

While performing regular threat hunting activities, we identified multiple downloads of previously unclustered malicious Tor Browser installers. According to our telemetry, all the victims targeted by these installers are located in China. As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites.

In our case, a link to a malicious Tor installer was posted on a popular Chinese-language YouTube channel devoted to anonymity on the internet. The channel has more than 180,000 subscribers, while the view count on the video with the malicious link exceeds 64,000. The video was posted in January 2022, and the campaign's first victims started to appear in our telemetry in March 2022.

The installation of the malicious Tor Browser is configured to be less private than the original Tor Browser. Unlike the legitimate one, the infected Tor Browser stores browsing history and data entered into website forms. More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it.

We decided to dub this campaign 'OnionPoison', naming it after the onion routing technique that is used in Tor Browser.

Initial infection

Victims of the OnionPoison campaign likely reach the video with the malicious link after a YouTube search: the video heads the list of search results for the 'Tor浏览器' ('Tor Browser' in Chinese) query.

Screenshot of the video with a link to the malicious Tor Browser installer in the description section

The description of the video contains two links: the first one goes to the official Tor Browser website, while the other leads to a malicious Tor Browser installer executable hosted on a Chinese cloud sharing service. As the original Tor website is banned in China, viewers of the video have to navigate to the cloud sharing service link in order to download the browser.

Download page of the malicious Tor Browser installer

The malicious installer
MD5 (as printed; the leading character is garbled in this copy and the remaining 63 hex digits exceed an MD5's 32, so the label is unreliable): Ĩ77FE96CDFA6F742E538396B9A4EDB76DD269984BFB41CAD5D545E72CE28FFDE
File name: (not preserved in this copy)
File type: PE32+ executable (GUI) x86-64, for MS Windows

The user interface of the malicious Tor Browser installer is identical to the original one. However, the malicious installer does not have a digital signature, and some of the files dropped by the malicious installer differ from the ones bundled with the original installer:
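The two observations above (the installer is a PE32+ x86-64 GUI executable, and it carries no digital signature) are the first things a defender can check on a downloaded installer before running it. The script below is an added example, not code from the original report or from Kaspersky: it parses only the DOS and NT headers, reports the format, machine and subsystem, tells whether an Authenticode signature blob is embedded at all (the security data directory), and compares the SHA256 against a caller-supplied block list. The `build_sample_pe` helper constructs a synthetic PE image purely to exercise the parser; it is not a real installer and is labelled as constructed in the code.

```python
"""Header-level triage of a suspected Tor Browser installer (added example).

Absence of the IMAGE_DIRECTORY_ENTRY_SECURITY directory is the "no digital
signature" condition described above. Presence of the directory does NOT prove
the signature is valid; that requires a real verifier such as signtool or
PowerShell's Get-AuthenticodeSignature.
"""
import hashlib
import struct
import sys

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # 5th data directory; its "RVA" is a raw file offset


def inspect_pe(data: bytes) -> dict:
    """Parse DOS/NT headers; report format, machine, subsystem, signature presence, SHA256."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    machine, _nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20
    if opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        fmt, dir_off = "PE32+", 112   # data directories start at +112 in PE32+
    elif magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        fmt, dir_off = "PE32", 96     # and at +96 in PE32
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    sig_off = sig_len = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sig_off, sig_len = struct.unpack_from(
            "<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "format": fmt,
        "x86_64": machine == IMAGE_FILE_MACHINE_AMD64,
        "gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        # A signed PE points this directory at a WIN_CERTIFICATE blob inside the file.
        "signed": sig_off != 0 and sig_len != 0 and sig_off + sig_len <= len(data),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def matches_ioc(data: bytes, known_bad_sha256: set) -> bool:
    """True when the file's SHA256 is on the supplied block list (case-insensitive)."""
    return hashlib.sha256(data).hexdigest().upper() in {h.upper() for h in known_bad_sha256}


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ GUI x86-64 image used only to exercise inspect_pe.
    Not a real installer: no sections, and the 'certificate' is an opaque blob."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers follow the DOS header
    opt = bytearray(112 + 16 * 8)                    # PE32+ optional header + 16 data directories
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 0, 0, 0, 0, len(opt), 0x22)
    body = b"\0" * 64                                # stand-in for section data
    headers_len = len(dos) + 4 + len(file_hdr) + len(opt)
    cert = b"\0" * 32 if signed else b""
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len + len(body), len(cert))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + body + cert


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_pe(signed=False)
    info = inspect_pe(blob)
    for key, value in info.items():
        print(f"{key:8}: {value}")
    if not info["signed"]:
        print("WARNING: no embedded Authenticode signature, unlike the original installer")
```

Run it as `python triage.py torbrowser-install.exe`; without an argument it inspects the constructed unsigned sample. Treat "signed: False" as a hard stop, and treat "signed: True" only as permission to run a real signature check. The stronger control is the one the attacker cannot forge by re-signing with an arbitrary certificate: verify the download against the OpenPGP `.asc` signature published by the Tor Project with the Tor Browser signing key, which also catches a re-signed installer obtained from a third-party mirror.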
