Malware bypasses Microsoft Defender and 2FA, stealing $24K in cryptocurrency via a fake NFT game app. Learn how it compromised devices and evaded security.
Cybersecurity researchers at SafetyDetectives revealed that Microsoft Defender, the default Windows antivirus, was deceived by malware, enabling the theft of cryptocurrency from an unsuspecting user. The issue was uncovered during the analysis of a seemingly harmless NFT game app, which was actually designed to steal cryptocurrency.
The application also compromised the device by bypassing Google’s two-factor authentication and stole over $24,000 in cryptocurrency. According to researchers, the malware, once installed, quietly operates in the background, gathering sensitive information and may even hijack the user’s Google account, which is protected by two-factor authentication (2FA). It achieves this by installing a malicious Chrome extension disguised as Google Keep, bypassing the 2FA security measures.
During the investigation, SafetyDetectives’ team tested Microsoft Defender against the malware-laced app, using Wireshark to monitor network traffic and trace where the malware was communicating.
Surprisingly, Microsoft Defender failed to stop the virus during its installation and execution, allowing the malware to gain access to system operations, download suspicious files, collect sensitive information, and even determine the user’s location.
The malware was programmed to shut down if the user was in Russia, Ukraine, or Belarus, likely due to its origin. The fake Chrome extension enabled the malware to access every website visited, steal login data, and monitor anything copied from the browser. The virus collected everything necessary to remotely control the system, and Microsoft Defender didn’t send an alert.
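The write-up describes a Chrome extension that presents itself as Google Keep while holding access to every site the user visits, their login data and the clipboard. A defender can hunt for that combination by auditing extension manifests on a profile. The script below is an added example written for this article, not code from SafetyDetectives or from the malware; it assumes Chrome’s usual layout of `Extensions/<id>/<version>/manifest.json`, uses a placeholder for the allow-listed official extension ID, and runs against two constructed sample manifests so it works offline.

```python
"""
Audit Chrome extension manifests for the traits described in the article:
an extension calling itself "Google Keep" that is not the allow-listed one,
combined with broad host access plus tab/cookie/clipboard permissions.
Added example; sample manifests below are constructed, not real extensions.
"""
import json
import re
from pathlib import Path
from typing import Dict, List

# Permissions that, together with broad host access, let an extension read every
# page, the session cookies behind logged-in accounts and the clipboard.
RISKY_PERMISSIONS = {"tabs", "webRequest", "cookies", "clipboardRead", "scripting", "webNavigation"}
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# Assumption: the defender keeps an allow-list of known-good extension IDs; the
# real Google Keep ID would go here. Placeholder value, not a real ID.
ALLOWLISTED_IDS = {"PLACEHOLDER_OFFICIAL_GOOGLE_KEEP_ID"}
IMPERSONATED_NAMES = re.compile(r"google\s*keep", re.IGNORECASE)


def host_patterns(manifest: dict) -> List[str]:
    """Collect host patterns from v2 'permissions', v3 'host_permissions' and
    content-script 'matches' (which grant page access on their own)."""
    hosts = []
    for key in ("permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
                hosts.append(p)
    for cs in manifest.get("content_scripts", []):
        hosts.extend(cs.get("matches", []))
    return hosts


def audit_manifest(ext_id: str, manifest: dict) -> Dict[str, object]:
    """Score one manifest; higher means more of the traits the article describes."""
    name = str(manifest.get("name", ""))
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    broad = [h for h in host_patterns(manifest) if h in BROAD_HOST_PATTERNS]
    risky = sorted(perms & RISKY_PERMISSIONS)
    impersonation = bool(IMPERSONATED_NAMES.search(name)) and ext_id not in ALLOWLISTED_IDS
    score = len(risky) + (2 if broad else 0) + (3 if impersonation else 0)
    return {
        "id": ext_id,
        "name": name,
        "broad_hosts": broad,
        "risky_permissions": risky,
        "impersonates_known_brand": impersonation,
        "score": score,
        "flag": score >= 4,
    }


def audit_directory(extensions_root: Path) -> List[Dict[str, object]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json as Chrome lays it out."""
    findings = []
    for manifest_path in extensions_root.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue
        findings.append(audit_manifest(ext_id, manifest))
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed samples: one mimics Google Keep with broad access, one is narrow and benign.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3,
        "name": "Google Keep",
        "permissions": ["tabs", "cookies", "clipboardRead", "scripting", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 3,
        "name": "Dark Mode for Example",
        "permissions": ["storage"],
        "host_permissions": ["https://example.com/*"],
    },
}


def audit_samples() -> List[Dict[str, object]]:
    """Run the audit over the constructed samples, most suspicious first."""
    return sorted((audit_manifest(i, m) for i, m in SAMPLE_MANIFESTS.items()),
                  key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in audit_samples():
        print(f"{'FLAG' if f['flag'] else 'ok  '} {f['id']} {f['name']!r} score={f['score']} "
              f"risky={f['risky_permissions']} broad={f['broad_hosts']}")
```

Point `audit_directory` at a profile’s `Extensions` folder to scan a real machine. The scoring weights are a starting point, not a verdict: a legitimate extension can request `<all_urls>`, so the name-versus-ID mismatch is what separates impersonation from an ordinary over-privileged add-on.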
Bitdefender and Malwarebytes to the Rescue
To assess the effectiveness of other antivirus solutions, the team also tested Malwarebytes and Bitdefender. While neither antivirus was able to prevent the initial installation, they did intervene at later stages of the attack. Bitdefender blocked the malware’s attempt to access critical information, while Malwarebytes prevented the installation altogether.
“While Malwarebytes stopped the breach faster than Bitdefender, neither is inherently better in dealing with this specific malware, as both were able to prevent critical compromise. Bitdefender may even have the benefit of having fewer false positives,” they explained in the blog post.
One possible factor is that Microsoft Exchange Server has in recent years been targeted by a series of zero-day vulnerabilities, some of which could have impacted Microsoft Defender’s ability to protect systems. Another is that supply chain attacks, like the SolarWinds hack, can compromise software updates and tools, potentially affecting the integrity of security solutions like Microsoft Defender.
Nevertheless, the investigation emphasizes the importance of investing in stronger antivirus software and exercising caution when downloading and installing applications, especially from unverified sources. Staying informed about cyber threats and taking proactive measures can significantly reduce the risk of malicious attacks.