The way the Rilide malware uses browser extensions to launch attacks:
What is Rilide?
Rilide is an advanced form of malware that was initially identified in 2023 and goes by a synonym LumaC2 and CookieGenesis. It is intended to target browsers running Chromium to take control of user behavior and steal private information. One of Rilide’s primary features is the way it operates, which involves abusing its browser extension component to carry out assaults.
The Shift to Browser Extension Attacks
Rilide’s appearance indicates a dramatic change in the threat environment. Man-in-the-browser attacks were traditionally carried out by malware that looked for particular HTML patterns in the browser’s memory and then inserted <script> tags straight into a web page’s in-memory content. Because browser security measures restricted the injected scripts, these conventional techniques have drawbacks. They followed the same-origin policy, ran in a sandbox, and were managed according to the lifecycle of the page they were injected into. For instance, they would cease running as soon as the page was closed and were unable to access cookies or resources from other sources.
On the other hand, most of these restrictions are circumvented by contemporary attacks that use malicious browser extensions, such as Rilide. Extensions can run constantly in the background because they don’t depend on any one webpage. Additionally, they have higher rights that allow them to access browser-wide resources like cookies and local storage, as well as get around same-origin limitations. Extensions offer a degree of persistence and control well beyond that of conventional web injection techniques because they continue to function even when no pages are open.
Additionally, extensions alter the JavaScript execution context in ways that are harmful. Conventional injections might have left observable evidence because they operated in the same environment as the security tools and web application code. In addition to the main page context, extensions have created two new JavaScript environments:
- Although it is largely separate from the main page environment, the content script context has access to the page document.
- As a service worker, the background code context is inaccessible to the main page environment or content script.
Through specified browser interfaces that are hidden from the page’s creators, communication takes place between these contexts. If no changes are made to the original document, detection will be more challenging because a large portion of the extension’s activity and evidence are segregated by design. This transition to extension-based attacks was probably unavoidable in the growth of browser threats because of the enhanced control, persistence, evasion capabilities, and ease of construction that extensions offer. The broad built-in functionality and permissions provided by contemporary browser APIs also make developing browser extensions simple.
Rilide’s Approach: Making Use of Extension Elements
To make its attacks easier, Rilide makes use of a number of browser extension components:
The Manifest Document:
Outlining the functionality and access levels of the extension, this is an essential part. One Rilide variation that was examined pretended to be a Google Drive plugin. By enumerating the necessary rights, the manifest file offers the first hints to comprehending Rilide’s capabilities. Rilide has asked for the following crucial permissions:
- “Scripting”: Enables web pages to have JavaScript code injected and run.
- “Cookies”: Allows you to view, edit, or remove browser cookies.
- “WebRequest”: Monitoring and altering the browser’s network requests.
- “ClipboardRead/Write”: Reading and editing content from a user’s clipboard.
- “ActiveTab”: Provides temporary access to the tab’s content. Any scheme, domain, path, and port that the browser supports can be accessed and interacted with by the extension with the “host_permission” setting.
Content scripts start relatively early in the page loading process because they are set up to run on all URLs at document_start. In order for Rilide to get around security measures and insert inline material, the manifest additionally sets rules under “declarative_net_request” to eliminate certain material Security Policy (CSP) headers. The extension’s service worker, where the malware keeps track of browser events and interacts with the C2 server, is configured under the “background” section.
Background.js, the background script:
When the extension is installed, the initialisation code in this script is executed. Chrome.system methods are used to retrieve device information (CPU, storage), chrome.management is used to retrieve installed extension data, and chrome.cookies.getAll is used to retrieve all cookies during initialisation. A distinct ID is created and stored locally. The C2 server receives this gathered data, and the response may allow the extension to function as a proxy.
During initialisation, commands, virus settings, and injections are also fetched. After turning on the CSP removal rules, the background script starts tracking browser events. A novel technique for gathering C2 server domains is also included in the background script. It retrieves them from a Telegram bot by making recurring calls using Google Chrome alarms. This makes it simple for the infection to change domains in the event that one is found and blocked.
