SpiderLabs Blog

New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3

Written by Pawel Knapczyk, Wojciech Cieslak | Aug 3, 2023 10:38:00 AM

Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. This malware uses a creative way to work around the Chrome Extension Manifest V3 from Google which is aimed at blocking the installation of malicious extensions for chromium browsers.

While sharing similarities with its predecessor, which was discovered by SpiderLabs and described in our previous blog, it exhibits a higher level of sophistication through modular design, code obfuscation, adaptation to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures. 

 We have identified campaigns in the wild which we will examine in detail:

  • The first Rilide campaign seems to target corporate users through the use of a PowerPoint phishing lure and a fake Palo Alto GlobalProtect plugin.
  • The second campaign advertises fake P2E (Play To Earn) games using Twitter. A beta installer was found dropping Rilide and Redline Stealer.
  • A third campaign from the last few days focuses on banking data of users in Australia and the UK, employing a unique method for loading extensions. Interestingly, we found that crypto token phishing sites from that campaign exclusively employed AngelDrainer scripts to steal cryptocurrencies from unsuspecting users' wallets. Further analysis revealed Twitter as a prominent distribution channel for these malicious activities.

During the investigation of Rilide's related domains and associated IP addresses, we discovered over 1,300 phishing websites impersonating various entities, including banks, government services, software companies, delivery services, and crypto token airdrops. Among these websites, several were found to be distributing harmful malware like BumbleBee, IceID, or Phorpiex.

Updates in the New Version of Rilide

As does its predecessor, the new Rilide stealer enables threat actors to carry out a broad spectrum of malicious activities, including enabling or disabling other browser extensions, retrieving browsing history and cookies, stealing login credentials, taking on demand screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.

The biggest change is adoption to the Chrome Extension Manifest V3, described in the next section. This change required the complete refactor of the Rilide stealer’s main capabilities. The updated version of Rilide stealer malware was first observed by Trellix and tracked as ‘CookieGenesis’ in their report.

The commands configured in the Rilide extension packages observed are similar to those identified by Trellix, but the functionality has been extended with a new command called ‘screenshot_rules’ . This lets the attacker capture active tab screenshots for every time interval, according to predefined URL rules, allowing recording of sensitive data, such as credit card details entered during online transactions. Another interesting feature is the ability to exfiltrate stolen data to a Telegram channel.

Figure 1. Rilide Stealer plugin - Functionalities Adapted to Manifest V3

Below is the full set of Rilide commands that can be dispatched from the Command & Control server.

Plugin Command Functionality
extension Enable or disable an extension from list of installed extensions.
info Send system and browser information to the C2 server. Get all configuration settings.
push Creates a notification with specified message, title, and icon. Upon clicking on the notification, new tab with URL from C2 server will be opened.
cookies Get all browser cookies and send them to the C2 server.
screenshot Captures the visible area of the currently active tab in current window.
url Create new tab with provided URL.
current_url Retrieve URL from active tab.
history Get browsing history from the last 30 days.
injects Retrieves injection code to apply to specific URLs.
settings Retrieves proxy, grabbers, and telegram settings configuration.
proxy Enable or disable proxy. Threat actors use proxy implementation from the ‘CursedChrome’’ tool allowing to browse the web authenticated as a victim.
screenshot_rules Updates list of rules for module grabbing screenshots  at specified time intervals. Module checks active tab url with a pattern provided in the rules.

Table 1.  All Rilide Stealer plugin commands.

Rilide’s Adaptation to Manifest V3

As per the Chrome documentation ‘an extension manifest gives the browser information about the extension, such as the most important files and the capabilities the extension might use‘. This information is stored in the JSON-formatted file called manifest.json and located in the extension’s root directory.

Figure 2. Comparison of Rilide stealer manifest version V2 and V3

With the introduction of a Manifest V3 there are several features and functional changes for extensions compared to the previous version called Manifest V2.  With security in mind, one of the new major improvements is that extensions can’t load remote JavaScript code and execute arbitrary strings. Specifically, all logic must be included in the extension package thus allowing the more reliable and effective review process for the extensions submitted to the Chrome Web Store.

