Microsoft Defender, the antivirus built into Windows 8 and later, reportedly failed to catch malware that hijacked a victim's Google account through the Chrome browser and led to the theft of more than $24,000 in cryptocurrency.
“He got access to my Google passwords because my Bitwarden was unlocked and then deducted the wallet extension’s passwords. That’s what led me to ruin,” the victim explained in a post, adding that the attacker was a stranger who had messaged him on Telegram, an app scammers often use, and convinced him to download a malicious application.
The victim said they had Malwarebytes on their Windows laptop, but presumably the free version, which does not include real-time protection: it only flagged the game download as a Trojan after the victim ran a manual scan. The software then quarantined the file, but by that point the damage had already been done.
SafetyDetectives researchers reproduced the victim’s report and found it to be accurate, according to their write-up published this week. They verified that the sci-fi blockchain game known as Orbit Unit, which the victim was tricked into downloading, is a scam: installing the game runs Windows malware. Microsoft Defender doesn’t block the game’s installer, and once the game is installed, Defender doesn’t catch the malware it drops, either. They found Defender was “utterly silent” throughout the whole test, never warning the user.
The malware then uses PowerShell to run a series of scripts. These install a malicious Chrome extension dubbed “Google Keep Chrome Extension,” impersonating the real Google Keep note-taking tool. This one, however, steals login data and session cookies, monitors anything copied or pasted within Google Chrome, and reads the full browsing history. It can even open new browser tabs.
The extension circumvents two-factor authentication (a stolen session cookie is issued after the second factor has already been checked, so replaying it needs neither the password nor a code) and collects enough data and permissions to control the computer remotely, according to the researchers’ test on a Windows virtual machine with only Microsoft Defender installed.
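The permission set described above (cookies, history, clipboard, tabs, plus host access to every site) is what makes such an extension dangerous, and it is visible in each extension's manifest.json on disk. The audit below is an added example written for this article; it is not SafetyDetectives' tooling or any artifact of the reported malware, and the two sample manifests it builds are constructed for the demonstration (the lookalike's permissions follow the capabilities the write-up lists, not a published manifest). It assumes Chrome's usual user-data layout, which on Windows lives under %LOCALAPPDATA%\Google\Chrome\User Data.

```python
"""Flag Chrome extensions that can read session cookies, clipboard and history.

Added example for this article (not the researchers' code). Walks a Chrome
user-data directory (<profile>/Extensions/<id>/<version>/manifest.json) and
reports extensions whose permissions match a cookie-stealer profile or that
were sideloaded rather than installed from the Chrome Web Store.
"""
import json
import tempfile
from pathlib import Path

# Extensions installed from the Web Store carry exactly this update_url;
# an unpacked or policy-forced extension normally has none.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions that expose credentials, session state or user activity.
SENSITIVE_PERMISSIONS = {
    "cookies", "history", "clipboardRead", "clipboardWrite", "tabs",
    "webRequest", "webNavigation", "management", "nativeMessaging", "debugger",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed extension IDs (Chrome IDs are 32 letters a-p); not real extensions.
FAKE_ID = "aaaabbbbccccddddeeeeffffgggghhhh"
BENIGN_ID = "iiiijjjjkkkkllllmmmmnnnnoooopppp"


def risky_permissions(manifest):
    """Return the sensitive API permissions and broad host patterns declared."""
    # Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("optional_permissions", []))
    declared |= set(manifest.get("host_permissions", []))
    return (declared & SENSITIVE_PERMISSIONS) | (declared & BROAD_HOSTS)


def assess(manifest):
    """Return a list of human-readable findings; empty means nothing notable."""
    findings = []
    risky = risky_permissions(manifest)
    if "cookies" in risky and risky & BROAD_HOSTS:
        findings.append("can read session cookies for every site (cookies + broad host access)")
    if "clipboardRead" in risky:
        findings.append("can read the clipboard")
    if "history" in risky:
        findings.append("can read browsing history")
    update_url = manifest.get("update_url")
    if update_url != WEBSTORE_UPDATE_URL:
        findings.append("not updated from the Chrome Web Store (sideloaded or unpacked)")
        # A localized name is "__MSG_...__"; resolving _locales is omitted here.
        if "google" in manifest.get("name", "").lower():
            findings.append("claims to be a Google extension but is not from the Web Store")
    return findings


def audit_profile(user_data_dir):
    """Map extension id -> {name, path, findings} for every flagged extension."""
    results = {}
    for manifest_path in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        findings = assess(manifest)
        if findings:
            results[ext_id] = {"name": manifest.get("name"),
                               "path": str(manifest_path), "findings": findings}
    return results


def build_sample_profile():
    """Write two constructed manifests into a temporary user-data dir."""
    root = Path(tempfile.mkdtemp(prefix="chrome-audit-"))
    samples = {
        BENIGN_ID: {"manifest_version": 3, "name": "Notes Helper", "version": "1.0",
                    "permissions": ["storage"], "update_url": WEBSTORE_UPDATE_URL},
        FAKE_ID: {"manifest_version": 3, "name": "Google Keep Chrome Extension",
                  "version": "1.0",
                  "permissions": ["cookies", "history", "clipboardRead", "tabs"],
                  "host_permissions": ["<all_urls>"]},   # no update_url: sideloaded
    }
    for ext_id, manifest in samples.items():
        ext_dir = root / "Default" / "Extensions" / ext_id / "1.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for ext_id, info in audit_profile(build_sample_profile()).items():
        print(f"{ext_id}  {info['name']}")
        for finding in info["findings"]:
            print(f"  - {finding}")
```

Against a real profile, call audit_profile with the actual User Data path; the sideload check is worth pairing with a look at the ExtensionInstallForcelist policy key, since force-installed extensions also bypass the Web Store.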
In another test, Malwarebytes with real-time protection enabled blocked the malware before it was installed. Bitdefender didn’t block the installation but did stop the malware before it reached sensitive information on the PC. SafetyDetectives rates both programs as having handled the threat equally well, even though Bitdefender caught it later in the chain, because neither paid product allowed data to be stolen or let the malware carry out its attack.
Notably, this malware, like many others deployed by criminals, checks the machine’s location before deciding whether to proceed. In this case, if the device appeared to be in Russia, Ukraine, or Belarus, the malware would abort. Such exclusions are commonly read as a sign that the operator lives in one of those countries, but that cannot be confirmed here.
“If you’ve got auto-login enabled on any of your accounts, this is a goldmine for attackers,” SafetyDetectives explains in their video. “They don’t even need your password—they can just use the login tokens stored in your browser to hijack your sessions and access your accounts directly.”
If you own any cryptocurrency, never store your wallet passwords, seed phrases, or recovery phrases digitally; write them down on paper and keep them somewhere secure (such as a safe). A vetted antivirus program with real-time protection enabled also gives you a chance to stop malware like this before it runs, rather than after a manual scan finds it.
Don’t keep more than you’re willing to lose in a browser-extension wallet. If you hold more than about a thousand dollars’ worth of crypto, consider moving it to a hardware wallet, which requires a physical confirmation on the device (pressing its buttons) before a transaction can be signed.