The Rilide lab presents a sophisticated browser-based malware investigation scenario centered on a deceptive Chrome extension used as a delivery mechanism for credential theft and financial manipulation. In this case, a financial analyst at a cryptocurrency asset management firm unknowingly installed a malicious browser extension from a seemingly legitimate source that claimed to offer productivity enhancements. Shortly after installation, the victim’s machine began to exhibit classic indicators of compromise: clipboard hijacking, unauthorized redirects, and covert browser activity. Internal monitoring further revealed communication with unfamiliar external infrastructure, triggering an in-depth forensic response.
Participants in this lab are tasked with dissecting a variety of artifacts left behind by the malicious extension, including obfuscated JavaScript files, JSON configurations, and Chrome extension manifests. Through this analysis, the investigation uncovers how the malware leverages Chrome APIs for persistence, uses scheduled tasks to delay execution, and employs multiple encoding schemes like Base64 and Base58 to conceal its operations. The lab also explores the malware's targeting of popular webmail services such as Gmail, Yahoo Mail, and Outlook, with the goal of intercepting sensitive data, including credentials and 2FA codes.
By reverse-engineering the extension's logic, analysts trace clipboard modifications designed to redirect cryptocurrency transactions to an attacker-controlled Bitcoin wallet. OSINT investigations reveal that this wallet is linked to a malicious domain and has been flagged in multiple threat intelligence sources. This lab provides a comprehensive, real-world exploration into browse
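The artifact types the lab describes (a manifest, background JavaScript, Base64- and Base58-encoded strings, a clipboard-rewriting routine scheduled through Chrome's alarms API) lend themselves to a small triage script. The following Python is an added example written for this page, not code from the lab or from the Rilide extension: it flags risky manifest permissions, notes which Chrome APIs the script calls, and decodes any Base64/Base58 blobs to printable text. The manifest, script, wallet string and C2 URL it runs against are constructed placeholders, not indicators from the lab.

```python
"""Triage helper for a suspicious Chrome extension (added example, not the lab's code):
flags risky manifest permissions, notes Chrome API calls tied to delayed execution
and clipboard access, and decodes Base64/Base58 blobs found in the extension's JS."""
import base64
import json
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Permissions worth a second look when they appear together in a "productivity" extension.
RISKY_PERMISSIONS = {
    "clipboardRead", "clipboardWrite",   # read / rewrite clipboard contents
    "webRequest", "webRequestBlocking",  # observe or modify browser traffic
    "alarms",                            # schedule delayed execution
    "tabs", "scripting", "cookies", "<all_urls>",
}

# Chrome API usages that map to the behaviours described in the lab write-up.
API_INDICATORS = {
    "delayed execution": r"chrome\.alarms\.create",
    "clipboard access": r"navigator\.clipboard|document\.execCommand\(['\"]copy",
    "traffic interception": r"chrome\.webRequest",
    "install-time persistence": r"chrome\.runtime\.onInstalled",
}


def b58encode(data: bytes) -> str:
    """Bitcoin-style Base58: leading zero bytes become leading '1' characters."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def risky_permissions(manifest_text: str) -> list:
    """Sorted list of declared permissions that fall in RISKY_PERMISSIONS."""
    manifest = json.loads(manifest_text)
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return sorted(declared & RISKY_PERMISSIONS)


def api_indicators(js_text: str) -> list:
    """Sorted names of the behaviours whose API pattern appears in the script."""
    return sorted(name for name, pat in API_INDICATORS.items() if re.search(pat, js_text))


TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{16,}")  # long runs of Base64/Base58-looking characters


def _printable(raw: bytes):
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def decode_blobs(js_text: str) -> list:
    """Return (scheme, plaintext) pairs for every token that decodes to printable ASCII.
    Both schemes are tried because the Base58 alphabet is a subset of Base64's."""
    results = []
    for token in set(TOKEN_RE.findall(js_text)):
        try:
            text = _printable(base64.b64decode(token, validate=True))
            if text:
                results.append(("base64", text))
        except ValueError:  # covers binascii.Error (bad padding / characters)
            pass
        if all(ch in B58_ALPHABET for ch in token):
            text = _printable(b58decode(token))
            if text:
                results.append(("base58", text))
    return sorted(results)


# --- constructed sample artefacts (placeholders, not indicators from the lab) ---
WALLET_PLACEHOLDER = "bc1q-attacker-wallet-placeholder"   # stands in for the real address
C2_PLACEHOLDER = "https://c2.example.invalid/gate"       # stands in for the real domain

SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Productivity Helper",
    "permissions": ["alarms", "clipboardRead", "clipboardWrite", "tabs", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})

# Constructed background script: delayed start via alarms, encoded C2 URL and wallet,
# clipboard rewrite. Encodings are produced here so the sample is self-consistent.
SAMPLE_JS = f"""
chrome.runtime.onInstalled.addListener(() => chrome.alarms.create("sync", {{delayInMinutes: 30}}));
const target = atob("{base64.b64encode(C2_PLACEHOLDER.encode()).decode()}");
const w = "{b58encode(WALLET_PLACEHOLDER.encode())}";
navigator.clipboard.readText().then(t => navigator.clipboard.writeText(w));
"""

if __name__ == "__main__":
    print("risky permissions:", risky_permissions(SAMPLE_MANIFEST))
    print("api indicators:   ", api_indicators(SAMPLE_JS))
    for scheme, text in decode_blobs(SAMPLE_JS):
        print(f"{scheme}: {text}")
```

Run against the real artifacts by reading `manifest.json` and each script into `risky_permissions` and `decode_blobs`; the decoded strings (wallet addresses, domains) are then what you pivot on for the OSINT step, and the permission set plus `chrome.alarms.create` usage is what justifies treating a "productivity" extension as the delivery mechanism rather than a coincidence.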