ESET discovers a campaign stealing bitcoins from darknet users


ESET researchers discover a trojanized Tor Browser that cybercriminals use to steal bitcoins from darknet market buyers

BRATISLAVA, October 18, 2019 – ESET researchers have discovered a campaign, running unnoticed for many years, that distributed a trojanized version of the official Tor Browser package, using it to spy on its users and steal bitcoins from them.

“This malware lets the criminals behind this campaign see what website the victim is currently visiting. In theory, they can change the content of the visited page, grab the data the victim fills in to forms and display fake messages, among other activities. However, we have seen only one particular functionality – changing the cryptocurrency wallets,” said Anton Cherepanov, ESET senior malware researcher, who conducted the research.

The campaign has been targeted at Russian-speaking users of the anonymous Tor network. To distribute the malware-laden browser, the criminals promoted it – on various forums, and on pastebin.com – as the official Russian language version of the Tor Browser. Their goal was to lure language-specific targets to a pair of malicious – yet legitimate-looking – websites.

“At the first website, the user received a warning that their Tor Browser was outdated – regardless of the reality. Those who took this bait were redirected to a second website with an installer,” said Cherepanov.

Following installation, the trojanized Tor Browser is a fully functional application. “The criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and extensions. As a result, non-technically-savvy people probably won’t notice any difference between the original version and the trojanized one,” said Cherepanov.

Among these changes, every kind of update is disabled in the settings, and the updater tool is renamed so that the user cannot update the browser; an update would strip out the modifications the criminals rely on.

Digital signature checks for add-ons are also disabled, allowing the attackers to modify any add-on and have it seamlessly loaded by the browser.
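The two tampering indicators described above (add-on signature enforcement switched off, updates disabled) live in the Firefox-style preference files of a Tor Browser profile. The following audit is an added example, not ESET's tooling: it parses the `user_pref("name", value);` format of prefs.js/user.js and flags weakening values. The pref names are standard Firefox preferences; the choice of which values to flag, and the sample prefs.js, are constructed here.

```python
"""Audit a Tor Browser (Firefox-based) profile for the settings tampering
described in the article. Added example; pref names are standard Firefox
preferences, the flagged values are this example's own assumptions."""
import re
from pathlib import Path

# prefs.js / user.js lines look like: user_pref("name", value);
# where value is a quoted string, a number, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Preference -> value that weakens the browser's integrity protections (assumption).
SUSPICIOUS = {
    "xpinstall.signatures.required": "false",  # unsigned/modified add-ons load silently
    "app.update.enabled": "false",             # legacy pref: automatic updates off
    "app.update.auto": "false",                # updates no longer apply on their own
    "extensions.update.enabled": "false",      # add-ons never refresh themselves
}

def parse_prefs(text):
    """Return {pref_name: raw_value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def audit_prefs(text):
    """List (pref, value) pairs whose value matches a known weakening setting."""
    prefs = parse_prefs(text)
    return [(name, prefs[name]) for name, bad in SUSPICIOUS.items()
            if name in prefs and prefs[name] == bad]

def audit_profile(profile_dir):
    """Audit prefs.js and user.js under a profile directory; returns (file, pref, value)."""
    findings = []
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            findings += [(fname, n, v) for n, v in audit_prefs(path.read_text(errors="replace"))]
    return findings

# Constructed sample resembling a tampered prefs.js (not taken from the campaign).
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("app.update.auto", false);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("xpinstall.signatures.required", false);
user_pref("extensions.update.enabled", false);
user_pref("privacy.resistFingerprinting", true);
'''

if __name__ == "__main__":
    for name, value in audit_prefs(SAMPLE_PREFS):
        print(f"WARNING: {name} = {value}")
```

A clean Tor Browser profile should produce no findings; any hit on the signature pref in particular deserves a reinstall from the official download rather than an in-place fix.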

The criminals also made changes that notify a C&C server – located on an onion domain and thus accessible only through Tor – about the webpage the victim is currently visiting, and that serve the browser a JavaScript payload. “In theory, the attackers can serve payloads that are tailor-made to particular websites. However, during our research, the JavaScript payload was always the same for all pages we visited,” said Cherepanov.

The JavaScript payload ESET researchers have seen targets three of the largest Russian-speaking darknet markets. This payload attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages from these markets.

Once a victim visits their profile page to add funds to their account directly by bitcoin payment, the trojanized Tor Browser automatically swaps the original bitcoin address for an address controlled by the criminals.

“During our investigation, we identified three bitcoin wallets that have been used in this campaign since 2017. Each such wallet contains relatively large numbers of small transactions; we consider this a confirmation that these wallets indeed were used by the trojanized Tor Browser,” said Cherepanov.

At the time ESET researchers concluded their research, the total amount of received funds for all three wallets was 4.8 bitcoin, which corresponds to approximately 40,000 US dollars. “It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets,” said ESET’s Anton Cherepanov.

For more details, read the blog post “Fleecing the onion: Darknet shoppers swindled out of bitcoins via trojanized Tor Browser,” and make sure to follow ESET research on Twitter.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single ‘in-the-wild’ malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.