Watch out - that PowerPoint link could be Chrome malware


Cybersecurity researchers from Trustwave SpiderLabs have discovered an updated version of the infamous Rilide Stealer, a malicious Google Chrome extension capable of stealing people’s login credentials, bank account details, and cryptocurrency held in wallet add-ons.

The extension works on Chromium-based browsers, including Chrome, Edge, Brave, and Opera. While malicious extensions are nothing new, the distribution method for this particular version is somewhat original.

According to the researchers’ report, the threat actors were distributing phishing emails impersonating VPN products and firewall service providers, such as Palo Alto Networks’ GlobalProtect app. The emails warned recipients of a cyber-threat lurking in the wild and offered guidance, through a PowerPoint presentation, on how to install the legitimate extension and so secure their endpoints. However, the links in the PowerPoint presentation led straight to the malware.

Bypassing Chrome Extension Manifest V3

If the victims fall for the trick and install Rilide, the malware targets multiple banks, payment providers, email service providers, cryptocurrency exchange platforms, VPNs, and cloud service providers, BleepingComputer reports. The malware works by injecting scripts into the targeted sites’ pages and focuses mostly on targets in Australia and the United Kingdom.

The new version of the malware is also interesting because it works under Chrome Extension Manifest V3, Google’s recently introduced extension platform whose tighter rules, notably a ban on remotely hosted code, were meant to make malicious add-ons harder to build.
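A practical check for a suspected stealer extension is to look at what the installed extensions are actually allowed to do, since an injection stealer needs script access to every site (or to an explicit list of financial domains) regardless of manifest version. The script below is an added example and is not from the Trustwave report, BleepingComputer or this article; it walks the extension directories of Chromium-based browsers (the profile paths are assumptions for Linux, macOS and Windows defaults), parses each manifest.json, and flags extensions that combine every-site host access with a way to run packaged code in pages. The two sample manifests are constructed for illustration and are not Rilide’s real manifest.

```python
"""Triage Chromium extension manifests for the capability shape of an
injection stealer. Added example, not the article's or Trustwave's code."""
import json
import os
from pathlib import Path

# Match patterns that grant access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension watch or rewrite traffic.
NETWORK_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                 "declarativeNetRequestWithHostAccess"}


def summarize_manifest(manifest: dict) -> dict:
    """Return the capabilities that matter for credential injection."""
    mv = manifest.get("manifest_version")
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if mv == 2:
        # MV2 lists host match patterns inside "permissions".
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    cs_matches = set()
    for cs in manifest.get("content_scripts", []):
        cs_matches |= set(cs.get("matches", []))

    broad = bool((hosts | cs_matches) & BROAD_PATTERNS)
    # Ways packaged code can reach page content: declared content scripts,
    # the MV3 "scripting" permission, or MV2 tabs.executeScript (needs only
    # host permission). MV3's remote-code ban does not block any of these.
    can_inject = bool(cs_matches) or "scripting" in perms or mv == 2

    findings = []
    if broad:
        findings.append("reaches every site (<all_urls> or all http/https)")
    if cs_matches:
        findings.append("declares content scripts")
    if "scripting" in perms:
        findings.append("can inject packaged scripts via scripting API")
    if perms & NETWORK_PERMS:
        findings.append("can observe or rewrite requests")
    if "cookies" in perms:
        findings.append("can read cookies (session hijack)")
    return {"name": manifest.get("name", "?"), "manifest_version": mv,
            "hosts": sorted(hosts | cs_matches), "findings": findings,
            "risky": broad and can_inject}


def default_extension_roots() -> list:
    """Extension roots for common Chromium browsers (assumed default paths)."""
    home = Path.home()
    local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
    profiles = [home / ".config/google-chrome", home / ".config/microsoft-edge",
                home / ".config/BraveSoftware/Brave-Browser",
                home / "Library/Application Support/Google/Chrome",
                local / "Google/Chrome/User Data", local / "Microsoft/Edge/User Data",
                local / "BraveSoftware/Brave-Browser/User Data"]
    return [p / "Default/Extensions" for p in profiles
            if (p / "Default/Extensions").is_dir()]


def scan(roots) -> list:
    """Parse <root>/<extension id>/<version>/manifest.json for every root."""
    results = []
    for root in roots:
        for mpath in Path(root).glob("*/*/manifest.json"):
            try:
                info = summarize_manifest(json.loads(mpath.read_text(encoding="utf-8-sig")))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest; skip it
            info["id"] = mpath.parent.parent.name
            info["path"] = str(mpath)
            results.append(info)
    return results


# Constructed samples (not real extension manifests).
SAMPLE_STEALER_MANIFEST = {
    "manifest_version": 3, "name": "constructed stealer-shaped sample",
    "permissions": ["scripting", "storage", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"],
                         "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
}
SAMPLE_BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "constructed benign sample",
    "permissions": ["storage"], "host_permissions": ["https://example.com/*"],
}

if __name__ == "__main__":
    found = scan(default_extension_roots())
    if not found:  # no browser profile on this host: show the samples
        found = [summarize_manifest(SAMPLE_STEALER_MANIFEST),
                 summarize_manifest(SAMPLE_BENIGN_MANIFEST)]
    for info in found:
        print(("RISKY " if info["risky"] else "      ") + f"MV{info['manifest_version']} "
              f"{info.get('id', 'sample')} {info['name']}")
        for f in info["findings"]:
            print("   -", f)
```

Run it on a user’s profile and review every line marked RISKY against the Web Store listing; an extension that was sideloaded from an email link and asks for every site plus script injection is exactly the profile described above. Note that legitimate password managers and ad blockers also match this shape, so the output is a triage list, not a verdict, and the manifest says nothing about what the bundled inject.js does.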


The stolen data is then exfiltrated to a Telegram channel, or delivered as screenshots to a predetermined C2 server.

The researchers don’t know exactly who is behind this campaign, as Rilide is commodity malware, sold on hacker forums and most likely used in different campaigns. In this particular instance, the attackers generated more than 1,500 phishing pages on typosquatted domains and promoted them via SEO poisoning on trusted search engines. They also impersonated banks and service providers to get the victims to type in their login details.

Twitter is also being abused for the campaign, luring people to phishing websites for fraudulent play-to-earn blockchain games.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
