Microsoft Defender Is Not Enough Anymore—This Malware Gets Around It

In a recent incident that has raised concerns about cybersecurity, a victim reported losing over ,000 in cryptocurrency due to a malware attack that bypassed Microsoft Defender, the built-in antivirus solution for Windows Vista and later versions. The victim recounted how a stranger on Telegram, a platform often exploited by scammers, persuaded him to download a malicious application disguised as a sci-fi blockchain game called Orbit Unit.

Malware’s Intrusive Mechanism

The victim explained that the attacker obtained his Google passwords from an unlocked Bitwarden vault and then used them to compromise the credentials for his cryptocurrency wallet browser extension. Although Malwarebytes was installed on his Windows laptop, the free version lacks real-time protection, so it identified the malicious game as a Trojan only after the victim had run a manual scan. By that time, the damage was irreversible, leaving the victim to lament the loss.

Researchers from SafetyDetectives confirmed the victim’s account, revealing that Microsoft Defender failed to block the installation of the Orbit Unit game or detect the malware once it was operational. Their tests indicated that Defender remained “utterly silent” throughout the process, allowing the malware to execute its harmful functions unhindered.

The malware employs PowerShell to execute various scripts and installs a deceptive Chrome extension masquerading as the legitimate Google Keep note-taking tool. This malicious extension is designed to steal login credentials and user cookies, monitor clipboard activity, and even manipulate browser history. Alarmingly, it can also bypass two-factor authentication and gain remote control over the infected computer.
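The extension described above combines a trusted brand name with permissions a note-taking tool has no need for. The following audit script is an added example, not code from the article or from SafetyDetectives: it walks Chrome's `Extensions` directory (or the constructed sample manifests embedded below) and flags any extension that calls itself Google Keep without carrying the official Web Store id, or that requests cookie, clipboard, history or all-site access. The official id and the permission list are assumptions to verify before relying on them.

```python
import json
from pathlib import Path

# Assumption: Chrome Web Store id of the genuine Google Keep extension; verify it
# against the store listing before using this in production.
OFFICIAL_KEEP_ID = "lpcaedmchfhocbbapmcbpinfpgnhiddi"

# Permissions that expose session cookies, clipboard contents, browsing history or
# every page's content; the article attributes all of these capabilities to the malware.
SENSITIVE_PERMISSIONS = {"cookies", "clipboardRead", "history", "tabs", "webRequest", "<all_urls>"}


def audit_extension(ext_id: str, manifest: dict) -> list[str]:
    """Return findings for one extension manifest; an empty list means nothing was flagged."""
    findings = []
    # Note: localized manifests use "__MSG_name__" placeholders, which would need a
    # _locales lookup to resolve; that case is not handled here.
    name = manifest.get("name", "").lower()
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if "google keep" in name and ext_id != OFFICIAL_KEEP_ID:
        findings.append(f"name impersonates Google Keep but id {ext_id} is not the official one")
    risky = sorted(perms & SENSITIVE_PERMISSIONS)
    if risky:
        findings.append("requests sensitive permissions: " + ", ".join(risky))
    return findings


def audit_profile(extensions_dir: str) -> dict[str, list[str]]:
    """Scan a live profile: <profile>/Extensions/<id>/<version>/manifest.json."""
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            findings = audit_extension(ext_id, json.load(fh))
        if findings:
            report[ext_id] = findings
    return report


# Constructed sample manifests (not real data): a benign Keep install and a lookalike
# with the capabilities the article describes. The lookalike id is made up.
LOOKALIKE_ID = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
SAMPLE_MANIFESTS = {
    OFFICIAL_KEEP_ID: {"name": "Google Keep Chrome Extension", "permissions": ["storage"]},
    LOOKALIKE_ID: {"name": "Google Keep", "permissions": ["cookies", "clipboardRead", "history", "tabs"],
                   "host_permissions": ["<all_urls>"]},
}


def audit_samples() -> dict[str, list[str]]:
    """Run the audit over the constructed samples; only the lookalike should appear."""
    return {eid: f for eid, m in SAMPLE_MANIFESTS.items() if (f := audit_extension(eid, m))}
```

On a real machine, point `audit_profile` at the profile's `Extensions` folder (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows) and review every flagged id against the Web Store.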

Comparative Analysis of Antivirus Solutions

In contrast, when tested with Malwarebytes featuring real-time protection, the software successfully blocked the malware before it could be installed. Bitdefender, while not preventing the installation, managed to halt the malware from accessing sensitive information on the device. SafetyDetectives noted that both antivirus programs ultimately protected the user from data theft, although they did so at different stages of the attack.

Interestingly, the malware checks the user's location and refrains from executing its attack if the machine appears to be in Russia, Ukraine, or Belarus. This behavior suggests a potential link to the attacker's location, although definitive conclusions remain elusive.

Best Practices for Cryptocurrency Security

SafetyDetectives emphasized the vulnerabilities associated with auto-login features, warning that attackers can exploit stored login tokens to hijack user sessions without needing passwords. To safeguard cryptocurrency assets, they recommend avoiding the digital storage of wallet passwords, seed phrases, or recovery phrases. Instead, these should be recorded on paper and secured in a safe location.

Additionally, employing a reputable antivirus program with real-time protection is crucial for preventing malware infections. Users are advised to limit the amount of cryptocurrency held in browser extension-based wallets and consider transferring significant amounts to hardware wallets, which require physical interaction to access funds.
