Trojanized Tor Browser targets shoppers of Darknet black marketplaces

Pierluigi Paganini October 18, 2019

A tainted version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and gather information on their browsing activity.

A Trojanized version of the Tor Browser is targeting shoppers of black marketplaces on the dark web; the threat actors aim to steal their cryptocurrency and gather information on their browsing activity.

At the time of writing, attackers have already stolen about $40,000 worth of Bitcoin through more than 860 transactions registered to three of the attackers’ wallets.

“Utilizing a trojanized version of an official Tor Browser package, the cybercriminals behind this campaign have been very successful – so far their pastebin.com accounts have had more than 500,000 views and they were able to steal US$40,000+ in bitcoins.” reads a post published by ESET.

The weaponized version of the Tor Browser is promoted on Pastebin as the Russian version of the popular software. The Pastebin posts advertise it as also including an anti-captcha feature that lets users speed up their browsing.

The trojanized Tor browser variant is hosted on the following two domains created in 2014 that are designed to appear as the official Russian version of the software:

  • tor-browser[.]org
  • torproect[.]org (the URL is missing “j”)

Threat actors also optimized the posts promoting the malicious software to appear as top results for queries for drugs, censorship bypass, and Russian politicians.

Between 2017 and early 2018, crooks promoted the webpages of the trojanized Tor Browser using spam messages on multiple Russian forums.

The home page of both sites displays a warning to the visitors informing them that they have an outdated Tor Browser, even if the visitors are using the most up-to-date Tor Browser version.


“Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button ‘Update’,” reads the English translation.

When the users click on the “Update Tor Browser” button, they are redirected to a second website that delivers a Windows installer.

“This trojanized Tor Browser is a fully functional application. In fact, it is based on Tor Browser 7.5, which was released in January 2018. Thus, non-technically-savvy people probably won’t notice any difference between the original version and the trojanized one.” continues the analysis.

“No changes were made to source code of the Tor Browser; all Windows binaries are exactly the same as in the original version. However, these criminals changed the default browser settings and some of the extensions.”

The Trojanized Tor Browser has its update feature disabled to prevent victims from updating to a non-tainted version. The attackers also changed the default User-Agent to a unique hardcoded value that they use as a fingerprint.

“The most important change is to the xpinstall.signatures.required settings, which disable a digital signature check for installed Tor Browser add-ons.” reads the post. “Therefore, the attackers can modify any add-on and it will be loaded by the browser without any complaint about it failing its digital signature check.”
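As an added defender-side example (not code from the article or from ESET), here is a small Python checker that scans a Tor Browser prefs.js or user.js dump for the setting changes the post describes: the disabled add-on signature check, disabled updates, and a hardcoded User-Agent. The update-related preference names and the sample prefs file are assumptions, constructed here for illustration.

```python
import re

# Matches Firefox-style pref lines such as: user_pref("name", value);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Tampering indicators described in ESET's analysis of the trojanized build.
# Assumed preference names for the "update feature disabled" change.
INDICATORS = {
    "xpinstall.signatures.required": ("false", "add-on signature check disabled"),
    "app.update.enabled": ("false", "browser updates disabled"),
    "app.update.auto": ("false", "automatic updates disabled"),
}

def parse_prefs(text):
    """Return {name: raw_value} for every pref line in a prefs.js/user.js dump."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def find_tampering(text):
    """Return (pref, value, reason) tuples for settings matching the indicators."""
    prefs = parse_prefs(text)
    findings = []
    for name, (bad_value, reason) in INDICATORS.items():
        if prefs.get(name) == bad_value:
            findings.append((name, prefs[name], reason))
    # Tor Browser relies on a uniform User-Agent across all users; any override
    # singles the install out, which is exactly what the attackers exploited.
    if "general.useragent.override" in prefs:
        findings.append(("general.useragent.override",
                         prefs["general.useragent.override"],
                         "hardcoded User-Agent acts as a fingerprint"))
    return findings

# Constructed sample: a prefs.js carrying the settings the article describes.
SAMPLE_PREFS = '''
user_pref("app.update.enabled", false);
user_pref("xpinstall.signatures.required", false);
user_pref("general.useragent.override", "Mozilla/5.0 (placeholder UA, constructed)");
user_pref("network.proxy.socks_port", 9150);
'''

if __name__ == "__main__":
    for pref, value, reason in find_tampering(SAMPLE_PREFS):
        print(f"{pref} = {value}: {reason}")
```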

Crooks also modified the HTTPS Everywhere add-on included with the browser to add a content script (script.js) that will be executed on load in the context of every webpage.

The JavaScript payload uses a standard webinject mechanism that allows stealing content in forms, hiding original content, showing fake messages, or adding its own content.

The only JavaScript payload observed by ESET was used to target visitors of three of the largest Russian-speaking darknet markets. This script attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets.

Using this trick, the attackers are able to hijack payments by replacing the wallet addresses shown to shoppers with ones belonging to the attackers.

“As of this writing, the total amount of received funds for all three wallets is 4.8 bitcoin, which corresponds to over US$40,000. It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets.” concludes ESET, which also shared IoCs. “This trojanized Tor Browser is a non-typical form of malware, designed to steal digital currency from visitors to darknet markets. Criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years.”


Pierluigi Paganini

(SecurityAffairs – Trojanized Tor Browser, hacking)
