
Vendor News

A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors

02 May 2023

Two pillars of sleight-of-hand magic are User Initiated Action, where the target needs to believe their actions are their own, and Hidden Action, where the trick needs to be concealed behind something ordinary and nonthreatening. Mandiant became aware of a chain of adversary methodologies that leverages these two pillars to achieve persistence.

  1. The user executes an LNK shortcut file that, unbeknownst to them, has been tampered with.
  2. The modified LNK shortcut file executes a legitimate browser, hiding the malicious extension.

If the technical sleight of hand is successful, the adversary will achieve persistence by means of malicious Chromium-based browser extensions.
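A hunting helper for the chain described above, added here as an example and not code from the Mandiant report: it parses the fixed header and StringData fields of a Shell Link (.lnk) file and flags shortcuts that point a Chromium browser at extension-loading command-line switches. The browser list, the switch list and the sample shortcut are assumptions constructed for this example; real shortcuts may carry the target only inside LinkInfo, which this minimal parser skips.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification (header offset 0x14)
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe")
# Chromium switches that side-load an unpacked extension: a hunting heuristic assumed here, not from the report
SUSPICIOUS_SWITCHES = ("--load-extension", "--disable-extensions-except")

def _read_string(data, pos, unicode):
    # StringData field: uint16 CountCharacters, then UTF-16LE (IsUnicode) or ANSI characters
    count = struct.unpack_from("<H", data, pos)[0]
    width, enc = (2, "utf-16-le") if unicode else (1, "cp1252")
    end = pos + 2 + width * count
    return data[pos + 2:end].decode(enc), end

def parse_lnk(data):
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_TARGET_IDLIST:  # LinkTargetIDList: uint16 IDListSize followed by the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: uint32 LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    return fields

def hunt_lnk(data):
    """Return the extension-loading switches present when the shortcut targets a Chromium browser."""
    fields = parse_lnk(data)
    if not fields.get("relative_path", "").lower().endswith(BROWSERS):
        return []
    return [sw for sw in SUSPICIOUS_SWITCHES if sw in fields.get("arguments", "")]

def build_lnk(relative_path, arguments):
    """Constructed sample: a minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)  # zero the remaining header
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body

# Constructed tampered shortcut: legitimate browser target, extension loaded from a user-writable path
TAMPERED = build_lnk(r"..\Chrome\chrome.exe", r'--load-extension="%APPDATA%\ext" https://example.com')
```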

While hunting this methodology, Mandiant identified BRAINSTORM, a Rust-based dropper, which ultimately led to RILIDE, a Chromium-based extension first publicly reported by SpiderLabs. Careful investigation identified that the email and cryptocurrency theft ecosystem of RILIDE is larger than reported. This research will dissect the relevant adversary methodologies, discuss the identified malware families abusing this methodology, and include numerous detection opportunities to expand the defender’s hunting and detection repertoire.