The malicious activities include monitoring browsing history, taking screenshots and stealing cryptocurrency through scripts injected into websites.
Rilide impersonated benign Google Drive extensions to remain undetected while abusing built-in Chrome features.
The cybersecurity company also found another operation that loaded the extension using a Rust loader by leveraging Google Ads and the Aurora Stealer.
While the origin of the malware is still unknown, Trustwave reports that it shares similarities with extensions that are sold to cybercriminals. In addition, after a dispute between hackers over an unresolved payment, some of its code was recently disclosed on a dark web forum.
Hijacking Chromium-based Browsers
Rilide’s loader modifies the web browser shortcut files to automate the execution of the malicious extension that is dropped on the compromised system.
When the malware is executed, a script attaches a listener to monitor when the victim switches tabs, receives web content, or finishes loading a page. It also checks whether the current site matches a list of targets retrieved from the command-and-control (C2) server.
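The shortcut-tampering step above is something a defender can audit directly. The following Python check is an added example and is not Trustwave's tooling or anything from the Rilide analysis: it assumes the shortcut target and argument strings have already been read out (on Windows, for instance, via the WScript.Shell COM object), and it flags Chromium-family shortcuts whose command line carries one of two real Chromium switches that load unpacked extensions (`--load-extension` and `--disable-extensions-except`). The article does not say which switch Rilide's loader uses, so treating these two as the indicators is an assumption; the shortcut records below are constructed for the demonstration.

```python
"""Flag browser shortcuts whose command line loads an unpacked extension.

Added defender-side example; not from the Trustwave report. Assumes the
caller has already extracted each shortcut's target path and argument
string (e.g. from the .lnk via WScript.Shell on Windows).
"""
from pathlib import PureWindowsPath

# Chromium-family executables whose shortcuts are worth inspecting (assumed list).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Real Chromium switches that load or whitelist unpacked extensions; both take a
# comma-separated list of directories. Treating them as the indicator is an assumption.
EXTENSION_SWITCHES = ("--load-extension", "--disable-extensions-except")


def split_windows_args(arguments: str) -> list[str]:
    """Split a Windows argument string on whitespace while keeping double-quoted
    spans (which may contain spaces) inside one token, with the quotes removed."""
    tokens, current, in_quote = [], [], False
    for ch in arguments:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def extension_switches(target: str, arguments: str) -> list[tuple[str, list[str]]]:
    """Return (switch, [directories]) pairs found on a Chromium-family browser
    shortcut; an empty list when nothing is loaded or the target is not Chromium."""
    exe = PureWindowsPath(target).name.lower()
    if exe not in CHROMIUM_BROWSERS:
        return []
    hits = []
    for token in split_windows_args(arguments):
        name, _, value = token.partition("=")
        if name.lower() in EXTENSION_SWITCHES:
            dirs = [d for d in value.split(",") if d]
            hits.append((name.lower(), dirs))
    return hits


def scan_shortcuts(shortcuts: list[dict]) -> dict[str, list[tuple[str, list[str]]]]:
    """Map each flagged shortcut name to the extension switches it carries."""
    flagged = {}
    for sc in shortcuts:
        hits = extension_switches(sc["target"], sc["arguments"])
        if hits:
            flagged[sc["name"]] = hits
    return flagged


# Constructed sample records (not real artefacts from the report).
SAMPLE_SHORTCUTS = [
    {
        "name": "Google Chrome.lnk",
        "target": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "arguments": r'--load-extension="C:\Users\victim\AppData\Roaming\ExtDir" --no-first-run',
    },
    {
        "name": "Microsoft Edge.lnk",
        "target": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "arguments": r'--disable-extensions-except="C:\ProgramData\Ext A","C:\ProgramData\Ext B"',
    },
    {
        "name": "Clean Edge.lnk",
        "target": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "arguments": "",
    },
    {
        "name": "Firefox.lnk",  # not Chromium-based, so the switch is ignored
        "target": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "arguments": "--load-extension=irrelevant",
    },
]

if __name__ == "__main__":
    for name, hits in scan_shortcuts(SAMPLE_SHORTCUTS).items():
        for switch, dirs in hits:
            print(f"{name}: {switch} -> {dirs}")
```

Any directory reported here is what a responder should collect and inspect next (its manifest and scripts), since a persistent extension-loading switch on a browser shortcut is not something normal installers leave behind.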
[…]