Replica of the Tor website used to serve malware

A security researcher discovered the Torbundlebrowser.org,web site that is a replica of Tor Project site, but it is used to serve a malware.

The increasing popularity of Tor network is attracting cyber criminals, recently the French security researcher Florent Daigniere discovered a website (torbundlebrowser.org) that is the replica of the original Tor Network but a few differences.

As detailed by the computer science student Julien Voisin in a blog post, the website includes suspicious links to download the Tor software and a Bitcoin address.

The layout and the content is the same of the legitimate website, except for the “Announcement” section on the right side that includes a link to download a “new release” of Tor Browser Bundle (torbrowser-install-3.6.3_en-US.exe). Voisin has downloaded the package and has reverse-engineered its code discovering the presence of a malware with the ILSpy debugger. The student also found several encrypted payloads, the malware allows bad actors to take the control over the infected machine. The attackers can exploit it to steal file, upgrade the malware with additional payloads, execute system commands and execute a huge quantity of operations.

As explained in the blog post, the communication protocol implemented by malware authors is very simple despite it runs on Tor hidden service silkroad6cebts64.onion:24576.

“This is the syntax to say to connect to the CC, and wait for commands:

CONNECT|v1.17117|117|

Where v1.17 is the version number, and 117| is likely a release type identifier, since I found a “slim113” chain in another sample.” States the blog post.

The expert was able also to chat with botmaster which explained that the malware was used to track pedophiles.

“She/he told me that they are a small group (maybe from China) trying to catch pedophiles; by spreading the link to the fake website on pedo-boards, adding that one pedophile was already reported to cybertip (Canadian Centre for Child Protection’s tipline),” said the student.

It is difficult to believe that the botmaster is serving malware to track criminals because he replaced is the donation page the donation link with his own BTC address.

The bad actor is likely an amateur as suggested by the Voisin:

 “It’s code is mostly clean and well-written, but this is not the work of a state nor sophisticated professional black hat group.”

As highlighted by Voisin, Tor users have to be aware of such infection, the unique way to download the Tor Bundle is to take is from the original Tor Project Page and not using the links spread via IRC channels or hacking forums.

Fortunately the web site hasn’t a great visibility and this circumstance limit the extension of the infection.

 “Since the website’s address is not that much “public”, there is little chance that someone stumble upon it. But once one is one it, it’s tricky to see that it’s not the genuine one if you’re not paying attention.”

This case confirms the great interest of cybercrime in Tor Network, in the specific case used to deceive victims with a bogus website and to hide C&C server of botnet designed by webmaster.

Underestimate this technique of attack could be very risky, it is also too easy for novice criminals to arrange similar scams.

Pierluigi Paganini

(Security Affairs – Tor network, cybercrime)