Researchers have discovered a trojanised version of a Tor private browser that targets Russian-speaking dark web marketplace visitors and lets cyber-criminals steal from their e-wallet transactions.
The developers behind the malicious browser have so far stolen at least $40,000 in bitcoin, although the true number is likely higher. Researchers from ESET discovered a version of the trojanised app that was modified from the legitimate January 2018 release of Tor Browser 7.5. However, the cyber-criminal operation dates back even further to at least 2017, while two malicious domains used to distribute the malware were created way back in 2014, ESET has reported in a blog post authored by company researcher Anton Cherepanov.
The trojanised browser works the same as the authentic version, but with several key changes. While the criminals didn’t tinker with the code, they did change the default browser settings and some extensions. For starters, the malicious actors behind this scheme have disabled a signature check process for installed add-ons. This allows the adversaries to introduce malicious add-ons without having to worry about being flagged by a digital signature check.
Using this payload, the cyber-criminals have targeted users of three of the largest Russian-speaking dark web marketplaces by tampering with e-wallets located on the pages of these markets. The attack works on both conventional bitcoin wallets as well as wallets associated with the Russian money transfer service QIWI. When victims visit their profile page to add funds to their account, the trojanised app switches their intended address to an attacker-controlled address.
The developers of the trojanised app also disabled updates so that users cannot update the browser to a newer, legitimate version of the software.
To encourage downloads of the trojanised app, the cyber-criminals behind it created a pair of Russian language websites. One site falsely states that the visitor’s computer possesses an outdated Tor browser. "Your anonymity is in danger!" the page warns in hopes of persuading the reader to click an "Update" button. Doing so takes the potential victim to the second site from which they download the trojanised browser. That second page’s URL address, torproect[.]org, is just one letter character different from the real torproject.org site.
The cyber-criminals promoted these two web pages via spam messages on various Russian forums that specialise in topics like darknet markets, cryptocurrency, internet privacy and censorship bypass. The malicious actors also created four Pastebin accounts generated various pastes to promote the domains, all of which viewed more than 500,000 times. One such paste said (in Russian), "BRO download Tor Browser so the cops won’t watch you."