This is a big hit for the core functionality of Rilide, that relied on the injection of the remotely hosted scripts. The old approach leveraged in the previous version of Rilide does not work because it violates the minimum Content Security Policy applied for the extensions. It ensures that the extension will not run in-line JavaScript or be able to evaluate strings as executable code.

Figure 3. Violation of Content Security Policy, while loading script using the approach used in old version of Rilide.

However as described in the Extensions Security FAQ, execution of a remote code in extensions is a policy change for the developers distributing through the Chrome Web Store and not enforced by the Chromium browser. While there were additional restrictions implemented with the release of Manifest V3, there are known ways to execute remotely hosted code that are not considered a security bug. Extensions leveraging such workarounds should be rejected during the review process when submitted to the Chrome Web Store.

Figure 4. Paragraph from the Chromium Extensions Security FAQ confirming remotely hosted code execution in manifest V3.

The review processes are never 100% fault proof and Google is constantly removing malicious extensions from the Chrome Web Store. While threat actors may try to hide the parts of code responsible for the execution of remotely hosted code to pass the review process, this is not really an issue for Rilide, which is distributed via local loaders executed by unsuspecting users.

Developers of the Rilide malware used combination of few publicly disclosed techniques to achieve injection of a remotely hosted script.

The core of the functionality relies on use of inline events to execute malicious JavaScript code. This technique was described in a popular answer to the Stack Overflow topic around Chrome extensions content scripts.  Threat Actors used the exact code pattern shared in the answer.

Figure 5 Stack Overflow answer detailing the code execution via inline events, as observed in the new Rilide version.

Source: https://stackoverflow.com/a/9517879

To overcome the Content Security Policy, the developers used the Declarative Net Requests rules to remove the CSP headers. It’s worth noting that the headers are still displayed in the Network tab of the Developer Tools in Chrome, which may mislead the user trying to analyze suspicious behavior.

Code Obfuscation

With the refactor of the code, developers of Rilide malware applied modular code structure with the core capabilities in the /src/functions folder. However, we can see the similarities in naming conventions and C2 endpoints used by the malware.

Figure 6. Old and new versions of Rilide configured to initialize bots via the /api/machine/init endpoint.

Threat Actors applied obfuscation of code to evade detection and make analysis more difficult. They used custom strings obfuscation algorithms to make the code harder to understand. In version 1.8.7 they used a simple list with actual strings that was later subjected to a custom algorithm performing shift operations to get the elements in the list in the right order. In the code instead of using plaintext strings, a call to the function returning a string from the list is used.

Figure 7. Part of an obfuscated and deobfuscated routine to retrieve cookies values.

In the newest version the shifting algorithm got more complex. Strings were additionally encoded with a custom algorithm and RC4 encrypted.

In the Wild Campaigns

The Trustwave SpiderLabs team has identified numerous new campaigns leveraging Rilide malware.  Indicators of Compromise are present in the separate section at the end of this article. In the following section we present additional information on two interesting campaigns.

Figure 8. Rilide Stealer Campaigns Identified in the wild

Rilide Imitating Palo Alto Network’s GlobalProtect App

Two of the identified in the wild samples were imitating Palo Alto’s Global Protect App. The extensions are configured to communicate with C2 domain edd2ed2[.]online.

We identified a PowerPoint presentation with a step-by-step guide on how to install the Rilide extension from this campaign. Threat Actors use social engineering techniques and security-oriented lures to persuade victims into installing the malicious extension.

Figure 9. Phishing Presentation instructing users on how to install Rilide stealer disguised as GlobalProtect browser extension.

Figure 10. Phishing Presentation instructing users on how to install Rilide stealer disguised as GlobalProtect browser extension

Threat Actors also leveraged Rilide’s integration of the CursedChrome tool, turning the attacker browsers into fully functional HTTP proxies, allowing the attacker to browse the web authenticated as a victim. The CursedChrome Admin Panel was also observed on the server.

Figure 11. CursedChrome admin panel discovered on Rilide Stealer C2 server associated with fake GlobalProtect campaign

The SpiderLabs team has not determined the distribution system for this campaign. We assess that it might be still in development as of the time of this writing.

