

At that point the malware injects a script in the background to process the request automatically. Once the user enters the code in the fake dialog, Rilide uses it to complete the withdrawal to the attacker's wallet address. 

“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser[…]The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code,” the Trustwave report explains. 

Rilide thus highlights the growing threat posed by malicious browser extensions, which now include live monitoring and automated theft of funds. 

How can You Protect Yourself From Malicious Browser Extensions?

Regarding mitigation, Trustwave SpiderLabs noted that Google's enforcement of Manifest V3 may make it harder for threat actors to use malicious extensions in attacks. However, it will not solve the problem entirely, since "most of the functionalities leveraged by Rilide will still be available," the researchers added. 

To protect yourself, the advice is to use reputable antivirus software, which helps prevent your system from being infected or your data from being compromised. Similarly, a good identity theft protection service can help you recover a stolen identity or funds taken by attackers. 

Moreover, when installing new browser extensions, only use trusted sources such as the Chrome Web Store or the Microsoft Edge Add-ons store.

Microsoft Fixes Two Zero-Day Vulnerabilities on December Patch Tuesday

 

Microsoft has patched 48 new flaws in its products, including one that attackers are currently employing as well as one that has been made public but is not currently being actively used by attackers. 

In its final monthly security update of the year, six of the vulnerabilities were rated critical, 43 were rated important, and three were rated moderate. 

Microsoft's update also covers 23 vulnerabilities in Chromium, the Google browser engine on which Microsoft Edge is built, as well as out-of-band CVEs fixed over the past month. 

Exploiting a security vulnerability 

CVE-2022-44698, the vulnerability that attackers are actively attempting to exploit, is not one of the more serious issues for which Microsoft today issued updates. The vulnerability enables attackers to get around Windows SmartScreen, a security feature that guards users against dangerous files downloaded from the Internet. 

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft explained. 

According to Kevin Breen, director of cyber-threat research at Immersive Labs, CVE-2022-44698 only poses minimal danger to enterprises. "It has to be used in partnership with an executable file or other malicious code like a document or script file. In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe." 

At the same time, Breen advises users to patch the flaw promptly and not to underestimate the threat. 

The other zero-day, CVE-2022-44710, is an elevation-of-privilege flaw in the DirectX Graphics kernel that Microsoft lists as publicly known but not yet actively exploited. The company rated it "important" and noted that successful exploitation would give an attacker system-level privileges, although it considers exploitation less likely. 

Current vulnerabilities to patch 

Trend Micro's ZDI flagged three additional severe vulnerabilities in the December Patch Tuesday security update: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699. 

CVE-2022-44713 is a spoofing flaw in Microsoft Outlook for Mac that could let an attacker impersonate a trusted user and convince a victim that an email came from that person. 

ZDI's head of threat awareness Dustin Childs wrote in a blog post, "we don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice." Combined with the SmartScreen MoTW bypass that attackers are already using, the vulnerability could prove particularly problematic. 

A PowerShell remote code execution (RCE) flaw known as CVE-2022-41076 enables an authenticated attacker to bypass the PowerShell Remoting Session Configuration and execute arbitrary commands on a vulnerable system, Microsoft added. 

Although the attack complexity is high, Microsoft rated the vulnerability as one attackers are more likely to exploit. Organizations should pay attention to it, according to Childs, because it is the kind of flaw attackers frequently use to "live off the land" after gaining initial access to a network. 

Uncertain bug count 

Notably, vendors' counts of the vulnerabilities Microsoft patched this month varied. ZDI put the figure at 52; Talos at 48; SANS at 74; and Action1 initially reported 74 before revising it to 52. 

The discrepancy, according to Johannes Ullrich, dean of research at the SANS Technology Institute, comes down to the different methodologies used to count vulnerabilities. For instance, some count Chromium vulnerabilities and others do not. 

Others, such as SANS, also count the security advisories that sometimes accompany Microsoft updates as vulnerabilities. Some researchers exclude the out-of-band patches Microsoft releases during the month, while others fold them into the next Patch Tuesday tally. 

"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third-party vendors," Breen added. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser." 

According to Breen, 74 vulnerabilities have been fixed since November's Patch Tuesday: 51 from Microsoft and 23 from Google for the Edge browser. "If we exclude both the out-of-band and Google Chromium [patches], 49 patches for vulnerabilities were released today," he concluded. 

A Microsoft spokesperson said the number of new CVEs for which the company issued patches today was 48.

Malicious Actors Are Exploiting ‘App Mode’ in Chromium Browsers for Phishing Attacks

 

A new phishing technique lets malicious actors harvest credentials simply by impersonating legitimate login forms in Application Mode. 

The Application Mode feature can be accessed in all Chromium-based browsers, which includes Google Chrome, Microsoft Edge, and Brave. 

According to mr.d0x, the security researcher who previously uncovered the Browser-in-the-Browser (BitB) attack and Microsoft WebView2 phishing methods, desktop applications are normally harder to spoof, so victims tend to scrutinize them less than browser windows, which are more commonly abused for phishing. 

Chrome's application mode is designed to provide a native-like experience: the website is launched in a separate browser window that displays the site's favicon and hides the address bar. 

Additionally, the attacker-controlled site can use JavaScript to perform various operations, such as closing the window immediately after the victim enters credentials, or resizing and positioning it to achieve the desired appearance. 

The technique also works on other operating systems, including macOS and Linux, making it a potential cross-platform threat. However, the attack depends on the attacker first gaining control of the computer, whether via malware or by persuading the victim to run a Windows shortcut containing the malicious URL. 
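Because the technique relies on launching the browser with the `--app` switch (the feature Google refers to in its statement below), app-mode launches are visible in process-creation telemetry. The following added example, which is not from mr.d0x's research or any vendor tool, classifies such launches from constructed process-creation records: a browser started with `--app=` pointing at a host outside an assumed allow-list of sanctioned web apps is flagged, as is a launch by a scripting host such as PowerShell. The sample events, the allow-list and the host names are constructed for this example; `explorer.exe` as parent corresponds to a shortcut double-click.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (not real telemetry): parent image,
# child image and full command line, the fields a Sysmon Event ID 1 or EDR export
# would provide once flattened to one record per process start.
SAMPLE_EVENTS = [
    ("explorer.exe",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://login.example-phish.test/office'),
    ("explorer.exe",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://mail.corp.example/"'),
    ("explorer.exe",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    ("powershell.exe",
     r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app=http://10.0.0.5/login.html'),
]

APP_FLAG = re.compile(r'--app=(?:"([^"]+)"|(\S+))')   # quoted or bare URL after --app=
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe")
ALLOWED_APP_HOSTS = {"mail.corp.example"}           # assumed allow-list of sanctioned web apps
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def app_mode_url(command_line):
    """Return the URL passed to --app=, or None if the process is not in app mode."""
    match = APP_FLAG.search(command_line)
    if not match:
        return None
    return match.group(1) or match.group(2)


def classify(parent, image, command_line):
    """Classify one process-creation event. Returns None for non-browser or
    non-app-mode launches, else a dict with the URL, host and reasons for concern."""
    if not image.lower().endswith(BROWSERS):
        return None
    url = app_mode_url(command_line)
    if url is None:
        return None
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host not in ALLOWED_APP_HOSTS:
        reasons.append(f"app-mode window for unsanctioned host {host!r}")
    if parsed.scheme == "http":
        reasons.append("cleartext http URL")
    if parent.lower() in SCRIPT_HOSTS:
        reasons.append(f"launched by scripting host {parent}")
    return {"url": url, "host": host, "parent": parent,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(events):
    """Run classify() over (parent, image, command_line) records and return
    only the suspicious results."""
    alerts = []
    for parent, image, command_line in events:
        result = classify(parent, image, command_line)
        if result and result["suspicious"]:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['parent']:<15} {alert['url']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

The allow-list is the key tuning knob: legitimate PWAs installed from the browser also run with `--app=`, so the rule is only quiet once the organization's sanctioned app hosts are enumerated. Feeding the classifier real Sysmon or EDR exports only requires mapping their parent, image and command-line fields onto the tuple shape used here.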

Meanwhile, Google is discontinuing support for Chrome apps in favor of Progressive Web Apps (PWAs) and web-standard technologies, and the feature is likely to be completely phased out in Chrome 109 or later on Windows, macOS, and Linux. 

"The --app feature was deprecated before this research was published, and we are taking its potential for abuse into account as we consider its future. Users should be aware that running any file provided by an attacker is dangerous. Google's Safe Browsing helps protect against unsafe files and websites,” Google stated.

"While Safe Browsing is enabled by default in Chrome, users may want to enable Enhanced protection, which inspects the safety of your downloads to better warn you when a file may be dangerous. Enhanced protection can be found in Chrome Settings > Privacy and security > Security. We encourage the security research community to continue to report issues and vulnerabilities through our vulnerability rewards program: g.co/chrome/vrp."