The background script transfers this data exfiltration to the C2 server after listening for messages from the content script, including “new-grabber-info,” which contain input element values. In order to use chrome.tabs.captureVisibleTab to capture the visible tab and transmit the screenshot data to the C2, it additionally listens for “set-screenshot-result” signals. Frequent alarms are configured to verify and start proxy connections, as well as to get and execute commands from the C2.
The cmds.js command script:
Receiving arguments and commands from the C2 server and returning the results are handled by this script. Among the intriguing commands found are:
- “Extension”: Allows an extension based on a specified ID.
- “Push”: When clicked, it opens a new tab and creates a browser notice with the content that was fetched.
- “Screenshot”: Takes a picture of the tab’s visible content.
- The “History” function retrieves browsing history.
- “Cookies”: Retrieves every cookie in the browser.
- “URL”: Uses a given URL to open a new tab. Additional instructions enable retrieving device information, the current URL, and modifying extension configuration. By using built-in Chrome extension features and enabling dynamic workflow adjustments, these commands make development easier for attackers.
Gmail.js and main.js are content scripts:
These scripts communicate with web pages directly.
main.js:
This script starts with obfuscated harmful code and the jQuery library. If the current URL matches, it executes injections from the service worker that was downloaded at initialisation. To make detection challenging, it uses a clever injection technique that uses the onreset document attribute to trigger a custom reset event right away. Additionally, main.js uses jQuery to create a generic data stealer listener that selects every input element. When the value changes and the element loses focus, it listens for the change event on certain elements and gathers input values (such as usernames or passwords). Chrome.runtime.sendMessage is used to send this stolen data to the service worker, who subsequently forwards it to the C2 servers.
Gmail.js:
The Gmail mail client page (mail.google) is the specific target of this script. Its main objective is to use 2FA authentication request manipulation to conceal cryptocurrency theft. The script looks for emails from well-known cryptocurrency wallets on a regular basis. It looks for elements that contain the phrase “Withdrawal Request” in emails and substitutes “Authorise New Device” if it finds one. Additionally, it targets span elements that include “withdrawal” to replace the email preview content.
The script looks for particular CSS classes and content to determine the email body and authorisation code. Lastly, the script replaces the email body’s HTML content with hardcoded text. In order to enable the threat actor to withdraw cryptocurrency without informing the user of withdrawals, this technique attempts to make victims view withdrawal requests as less suspicious new device authorisations. Because it relies on certain formatting and language, the technique for detecting items within the email body is deemed potentially unstable.
Proxy Capability
Rilide’s capacity to turn the victim’s browser into an HTTP proxy is one of its most notable features, which can be easily applied using extensions. This feature enables the attacker to use the victim’s credentials and data to route all requests. This is especially risky for financial fraud since hackers might use the victim’s authenticated session to access financial platforms, possibly starting transactions or changing settings without triggering additional authentication checks like IP address verification.
The majority of the proxy functionality was lifted from the educational proof-of-concept project CursedChrome. It operates by establishing a WebSocket connection between the attacker’s C2 server and the extension’s service worker. The victim’s obtained cookies are used to carry out commands from the C2, such as navigating or sending requests, and the C2 receives the results. Projects like CursedChrome even offer backend code and administrative UI, demonstrating the ease.
Indicators and Scale The magnitude of the issue is demonstrated by the Trusteer research lab’s detection of approximately 50,000 compromised user sessions since early 2025. As part of its ongoing global effort, Rilide is hitting countries in North America, South America, Europe, and Japan.
It offers a number of compromise signs, such as filenames and hashes:
- Files: ico.png, crrule.js, exts.js, rules.json, manifest.json, utils.js, historytab.js, notif.js, config.js, and content-scriptsApp.html, background.js, main.js, gmail.js, csp.js, exchangeSettings.js, screen.js, domain.js, inj.js, set.js, proxing.js, cmds.js, machine.js, and -register-polyfill.4.0.0.js.
- The extFiles.zip zip file.
- Statbrwsr.digital is a domain.
In conclusion, Rilide is an advanced piece of malware that uses browser extensions’ potent capabilities to obtain long-term control, access private information, get around security measures, and carry out tasks like financial fraud and cryptocurrency theft more covertly than previous web injection techniques.