Imitation of a GlobalProtect app and additional materials prepared by threat actors suggests they may target corporate users, which differs from previously reported campaigns focused on stealing cryptocurrencies from regular users. The ability to additionally leverage tools like CursedChrome makes Rilide more interesting for the more advanced Threat Actors.

Figure 12. Rilide Stealer Extension Disguised as GlobalProtect

Rilide Targeting Twitter Users using Fake P2E (Play To Earn) Games

In this campaign threat actors advertise fake P2E (Play To Earn) games.  In such games players earn money by collecting NFTs and selling them for real money. Threat actors lured unsuspecting users also with airdrops of a small number of cryptocurrencies for the new users. The games are advertised on Twitter, with additional rewards for the users bringing in new players and retweeting the posts. To make the games more credible, the attackers created dedicated websites and Discord servers. Interestingly the “beta” access is not granted to everyone, but just to the selected individuals based on the Google Form answers. Users must share their Twitter handle and SOL wallets; it is unclear if this is done to add credibility or to pick the more prosperous targets. Upon execution the downloaded installer will drop Rilide and also Redline Stealer.

Figure 13. Twitter and Discord channels leading to Phishing Website Hosting Rilide Stealer

Rilide Targeting Users in Australia and UK with New Loader Variant

The SpiderLabs Team identified multiple extensions communicating with the C2 domain extensionsupdate[.]com, that was configured to target users in Australia and UK. One of the modules in Rilide malware is a form grabber, responsible for exfiltrating data submitted into forms on specific pages. The configuration stored on the C2 server targeted multiple Australian banks and payment providers.

Figure 14. Rilide C2 grabbers configuration

Banks Payment providers Email Crypto exchange VPN and Cloud providers
17 10 3 4 5

Table 2. Type of websites targeted by Rilide s grabber module as per C2 configuration.

Additionally, injection scripts configured on the server targeted domains of banks in the United Kingdom. However, those scripts were still in development as of time of this writing, but they indicate that threat actors may want to expand their targets to users located in the UK.

Figure 15. URLs for which injection scripts were configured on the Rilide C2 server

Figure 16. Injected Scripts targeting Banking Credentials of NAB AU and Barclays UK

Interestingly we identified a PowerShell loader installing extensions from this campaign with a new approach. In our previous blogpost we described a well-known technique of loading an extension via a –load-extension flag in Chromium based browsers. However, this technique does not install an extension permanently, when a browser is relaunched without this parameter the extension is not available. That's why the threat actors had to modify the shortcut files for the browsers, to ensure that user will open it with necessary parameter. In the new approach threat actors install the extension permanently, the result is as if the user installed the unpacked extension from the browser GUI.

The new techniques leverage modification of a JSON structured file holding part of Chrome’s settings, Secure Preferences.  In particular, this file contains information on the installed extensions, like the extension path on disk and its permissions. To ensure that external applications other than the browser cannot modify this file, Chromium introduced a security mechanism based on HMAC hashing. This mechanism is undocumented, however it was already reversed and explained by researchers from Chalmers University of Technology in their paper. To generate a valid HMAC hash, the attackers require two additional values other than the settings itself, seed stored in the resources.apk file and SID identifier of the current.

Figure 17. HMAC implementation in Chromium based browsers.

The hash values generated for single setting entries, like configuration of an extension, are called macs and stored in the Secure Preferences file to ensure their integrity. There is also a value called super_mac that is generated based on all other mac values to ensure the integrity of the entire file.

Figure 18. Extension settings and corresponding HMAC hash in the Secure Preferences file.

Additionally for the changes to be valid, the attacker must add the registry subkey holding additional HMAC hash of the extension settings in the HKCU:\SOFTWARE\Google\Chrome\PreferenceMACs\<Chrome_Profile>\extensions.settings key. In case of this hash the seed value is not retrieved from the resources.apk file, but rather a hardcoded value of “ChromeRegistryHashStoreValidationSeed”. This was described in a post from 2019 on a Russian forum, where the author explored the installation of an extension via Secure Preferences modification.

Figure19. Part of the Rilide PowerShell loader leveraging new installation technique.

