SafetyDetectives’ Research Team has uncovered weaknesses in the Microsoft Defender antivirus during an examination of a malware-laced NFT game.

In our recently published video titled “Microsoft Defender vs Malware: Is It Enough in 2024?” SafetyDetectives’ Research Team analyzed an application that has allegedly stolen over $24,000 in cryptocurrency from one user.

The theft reportedly happened after a virus from a seemingly innocent NFT game compromised the user’s systems and broke through their Google account, which was protected with two-factor authentication (2FA).

The malware-laced app was purportedly on a typical NFT gaming website that offers monetary rewards for playing. However, the app’s whitepaper — which should contain the game’s technical documentation — did not provide useful information.

Right after the user downloaded the game, the malware quietly activated in the background, gathering sensitive information and hijacking their Google account. It also installed a malicious Chrome extension disguised as Google Keep that undermined browser security, allowing the virus to bypass 2FA.

To confirm the veracity of the claim and examine how the malware managed to break through the user’s system, the SafetyDetectives Research Team set up a controlled virtual machine to run the infected NFT game. We also tested the performance of Microsoft Defender (the default antivirus in Windows devices) versus other popular antiviruses: Malwarebytes and Bitdefender.

Wireshark was used during the investigation to monitor all network traffic and see where the malware was sending stolen data. We also utilized Process Monitor to observe all system activities and Process Hacker to track the processes that were starting and stopping.

During the first run of the infected application, Microsoft Defender ran in the background but failed to stop the virus throughout its installation and execution. The malware successfully gained access to system operations, downloaded suspicious files into the computer, and collected sensitive information without getting flagged by the antivirus.

The malware’s execution was observed by monitoring PowerShell’s background activity.

The malware also determined the system’s location. Notably, the virus was programmed to shut down if the user is in Russia, Ukraine, and Belarus — presumably because the threat actor originated from those regions.

Moreover, we found that the fake Chrome extension the malware installed was able to access every website visited, steal saved login data, and monitor anything copied from and pasted within the browser.

At the end of the first run, the virus had collected everything from browser extensions and system information to security settings and admin privileges. The malware was able to obtain everything necessary to remotely control the system, and Microsoft Defender never sent an alert.

For the second test, we ran Bitdefender. The antivirus was not able to block the installation immediately, but it did intervene right as the malware was about to access critical information, such as browsing history, cookies, and login details.

Malwarebytes was used for the last test round, and it successfully prevented the attack by flagging the installation of the malicious app.

Bitdefender and Malwarebytes flagged the malware-laced application mid-execution and pre-installation, respectively.

While Malwarebytes stopped the breach faster than Bitdefender, neither is inherently better in dealing with this specific malware, as both were able to prevent critical compromise. Bitdefender may even have the benefit of having fewer false positives.

The outcome of SafetyDetectives’ Research Team test highlights the importance of investing in stronger antivirus to prevent malicious attacks and staying vigilant when downloading unverified applications online.

Visit SafetyDetectives’ Channel for more exclusive cybersecurity news and tips.