Fake Tor Browser Steals Bitcoin from Russian Darkweb Users
Cybercrime researchers discovered a so-called “trojanized version” of the Tor Browser responsible for stealing $40,000 from users of Russian darknet markets. The infected version of the browser is being distributed through darkweb forums via posts about darknet markets, crytpocurrency, and bypassing censorship.
According to researchers at ESET, the actors behind the campaign have been directing users to one of three domains that mimic the Tor Project’s official website, torproject.org. One example looks very similar to the official domain: torproect.org (note the missing “j”). The fake Tor Project website contains descriptions of the Tor Browser as well as a link to download the modified version of the browser. The link is distributed from tor-browser.org.
The browser is responsible for the theft of roughly $40,000 at the time of writing.
A screenshot of the fake Tor Browser website
Here are three claims made about the fake browser, translated from Russian automatically:
- If you want to surf darknet not to fear for your safety, then this most protected tor browser is for you!
- If you are tired of unsolvable captcha and constant lags of an ordinary browser tor, it’s time to upgrade to our upgraded browser.
- You can not doubt the security of this browser, all traffic is wrapped in a torus, including the recaptcha solver.
https://pastebin.com/a5152Bia
A screenshot of one of the Pastebin
All of the pastes from the four different accounts were viewed more than 500,000 times. However, it’s not possible for us to say how many viewers actually visited the websites and downloaded the trojanized version of the Tor Browser.
The fake version of the browser is based on Tor Browser 7.5 and is a fully functioning browser. The ESET researchers wrote that the binary is exactly the same as the official browser. The most significant change is to the Firefox xpinstall.signatures.required settings that allow the installation of unsigned and potentially malicious add-on. They modified the HTTPS Everywhere add-on to inject javascript into every page viewed by the victim.
Another screenshot of the fake Tor Browser website
This injected script notifies a C&C server about the current webpage address and downloads a JavaScript payload that will be executed in the context of the current page. The C&C server is located on an onion domain, which means it is accessible only through Tor.
As the criminals behind this campaign know what website the victim is currently visiting, they could serve different JavaScript payloads for different websites. However, that is not the case here: during our research, the JavaScript payload was always the same for all pages we visited.
The JavaScript payload works as a standard webinject, which means that it can interact with the website content and perform specific actions. For example, it can do a form grabbing, scrape, hide or inject content of a visited page, display fake messages, etc.
Like the phishing proxies currently stealing funds from users of Empire Market, the fake Tor Browser swaps the deposit addresses on three Russian darkweb markets. Instead of seeing the Bitcoin address of their marketplace wallet, users see one of three Bitcoin addresses controlled by the actors responsible for this campaign.
- 3338V5E5DUetyfhTyCRPZLB5eASVdkEqQQ
- 3CEtinamJCciqSEgSLNoPpywWjviihYqrw
- 1FUPnTZNBmTJrSTvJFweJvUKxRVcaMG8oS
One of the Bitcoin addresses controlled by the browser distributor
“As of this writing, the total amount of received funds for all three wallets is 4.8 bitcoin, which corresponds to over US$40,000. It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets,” ESET researchers explained.
For more details, visit the report by ESET researchers on the welivesecurity website.