Pivoting on the Campaign IOCs

The loader described in the previous section was downloading a malicious Rilide extension from a Bitbucket repository. Judging by the number of extension downloads in the repository and the fact that the loader was not detected as malicious by any of the engines on the Virustotal platform as of the time of this writing, it seems that the new loading technique turned out to be a success for the threat actors. 

Figure 20. Number of downloads of files stored in the Bitbucket repository.

Rilide C2 Infrastructure Hunt

The C2 Domain extensionsupdate[.]com used in the third campaign was registered using the NiceNIC.NET provider located in Hong Kong, China, and IP records pointed to a C2 server located in Moscow, Russia. Technical WHOIS details for the C2 domain were redacted for privacy, the registrant organization was not. The registrant organization, ‘Mihail Kolesnikov’ was associated with over 1200 other websites, all of them registered between December 2022 and July 2023 using NiceNIC.NET. Several websites were found to be serving malware such as IceID, Bumblebee or Phorpiex.

Figure 21. Rilide Stealer Infrastructure Pivot

Phorpiex Malware and 1337Team Limited Hosting

Two domains, eaougheofhuoaez[.]top and faugzeazdezgzgfm[.]top, were associated with IP addresses registered under the infamous ‘1337Team Limited’ a bulletproof hosting provider registered in Seychelles known for hosting various malicious campaigns. Our investigation revealed that these two domains were serving a 'Twizt' variant of Phorpiex, which features a cryptocurrency clipboard hijacking capability supporting more than 30 wallets for different blockchains.

Figure 22. View at the reconstructed Phorpiex sample code and clipboard hijacking routine

Phishing Campaigns using Twitter, Typo Squatting and SEO Poisoning

During our investigation of the infrastructure and thorough analysis of the domains registered by the threat actors, we uncovered multiple phishing websites that were deceiving users through the use of typo squatting and SEO poisoning techniques. We also came across numerous phishing websites serving legitimate AnyDesk software. This finding sparked intriguing connections when we correlated it with the Rilide referral codes found in configuration files. We uncovered a few campaigns labeled as 'Calls', suggesting that the attackers might be utilizing sociotechnical tactics, including actual calls to the victims. These calls could be used to guide the victims into accessing the phishing websites and provide instructions on how to run AnyDesk. Subsequently, the attackers may proceed to install Rilide extensions or possibly other types of malware. However, we can only speculate about the potential correlation at this point.

Figure 23. Phishing Website Serving Rilide Stealer.

Figure 24. Rilide related phishing website imitating hsbc bank, serving legitimate anydesk software.

We have discovered numerous phishing websites being promoted on Twitter as genuine cryptocurrency airdrops. Most of these websites were found to be utilizing the AngelDrainer crypto stealer script to siphon funds from connected wallets. Interestingly, the freshly established pages lacked any configuration keys, whereas the older ones employed the same key, leading us to believe they were associated with the primary attacker advertising as AngelDrainer on underground forums. Furthermore, during our investigation, we found that several website templates used in these attacks were copied using UrbanVPN.

Figure 25. Twitter posts leading to phishing websites containing angel drainer.

Figure 26. The attacker used UrbanVPN as proxy while copying legitimate websites to create phishing templates.

Figure 27. Angel drainer crypto stealer advertised on one of the underground forums.

Rilide sold on the Underground Forums

The Trustwave SpiderLabs team identified an actor with the nickname ‘friezer’ selling the Rilide extension and control panel on the XSS and Exploit forums for $5000 (price was dropped to the $3000 during promotion period). The first listings for that product appeared on the forums at the end of January 2023. The actor stated in one of the comments that no one uploads the extension to the Chrome Store and all his clients use self-written droppers. Lack of a dropper bundled together with the extension explains the number and variety of droppers observed in the wild.

The threat actor got into trouble in April, having arbitrage cases opened against him (part of an underground court like system) on both XSS and Exploit forums. One of such cases effectively led to his ban on the Exploit forum. Notably in one of such cases opened by a dissatisfied customer, he made a comment in his defense. He stated that the product got burned by the antivirus solutions on April 5th and he is making fixes for it to work again. That explains the new versions of Rilide with obfuscation of increasing complexity.

In our previous blog we mentioned that source code of the Rilide extension was leaked on the underground forum. At the end of April, we observed another actor getting access to the source code of the control panel and leaking it online. It is possible that threat actors other than the original developer picked up the development of this malware family. 

