ESET researchers discover a trojanized Tor Browser that cybercriminals use to steal bitcoins from darknet market buyers
ESET researchers have discovered a campaign, running unnoticed for many years, that distributed a trojanized version of the official Tor Browser package, using it to spy on its users and steal bitcoins from them.
“This malware lets the criminals behind this campaign see what website the victim is currently visiting. In theory, they can change the content of the visited page, grab the data the victim fills into forms and display fake messages, among other activities. However, we have seen only one particular functionality – changing the cryptocurrency wallets,” explains Anton Cherepanov, ESET Senior Malware Researcher, who conducted the research.
The campaign has been targeted at Russian-speaking users of the anonymous Tor network. To distribute the malware-laden browser, the criminals promoted it – on various forums, and on pastebin.com – as the official Russian language version of the Tor Browser. Their goal was to lure language-specific targets to a pair of malicious – yet legitimate-looking – websites.
“At the first website, the user received a warning that their Tor Browser was outdated – regardless of the reality. Those who took this bait were redirected to a second website with an installer,” continues Cherepanov.
Following installation, the trojanized Tor Browser is a fully functional application. “The criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and extensions. As a result, non-technically savvy people probably won’t notice any difference between the original version and the trojanized one,” comments Cherepanov.
Among these changes, every form of automatic update is disabled in the settings, and the updater tool is renamed so that the browser cannot update itself: an update would overwrite the modified settings and extensions and strip the criminals of the capabilities they depend on.
Digital signature checks for add-ons are also disabled, allowing the attackers to modify any add-on and have it seamlessly loaded by the browser.
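Because the binaries are left untouched, a hash of firefox.exe will not reveal this tampering; the profile preferences and the presence of the updater will. The script below is an added example, not ESET's tooling or code from the campaign: it parses a Firefox-style user.js/prefs.js file, flags preferences that diverge from the values an unmodified Tor Browser ships with, and reports a missing updater binary. The preference names checked (app.update.enabled, app.update.auto, xpinstall.signatures.required) are the standard Firefox preferences that govern updates and add-on signature enforcement; the article does not list which preferences the attackers changed, so treating these as the ones to audit is an assumption, as are the sample preference files, which are constructed for the demonstration.

```python
"""Audit a Tor Browser profile for disabled updates and disabled add-on signing.

Added example; not part of the ESET article. The preference names below are
standard Firefox preferences. That these are the ones the trojanized build
alters is an assumption: the article only states that updates and add-on
signature checks were disabled and the updater renamed.
"""
import re
from pathlib import Path

# Values an unmodified Tor Browser is expected to have (assumed defaults).
EXPECTED_PREFS = {
    "app.update.enabled": "true",              # browser may update itself
    "app.update.auto": "true",                 # updates applied automatically
    "xpinstall.signatures.required": "true",   # add-ons must carry a valid signature
}

# Matches lines such as: user_pref("app.update.enabled", false);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {pref_name: raw_value} for every pref line in a user.js/prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def find_tampering(prefs, updater_present=True):
    """List deviations from EXPECTED_PREFS plus a missing/renamed updater.

    A preference that is absent from the file keeps the browser's built-in
    default, so only explicit overrides are reported.
    """
    findings = []
    for name, expected in EXPECTED_PREFS.items():
        actual = prefs.get(name)
        if actual is not None and actual != expected:
            findings.append(f"{name} is {actual}, expected {expected}")
    if not updater_present:
        findings.append("updater binary missing or renamed")
    return findings


def audit_install(profile_dir, updater_path):
    """Audit a real install: read user.js and prefs.js, check the updater exists."""
    prefs = {}
    for name in ("user.js", "prefs.js"):
        p = Path(profile_dir) / name
        if p.is_file():
            prefs.update(parse_prefs(p.read_text(encoding="utf-8", errors="replace")))
    return find_tampering(prefs, updater_present=Path(updater_path).is_file())


# Constructed sample files, not taken from a real installation.
CLEAN_USER_JS = """\
user_pref("app.update.enabled", true);
user_pref("xpinstall.signatures.required", true);
"""

TROJANIZED_USER_JS = """\
user_pref("app.update.enabled", false);
user_pref("app.update.auto", false);
user_pref("xpinstall.signatures.required", false);
"""


if __name__ == "__main__":
    print("clean profile:", find_tampering(parse_prefs(CLEAN_USER_JS)))
    print("trojanized profile:",
          find_tampering(parse_prefs(TROJANIZED_USER_JS), updater_present=False))
```

On a Windows installation of that era the profile lives under Browser\TorBrowser\Data\Browser\profile.default and the updater at Browser\updater.exe relative to the install folder (an assumption about the layout; adjust the paths for your build), so audit_install(r"...\profile.default", r"...\Browser\updater.exe") runs the same checks against a real install. A clean result here does not prove the browser is genuine, since extensions were modified as well; comparing the extensions directory against a freshly downloaded official package is the complementary check.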
Once a victim visits their profile page on a darknet market in order to add funds to their account with a direct bitcoin payment, the trojanized Tor Browser automatically swaps the market's bitcoin address for an address controlled by the criminals.
“During our investigation, we identified three bitcoin wallets that have been used in this campaign since 2017. Each such wallet contains relatively large numbers of small transactions; we consider this a confirmation that these wallets indeed were used by the trojanized Tor Browser,” comments Cherepanov.
At the time ESET researchers concluded their research, the total amount of received funds for all three wallets was 4.8 bitcoin, which corresponds to approximately 40,000 US dollars. “It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets,” concludes ESET’s Anton Cherepanov.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.