Fraud toolkit KL-Remote bypasses 2-Factor Authentication and Device Identification


A new kind of toolkit has recently been released on the black market that allows a relatively unsophisticated attacker to carry out enhanced phishing attacks to harvest banking credentials. Alarmingly, the toolkit circumvents traditional authentication mechanisms such as device authentication and two-factor authentication. Named KL-Remote, the toolkit was recently analysed by IBM Trusteer, which describes it as a "virtual mugging" capability.

While the toolkit features a user-friendly GUI (complete with a "start phishing" button), it is not as automated as other banking trojans: with KL-Remote the attacker has to intervene manually during the attack. That said, the toolkit is still extremely easy to use, and a pre-determined list of banking URLs is part of the offering.

The trojan is initially packaged as part of a larger malware payload. Once it is executed, the attacker is able to monitor the victim's keystrokes whenever a particular URL is visited. For example, when an infected user accesses Natwest, the attacker is alerted and can then decide whether or not to launch an attack.


The attacker is presented with a screenshot of the victim's screen; the toolkit records keystrokes and comes pre-packaged with popular banking URLs.


As the attack progresses, the malware takes a snapshot of the victim's browser window and overlays it on the genuine site, preventing the victim from interacting with the real website. The attacker can then click the "start phishing" button, which prompts the victim with a series of requests for personal information. The malware first displays a fake "security update" that asks for the victim's password and one-time password. Once these are entered, the screen shows a waiting message while the malware uses the genuine bank session to steal all of the victim's funds or to carry out whatever other actions the attacker wishes.

The major issue is that, for all intents and purposes, the bank sees this as a legitimate session: the two-factor authentication and device authentication controls have been circumvented because the fraudulent transactions are performed inside the victim's own authenticated session, from the victim's own device.

The toolkit is currently only available in Portuguese and only used in Brazil; however, it won't be long before we see it distributed across the world. To combat this, banks will need to wise up to the threat and alert on unusual browser or device activity, e.g. log-ins from Brazil-based addresses. Users may wish to deliberately enter the wrong credentials on their first log-in attempt: the malware won't detect the mistake and will proceed anyway, so being "logged in" after a wrong password is a sure-fire sign that you have been compromised. If that happens, contact your bank immediately and change your details.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