Figure 28. Rilide stealer control panel and grabbers view as advertised on xss forums

Figure 29. Rilide stealer control panel and installed extensions list view as advertised on xss forums.

Hunting for Rilide with Permhash

With an effort to better hunt, cluster, and pivot on malicious APKs and browser extensions, the team at Mandiant created a new framework called Permhash. It creates a hash value based on permissions assigned to the browser extension or an APK. Permhash has been added to the Virustotal platform. In the IOCs section we’ve identified Permhashes for Rilide malware. The malware is under continuous development and the permissions vary between the samples; however, we found the Permhash to correctly cluster different versions of Rilide and help in finding additional samples.

Figure 30. Permhash value of a Rilide sample on the Virustotal platform.

Indicators Of Compromise:

Rilide Stealer Extensions

File Name Hash Type Hashes
crypto-extension.zip MD5 66e05bc7b8e8ccd31415e22272f03bd4
  SHA1 173065e688b008e208d6ffd62ea2b5a15cf66552
  SHA256 35451261a9864614aaeb43cd8bfb8d166a483baaa4477c6e119ebcffffa0ba31
crypto-extension.zip MD5 79f586fe64498205b1aab8ece4b2e944
  SHA1 ea4d7f31e889585d1a2c77e2b2823a4ccbd765d2
  SHA256 3978acf99393c9538dedc22f97eb247bbcfe0791acead7f6c96d1079479286fd
  MD5 bb8315ba98e0cb251453d58cf2048f3b
  SHA1 8316ab2ee030c859d2952a0a0ee3fb8606b88816
  SHA256 abae2f164e073e7aab2822b507de10e731cc1b396809728452e98be6618c149f
  MD5 9f806a3d233ffbbb58cf82c3e769d6a5
  SHA1 10d3d6bf88bead7180e84a2b7acf3abc60e14e81
  SHA256 2aac1089998e5e88fbdf539408be53570a4ed64a989885d1003bf73c723eea1d
  MD5 fd59031e1c35e5fb1ecbaff6c64a31e8
  SHA1 e4aaef90c4284e923679e92e970396f7ef989087
  SHA256 2b638291abc822a2bb5f94b196022cae4b064487a71a8e067f8d8a2fb3c7acc5
  MD5 4aa44852969f4c603bf9e8e3799d6984
  SHA1 552b715702d8b4b0f035a92d5ab5bb1f0712ac32
  SHA256 f2931eb819db38895ccc016a6b04b90bb1456931164f2b7e15f4bc0c95fbd997
  MD5 5a439a865ba82b35ef8eeacc1a778e0c
  SHA1 a1456ea8696c755d1d2c4d1f27661f9388f805b9
  SHA256 e39d0974b403b547b07282237f356061754375d1b70dacf731d8fa2add15d856
  MD5 fc3afbea35d3844550af54a2506a5f64
  SHA1 d85c34f3cd20d24fde93f0e60d677d2aa8c48591
  SHA256 83fff7424342575d8ab6a9bd8eba71490e75a87ea825c8a84bb16945613467e1
  MD5 59e77f77b458eb0c390f90e2daa35504
