2FA Evading Malwares on the rise

Khush Bhatt, August 12, 2020

Writing after a long gap. We were engaged remotely with Black Hat, DEFCON 28 and Blockchain Village 2020 in #SAFEMODE, which was a great experience.

In my previous blog post I mentioned that in-mobile phishing apps that steal credentials are going mainstream. Two weeks ago the media around the world was flooded with news of a new malware family, Black Rock, which steals credentials from a wide variety of applications, not limited to the banking sector.


2FA Evading Malware Pedigree

Below we list malware families that not only steal passwords but also evade conventional 2FA (two-factor authentication).

| Malware framework | Target application | Target attribute | Impact | More reference |
|---|---|---|---|---|
| Black Rock | Apps related to finance / banking | Sends, spams and steals SMS messages; inserts keyloggers | Can steal OTPs and passwords | Threat Fabric |
| EventBot | Banking, payment, money transfer and cryptocurrency wallet apps | SMS, 2FA codes/OTPs, TAN codes | Compromise of banking and finance applications | Cybereason |
| TrickMo/TrickBot | Transactional apps | Transaction authorization codes | Financial loss or unwanted transactions | IBM X-Force |
| Loki Bot | Apps related to finance / banking | Sends, spams and steals SMS messages; inserts keyloggers | Can steal OTPs and passwords | ThreatFabric |
| Ryuk | Initially email apps, then the whole machine/PC | System files | Inserts payloads, affects the system and demands a ransom | Duo Security |
| Cerberus | Google Authenticator app | 2FA codes | Compromise of any platform associated with Google Authenticator | TechXplore |

New malware families with different capabilities are detected every month. These 2FA-evading malware families are challenging organizations: even after adding an extra factor on top of passwords, you remain vulnerable.

Cerberus malware in fact targets Google Authenticator, compromising the whole class of apps that rely on it.

SMS-based OTPs have been phased out since 2017 because of the rise in SIM-swapping attacks, and the industry moved to TAN-based authentication, with pushTAN the most popular. In this write-up we have seen that mobile-app trojans steal the temporary tokens themselves rather than swapping the SIM.


2FA fails to protect against spear-phishing attacks

When it comes to protecting credentials against phishing or spear-phishing attacks, 2FA becomes irrelevant. Our founder Ajit Hatti discussed the spear-phishing attacks wracking UK politics in an interview with Mike Scialom.

PureID's authentication system is designed to resist such malware: authentication uses PKI, and no credentials are involved.
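To make the contrast between a stolen temporary token and a PKI login concrete, here is an added example (not PureID's code; the post does not describe its protocol): a toy verifier that accepts an RFC 6238 TOTP code and, separately, an Ed25519 signature over a one-shot server challenge, standing in for a generic PKI login. The function names (`Demo`, `verifyOTP`, `verifySig`) and the shared secret are constructed for the example; it shows that a code copied by an on-device trojan still verifies inside its 30 s window, while a copied signature is rejected because the challenge it signed has already been consumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totp: 6-digit code for one 30 s step (HOTP over SHA-1, as in RFC 6238). It is a bearer value.
func totp(secret []byte, step uint64) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write(binary.BigEndian.AppendUint64(nil, step))
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}
// verifyOTP accepts any code matching the step, whichever session presents it.
func verifyOTP(secret []byte, code string, step uint64) bool {
	return hmac.Equal([]byte(code), []byte(totp(secret, step)))
}
var issued = map[string]bool{} // challenges handed out but not yet consumed
// challenge issues a fresh nonce; verifySig consumes it, so a captured signature cannot be replayed.
func challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read does not fail on supported platforms
	issued[string(c)] = true
	return c
}
func verifySig(pub ed25519.PublicKey, ch, sig []byte) bool {
	ok := issued[string(ch)] // unknown or already-consumed nonce: reject
	delete(issued, string(ch))
	return ok && ed25519.Verify(pub, ch, sig)
}
// Demo: a legitimate login with both factors, then replay of what a trojan copied off the device.
func Demo() (legit, otpReplay, sigReplay bool) {
	secret := []byte("constructed-shared-secret")   // constructed secret enrolled in the OTP app
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // private key stays on the device
	const step = uint64(53000000)                    // fixed step: deterministic run
	code, ch := totp(secret, step), challenge()
	sig := ed25519.Sign(priv, ch)
	legit = verifyOTP(secret, code, step) && verifySig(pub, ch, sig)
	otpReplay = verifyOTP(secret, code, step)                              // same window: accepted
	sigReplay = verifySig(pub, ch, sig) || verifySig(pub, challenge(), sig) // used / other nonce
	return
}
func main() { fmt.Println(Demo()) }
```

A server that remembers already-used OTP codes narrows the window but does not change the property: the code is still a secret that a trojan on the device can read and forward, whereas the signing key never leaves it.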

Here is a demo video showing how PureID enables more secure, password-less login, so that no such malware can carry out phishing, credential theft or 2FA bypass.

Conclusion

Time and again it has been shown that enterprises adopting 2FA to secure passwords end up with higher costs, more complexity for administrators and more inconvenience for users, while authentication remains insecure.
