Trojanized Tor Browser Steals Users’ Digital Currency

Researchers have discovered a Trojanized version of the popular Tor Browser, which has already stolen tens of thousands of dollars’ worth of digital currency from users.

Targeted at Russian users, the malicious variant is distributed via spam messages on local forums and in Pastebin posts that have been search-engine optimized to rank highly for users searching for terms including drugs, cryptocurrency, censorship bypass, and Russian politicians, according to Eset.

Two domains registered in 2014 are used to spread the malware: tor-browser[.]org and torproect[.]org. In essence, the package is a version of the popular anonymizing tool from 2018 (v7.5) with some of its default browser settings and extensions altered to disable updates and to ensure that the malware authors, rather than the Tor Project, can modify the product.

The hackers also modified the HTTPS Everywhere add-on bundled with the browser, adding a content script (script.js) that executes in every web page the browser loads.

“The only JavaScript payload we have seen targets three of the largest Russian-speaking darknet markets. This payload attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets,” explained Eset senior malware researcher Anton Cherepanov.

“Once a victim visits their profile page in order to add funds to the account directly using bitcoin payment, the Trojanized Tor Browser automatically swaps the original address to the address controlled by criminals.”
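Because the payload rides in as a content script declared by an add-on's manifest, one defensive check is to audit the manifest of each bundled extension for content scripts that match every URL and for script files that a pristine copy of the add-on does not contain. The following Python is an added example, not code from the article or from Eset; the sample manifest, file names and allow-list are constructed for the demonstration and are not the real HTTPS Everywhere manifest.

```python
import json

# Constructed sample: a WebExtension manifest.json in the shape it would
# take if a content script had been appended to a legitimate add-on.
# File names and versions here are assumptions for the demonstration.
SAMPLE_MANIFEST = """
{
  "manifest_version": 2,
  "name": "HTTPS Everywhere",
  "version": "2018.4.3",
  "background": {"scripts": ["background.js"]},
  "content_scripts": [
    {"matches": ["<all_urls>"], "js": ["script.js"], "run_at": "document_end"}
  ]
}
"""

# Match patterns that cause a content script to run on every page loaded.
ALL_PAGE_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_content_scripts(manifest_text):
    """Return the content-script files that the manifest injects into every web page."""
    manifest = json.loads(manifest_text)
    flagged = []
    for entry in manifest.get("content_scripts", []):
        matches = set(entry.get("matches", []))
        if matches & ALL_PAGE_PATTERNS:
            flagged.extend(entry.get("js", []))
    return flagged


def unexpected_files(manifest_text, known_good):
    """Return script files the manifest references that are absent from the
    allow-list (an allow-list a defender builds from a pristine add-on copy)."""
    manifest = json.loads(manifest_text)
    referenced = set(manifest.get("background", {}).get("scripts", []))
    for entry in manifest.get("content_scripts", []):
        referenced.update(entry.get("js", []))
    return sorted(referenced - set(known_good))


if __name__ == "__main__":
    KNOWN_GOOD = {"background.js"}  # constructed allow-list for the sample
    print("runs on every page:", broad_content_scripts(SAMPLE_MANIFEST))
    print("not in allow-list:", unexpected_files(SAMPLE_MANIFEST, KNOWN_GOOD))
```

In practice the allow-list would be built from file hashes of an add-on downloaded from its official source, and any browser whose update channel has been disabled should be treated as untrusted regardless of what the manifest audit finds.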

At the time of writing, Eset had observed at least 500,000 downloads of the Trojanized Tor Browser and identified three bitcoin wallets under the hackers' control holding around 4.8 bitcoin ($40,000). The attackers are also likely to have collected a substantial amount of QIWI funds from victims.

The scheme takes advantage of the fact that the Putin regime is increasingly pushing Russia to adopt an online censorship apparatus akin to China’s. Earlier this year, Putin signed a new law that could allow the government to cut access to foreign servers.