  SHA1 060ac379851786e61d081b1471ee15347185e56c
  SHA256 0fd8a4468d7d5370d1f67b01badb2e7e1aacb3e6cf1689cab4f678cc7868f520
  MD5 614ce2b5df0dd74d1bc5b0bde55edd53
  SHA1 52a1ee4060e13790501163c78d3475be90f05584
  SHA256 aed0c82e40f51089ef8c08df53404d61a591db8f14f07a9ef38aeeef8f4e15a8
  MD5 a906698ebe07eac71494052bb82cd3f2
  SHA1 937e03c89c33bbd5c7727c3f8e00aecdf22afa7f
  SHA256 0778c7e2ec2dde55d2e88f31168a52d8e78ce5348ccab82c8e6b2c0f3bb0b3eb
  MD5 e879d0f7540ce7b3365c7f79a461ec98
  SHA1 397a40a2f5047db13bf84bd7e6296c12dc317933
  SHA256 d4ae1e54da50c3dbf7c201a42537f42fc307c5ce7700ad32aceb60f69ed7d779
  MD5 8080ad6ea6102d445ea16169a990cb5e
  SHA1 dc7fa285da2034a00ed2c66cb86c37e1a4bbd679
  SHA256 482b3ae10d6b70c1faf55a9b3abd14bdc1b198b18d089a0aea6aa6ac6fd7ace1
  MD5 172f5c41250ef3e84579645e5b1a22bc
  SHA1 ccbf7ed9d3c2b606b753359cb4b10caa2570a571
  SHA256 ae5da62daf678fc0555f739c116f58fd26c5400257367dcd0f777997615a4b23
  MD5 ae249d95c6ac779246b8eea93730801f
  SHA1 92a030999013b6835b39d2cce951fcb258107bc8
  SHA256 cab8e0569f69efe0214dea05461cba63c3abb9c255f17e2ae48e904dfce500fd
  MD5 44cf3fe19f92cfac81d74ec366302104
  SHA1 946ac4d655bc77624b912ad42431c8a692cac6a4
  SHA256 6f68fdf8c77b6deb44427322f82a6476a631ec6e4cdb0b18421bf5a0c895435e
  MD5 8b008a8f776b57060b5ce42b6ea2b8f6
  SHA1 76fc50665aea80dca8844282804339b7351c3267
  SHA256 a7e24ead72e9bd2d74be36c201e348d5c5aa29c1c0c4e972677ce12602a74158
  MD5 ddddeb26f795fd7658720d5ae80a310d
  SHA1 dd6e2e93d80d9b5df93e17e714aee41534f1158a
  SHA256 dea7f22216fcd2a3355b231d57dec37164c85faf3e9279beae6cdb153051a48a
  MD5 d2b07b0e4142bbcb1457d51e25da416d
  SHA1 2700d7a6c6f5abdea5972c9d5a67603216870af4
  SHA256 a4ebe88f43d782b30fd83e1fb79b26674827cc03db4aeb77540243c303b51a6a
  MD5 47c7a9d2010c0f1d1c20fec47339451b
  SHA1 f5a5d008a70e1c632d7cb72b2f255f3e500b43e4
  SHA256 c23846b1ec00890c3fda2b600b29b2fb717de6fa54b8c9bebe825aa4e0a7f2cc
  MD5 7a60adb662556863752bd2ab1c25c727
  SHA1 b27a56ee3262c4d87bae60c514ea7056a4ec7c6f
  SHA256 e669e3509aa8d6a425b61e77993b23f832071ba2f7def373af57417f661eb431
  MD5 adbc8e285c7657615b2ebee344390952
  SHA1 f637104610e14e2260a792fd17775a83d2551a38
  SHA256 7f0a71e2443cef0beaeea10a78fbbdb3a612be6c4be206acf7c13849d593fad7
  MD5 fa3509f5adb6b3c8857194083af87edd
  SHA1 cc7949e9587b7f64049ab5b9b3603eb831f47808
