2FA Evading Malwares on the rise


Khush Bhatt

August 12, 2020


Writing after a long gap. We were engaged with Black Hat, DEFCON 28 & Blockchain Village 2020 remotely in #SAFEMODE. This was a great experience.

In my previous blog I had mentioned that phishing apps running on the mobile device itself and stealing credentials are becoming mainstream. Two weeks ago media around the world carried news of a new malware family, Black Rock, which steals credentials from a wide variety of applications, not limited to the banking sector.


2FA Evading Malware Pedigree

We list the malware families that not only steal passwords but also evade conventional 2FA (Two-Factor Authentication).

| Malware Framework | Target Application | Target Attribute | Impact | More Reference |
|---|---|---|---|---|
| Black Rock | Apps related to finance / banking | Sends, spams and steals SMS messages; inserts keyloggers | Can steal OTPs and passwords | Threat Fabric |
| EventBot | Banking, payment, money transfer, cryptocurrency wallets | SMS, 2FA codes/OTPs, *TAN codes | Compromise of banking and finance applications | Cybereason |
| TrickMo/TrickBot | Transactional apps | Transaction Authorization Codes | Can be responsible for financial loss or lead to unwanted transactions | IBM X-Force |
| Loki Bot | Apps related to finance / banking | Sends, spams and steals SMS messages; inserts keyloggers | Can steal OTPs and passwords | ThreatFabric |
| Ryuk | Initially email apps, then the whole machine/PC | System files | Inserts payloads, affects the system and asks for ransom | Duo Security |
| Cerberus | Google Authenticator app | 2FA codes | Compromise of any platform associated with Google Authenticator | |

Various malware families with different capabilities are detected every month. These 2FA-evading malware families challenge organizations: adding an extra factor on top of passwords does not remove the vulnerability.

Cerberus malware is in fact targeting Google Authenticator, compromising the whole class of apps that rely on it.

SMS-based OTPs have been phased out since 2017 because of the increase in SIM-swapping attacks, and the industry moved to TAN-based authentication, with PushTAN the most popular. In this writeup we have seen that mobile app trojans steal the temporary tokens directly rather than swapping the SIM.


2FA fails to protect against spear-phishing attacks

When it comes to protecting credentials against phishing or spear-phishing attacks, 2FA becomes irrelevant. Our founder Ajit Hatti, in an interview with Mike Scialom, discussed the spear-phishing attacks rocking UK politics.

The PureID authentication system is designed to resist such malware because authentication happens using PKI and no credentials are involved.

Here is a demo video showing how PureID enables passwordless login more securely, so that such malware cannot carry out phishing, credential theft or 2FA bypass.


Time and again it has been proven that enterprises adopting 2FA to secure passwords end up with higher cost, more complexity for administrators and more inconvenience for users, while authentication remains insecure.
