Malware

OnionPoison: malicious Tor Browser installer served through a popular Chinese YouTube channel

OnionPoison: researchers reported that an infected Tor Browser installer has been distributed through a popular YouTube channel.

Kaspersky researchers discovered that a trojanized version of a Windows installer for the Tor Browser has been distributed through a popular Chinese-language YouTube channel.

The campaign, named OnionPoison, targeted users located in China, where the Tor Browser website is blocked. Users in China often attempt to download the Tor browser from third-party websites.

In the OnionPoison campaign, threat actors shared a link to a malicious Tor installer posting it on a popular Chinese-language YouTube channel providing info on the anonymity on the internet.

The channel has more than 180,000 subscribers and according to Kaspersky the video with the malicious link had more than 64,000 views at the time of the discovery. The video was posted on January 2022, and according to Kaspersky’s telemetry, the first victims were compromised in March 2022.

The malicious version of the installer installs a malicious Tor Browser that is configured to expose user data, including the browsing history and data entered into website forms. The experts also discovered that the libraries bundled with the malicious Tor Browser is infected with spyware.

“More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it.” reads Kaspersky’s analysis. “We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser.”

The description of the video includes two links, one to the official Tor Browser website, while the other points to the malicious Tor Browser installer hosted on a Chinese cloud sharing service.

The malicious installer has a file size of 74.1 MB. Upon executing the installer a malicious Tor Browser is installed, it has the same UI of the original Tor Browser. The malicious installer is not digitally signed and the malicious installer also drops some files that are different from the ones bundled with the original installer

“The file freebl3.dll is present in the original Tor Browser installer; however, its contents are entirely different from the DLL in the malicious installer” continues the report.

The experts noticed that the second-stage payload containing the spyware is only served to users from China.

The spyware is able to gather system information and support data exfiltration capabilities. It is able to retrieve the list of installed software and running processes, Google Chrome and Edge histories, victims’ WeChat and QQ account IDs, the SSIDs and MAC addresses of Wi-Fi networks to which the victims are connected, and also allows operators to run arbitrary shell commands on the victim machine.

Experts believe the OnionPoison campaign is not financially motivated because threat actors did not collect credentials or wallets.

“In this campaign, the attackers use anonymization software to lure targets. Placing a link on a popular YouTube channel makes the malicious Tor Browser installer appear more legitimate to potential targets.” concludes the report. “Curiously, unlike common stealers, OnionPoison implants do not automatically collect user passwords, cookies or wallets. Instead, they gather data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Tor Browser)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

PoC exploit for critical RCE flaw in Fortra FileCatalyst transfer tool released

Fortra addressed a critical remote code execution vulnerability impacting its FileCatalyst file transfer product. Fortra has released…

7 hours ago

Fujitsu suffered a malware attack and probably a data breach

Technology giant Fujitsu announced it had suffered a cyberattack that may have resulted in the…

9 hours ago

Remove WordPress miniOrange plugins, a critical flaw can allow site takeover

A critical vulnerability in WordPress miniOrange's Malware Scanner and Web Application Firewall plugins can allow…

15 hours ago

The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats

Resecurity reported about the increasing wave of cyber incidents targeting the aerospace and aviation sectors.…

17 hours ago

Email accounts of the International Monetary Fund compromised

Threat actors compromised at least 11 International Monetary Fund (IMF) email accounts earlier this year,…

20 hours ago

Threat actors leaked 70,000,000+ records allegedly stolen from AT&T

Researchers at vx-underground first noticed that more than 70,000,000 records from AT&T were leaked on…

1 day ago

This website uses cookies.