  SHA256 ad32f29f994a9d4eeceb39afeaa2a1dbda4f17931668d64026c225c738518cfd
  MD5 f8653cd2a1c7cea7509abd6cd52078b3
  SHA1 3197073f18ce0432691d61f09302f949d3283e0b
  SHA256 ac4ae2bb49343ed24c2ae0d531cde04c3186dc4263a2352f2c2ac78812bb5c05
  MD5 403dd2a2a6163c07710fabc08f71bec8
  SHA1 b0c587068505fcbdb55d263dff03f3abbeeb0842
  SHA256 008b7d803d8925c578168a2bd757dd4a0b26b32b2f810ce91e3f062e1ed5cd0c
  MD5 678a0f6c5a0662b8f42fca2f6788e3c6
  SHA1 dd4e7e8230e14685d73d142efb337e75cb2d3581
  SHA256 b6043858d8b28b397ce364417a59167bb1afb32b5c8fcf0be428362af7952e27
  MD5 20d8abba528c323668911a7da1993336
  SHA1 dd7f3feb98e4d84817a84a9fdfddaed3b2719303
  SHA256 cca6dda21c62f2665eccdec2edff5e6dfa6260a217c02709b21b3e14670ca3b7
  MD5 df7d7dc978275f8c85ab8408abc8df95
  SHA1 cde2d4b70d374fca96951a13f056f778258aeb45
  SHA256 718b9adb3cd2f68c41234870242e312cac6beb00444ed4e21dca5f21b6fbecb9
  MD5 cfe9ec19dd3991c45c76493d9598141b
  SHA1 a1b9fd0577f6cc0ff87010a651ff123b8285289c
  SHA256 48346d8f46efca68f354f0833c3cfc9e8931d5b655ec434725fcdffb03069460
  MD5 0fb39568d9ba07e39f64d64510832a99
  SHA1 5174127b62bd3a1e983dd8a33e3efa5ec54471c8
  SHA256 dfc0c60526e78d58f055ddace6cb91227958a0c5b413c88d00be175f084bd5da
  MD5 59998a5c7c0f31adc47f3d05333ff8cc
  SHA1 f2348f98a71afcc241c6e3d5777b300e5602a4e5
  SHA256 7dde5fe5377eaa43af2896f0aab7a6875ac88a34d0391c39d0979c3cf2861723
  MD5 d504505d18408343a5f1225a0d0f3c1b
  SHA1 16f46139147f5f6dcd521840951860c299982587
  SHA256 533576b2f435591fe51d0e09d479154fac13a6440c619085dc0a11ada0f69e12
  MD5 367300209532298c12b8678a1699b6ff
  SHA1 3c6fcd01f513df3480930924bd82d2abdb19266a
  SHA256 ba1d0a41bf1bfacf41e667857cbd24b9834631613de44124b95357cd5c7637c3
  MD5 bda2f43f6a08de8e0d41aa704a796eb1
  SHA1 18ccba913df5b8867c6ef066f121fb8cd03a7518
  SHA256 f6e81b0d239268ce0c9bb6ba7dbe09fb67ffa273a85fdfe656b14b5ea9a94568
  MD5 c8805c7f4224c02b173f6beab132638c
  SHA1 b3d59d7caab786cb92639a8c8bc17f73da26c788
  SHA256 687e9fc52445b8045fccc308c30713395bdfba08dac83fc85355a5c94b2bbbde
  MD5 97a42807acd13205c1a2937850416439
  SHA1 a468269647f3b9909f4df27b74711d56adaf87a4
  SHA256 1c1a8d502871dbf22b404b6825b5219344a3d89ebb5da88380ba1ca158e2d92b
  MD5 f1f97bcec87f298f3f533fbcb0de034e
  SHA1 a25fccb0455f8e9d3751f5127dd6867aecb58b45
  SHA256 5f6e10bdfe78f855105843c67ff6ec69801caba328a8b1681425b06e359f888c

 

Rilide C2 Domains

frz-panel[.]su
lsadksajpenal[.]su
edd2ed2[.]online
proyectopatentadomxapostol[.]com
assets[.]bnbcoinstatic[.]com
tes123123t[.]com
web-lox[.]com
pupkalazalupka[.]com
extension-login[.]com
io-web[.]cc
ext-panel[.]website
extensionsupdate[.]com
blackfox[.]lol
silent-scale[.]com
getvoyagebox[.]org

 

Rilide Permhashes

8caaafe787c9e3d59486ec129b4259764641999b0f1de6b5b46d3773e96442c8
6e9c56301605aeeb0efcbbfbf10008dba7a8b99963f02256d1b28fbc30df7907
3aa913da9591d998a229acec529eb58b1fea14b403b92f56dde47a8425739473

 

Rilide Loaders

File Name Hash Type Hashes
main8.ps1 MD5 23fc39223b0225998a70a3cb2e05ad4b
SHA1 69fb5b178f369beaac85f02791fd8f85facdd20b
SHA256 aa76e48528f473b171b98bfc4d4e4d839a98c255e78382dc6f020e36ed00ea5b
main8v2.ps1 MD5 7ca9216d43d51507d326a72c4d27056e
SHA1 e3476f4fb588b23bdd625bdc75a98a16d1acb4bd
SHA256 abe1c395c9db7df35611caf30fff0a18f23726505b2b51e4dce6547896ee6f76
main9.ps1 MD5 ced4052c3d3d32e21df075d68b5a4494
SHA1 cba87daff1cf961fe941489cfcc80f074f8d49ed
SHA256 d755c580cc88b6a5028e843aeda3e3a50c8f025ef1dcf66027c0c1b671024d36
main8v3.ps1 MD5 1de4b5ff5035d3df6ab27d12c83b18f5
SHA1 aa7929ba89295c732398c63a574a49f035b9ca52
SHA256 dfff032e311776b3d62f70856a6d29ca8267beee614f756301b7f891c6325485
dropper.exe MD5 bc9472ab59a9625003190b2dfcd1c502
SHA1 ddb5e3e03655fa8dd8690aeb81db00da84bd2c8b
SHA256 7465e22c5544ff885472e36dd60beec5039c68c4728d804fea240bc36e8f6794
chrome.exe MD5 5e8d7b2ea9c184a5a88edd0e507571ed
SHA1 027268c51892ca07c36b66ae31dbe33c2afeb789
SHA256 45d03f5d809664844d569d35431a147885d201ca151bda9bf66f282daec025a6
out_5.bin MD5 63e9249d7950ca2e03c40a64a76a3951
SHA1 29dd8609c74cc54d60bab53c6e83a3cb641f8b4a
SHA256 14405eee6b03c4de6fba6b68768a943120c092280e0763ee2672b7ffdf9358bc
new_out.bin MD5 1c683f7e8ede935de16fe1af8d920b4e
SHA1 ace802a22a69b2d6fe305d407212c0919671f81a
SHA256 1ac5e7036f862b8d2a951b1be262b498f0c9213d4d2f500e9c5f06ac8e8179b2
yoo.ps1 MD5 a404c8f69888159b85aa2b069f0d0f90
SHA1 70cae8f5f2d6573510f5f4400a8baba89e5bcd2f
SHA256 461773a67e1a6228d0a8d02a45da72fc94ce0df97cd99aef33dcbf859d306a11
Injector.exe MD5 7ba207ff437a0df9b5a05a01c0d548b9
SHA1 2c98abcaea10d3abd307c68cbf95f3e4af40ec04
SHA256 e8a791965f8534b33736a0786ebeb0975002f3a03c31aefe2e4a64a1d4c70a34
MD5 b4867df506f38736c0f6ce56decad080
SHA1 d033569c97f382b21ce83439dae0cab5bd28e135
SHA256 54920cdfbc9403da38058b90bfb19a1af5caff2ca4584209d13e0f90b64c3b2c
virus_exe.exe MD5 f5dc1259e5300b8d4711ca7bf51c6e9f
SHA1 92d4921b1fc15ae389a59b5df90614d7926f95e9
SHA256 6aa388c50c8c184901db02eae71b1ec3d9e0ab9e636d22419f64a83c8b2c94b0
ChatGPT.exe MD5 89d7bf4d70efaeb4e63eddd179df9829
SHA1 c84a3774eea3c7c3069964fff500eb498a3e3fa0
SHA256 e89971bfb8375d748cc233157537856c5598fcd513ed42e862261a99843f40d0
Riot Revelry 1.0.2.exe MD5 4a0e5fee91b361a09cd9d70e5f6ffb3d
SHA1 3976d181a1bdeaca94c072d672ee90750865ee96
SHA256 6a83ee64b323082bf8827deb6297d4d3895f346ff83e9d9d4d125e976df5e503
Night Predators 1.0.2.exe MD5 0f8c7037ba4cf9736a5ac22cde94b7ed
SHA1 018caa6adbd983fd2e2ba46670196a41669b4cef
SHA256 1f62a8dc5e71b2826d0fe70588c4c4cbebb9518d3f1125807e6e6927b359458a

 

Rilide Loaders ITW URLs

https://download[.]hdoki[.]org/yzxdhdxsqkmvcayrtevs/Riot Revelry 1.0.2.exe Fake P2E games installers
https://download[.]hdoki[.]org/yzxdhdxsqkmvcayrtevs/Night Predators 1.0.2.exe

 

Fake P2E Games Domains

nightpredators[.]com
riotrevelry[.]com