Utilizing a trojanized version of an official Tor Browser package, the cybercriminals behind this campaign have been very successful – so far their pastebin.com accounts have had more than 500,000 views and they were able to steal US$40,000+ in bitcoins.
This newly discovered trojanized Tor Browser has been spreading using two websites that claimed that they distribute the official Russian language version of the Tor Browser. The first such website displays a message in Russian claiming that the visitor has an outdated Tor Browser. The message is displayed even if the visitor had the most up-to-date Tor Browser version.
Figure 1. Fake outdated browser message displayed at torproect[.]orgTranslated to English:
Your anonymity is in danger!
WARNING: Your Tor Browser is outdated
Click the button “Update”
On clicking the “Update Tor Browser” button, the visitor is redirected to a second website with the possibility of downloading a Windows installer. There are no signs that the same website has distributed Linux, macOS or mobile versions.
Figure 2. Fake Tor Browser website with download option
Both these domains – tor-browser[.]org and torproect[.]org – were created in 2014. The malicious domain torproect[.]org domain is very similar to the real torproject.org; it is just missing one letter. For Russian-speaking victims, the missing letter might raise no suspicion due to the fact that “torproect” looks like a transliteration from the Cyrillic. However, it does not look like criminals relied on typosquatting, because they promoted these two websites on various resources.
In 2017 and early 2018 cybercriminals promoted the webpages of the trojanized Tor Browser using spam messages on various Russian forums. These messages contain various topics, including darknet markets, cryptocurrencies, internet privacy and censorship bypass. Specifically, some of these messages mention Roskomnadzor, a Russian government entity for censorship in media and telecommunications.
Figure 3. Example of spam message promoting tor-browser[.]org
Figure 4. Example of spam message promoting torproect[.]orgIn April and March 2018, the criminals started to use the pastebin.com web service to promote both domains related to the fake Tor Browser webpage. Specifically, they created four accounts and generated a lot of pastes optimized for search engines to rank them high for words that cover topics like drugs, cryptocurrency, censorship bypass, and the names of Russian politicians.
The idea behind this is that a potential victim would perform an online search for specific keywords and at some point visit a generated paste. Each such paste has a header that promotes the fake website.
Figure 5. The header of a paste that promotes fake Tor Browser websites
This translates to English:
BRO, download Tor Browser so the cops won’t watch you.
Regular browsers show what you are watching, even through proxies and VPN plug-ins.
Tor encrypts all traffic and passes it through random servers from around the world.
It is more reliable than VPN or proxy and bypasses all Roskomnadzor censorship.
Here is official Tor Browser website:
Tor Browser with anti-captcha:
Save the link
The criminals claim that this version of the Tor Browser has anti-captcha capability, but in fact this is not true.
Figure 6. An example paste with keywords related to the Tor Browser
All of the pastes from the four different accounts were viewed more than 500,000 times. However, it’s not possible for us to say how many viewers actually visited the websites and downloaded the trojanized version of the Tor Browser.
This trojanized Tor Browser is a fully functional application. In fact, it is based on Tor Browser 7.5, which was released in January 2018. Thus, non-technically-savvy people probably won’t notice any difference between the original version and the trojanized one.
No changes were made to source code of the Tor Browser; all Windows binaries are exactly the same as in the original version. However, these criminals changed the default browser settings and some of the extensions.
Figure 7. The modified settings of the trojanized Tor Browser in extension-overrides.js
The criminals want to prevent victims from updating the trojanized Tor version to a newer version, because in this case it will be updated to a non-trojanized, legitimate version. That’s why they disabled all kinds of updates in the settings, and even renamed the updater tool from updater.exe to updater.exe0.
In addition to the changed update settings, the criminals changed the default User-Agent to the unique hardcoded value:
Mozilla/5.0 (Windows NT 6.1; rv:77777.0) Gecko/20100101 Firefox/52.0
All trojanized Tor Browser victims will use the same User-Agent; thus it can be used as a fingerprint by the criminals to detect, on the server-side, whether the victim is using this trojanized version.
The most important change is to the xpinstall.signatures.required settings, which disable a digital signature check for installed Tor Browser add-ons. Therefore, the attackers can modify any add-on and it will be loaded by the browser without any complaint about it failing its digital signature check.
Furthermore, the criminals modified the HTTPS Everywhere add-on included with the browser, specifically its manifest.json file. The modification adds a content script (script.js) that will be executed on load in the context of every webpage.
Figure 8. Difference between original manifest.json (left) and modified (right)
Figure 9. The injected script executed in the context of every webpage
Once a victim visits their profile page in order to add funds to the account directly using bitcoin payment, the trojanized Tor Browser automatically swaps the original address to the address controlled by criminals.
Figure 11. A darknet market profile page with altered bitcoin address
During our investigation we identified three bitcoin wallets that have been used in this campaign since 2017. Each such wallet contains relatively large numbers of small transactions; this suggests that these wallets were indeed used by the trojanized Tor Browser.
Figure 12. Number of transactions and received bitcoin for one of the criminals’ wallets
As of this writing, the total amount of received funds for all three wallets is 4.8 bitcoin, which corresponds to over US$40,000. It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets.
This trojanized Tor Browser is a non-typical form of malware, designed to steal digital currency from visitors to darknet markets. Criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years.
Indicators of Compromise (IoCs)
ESET detection names
MITRE ATT&CK techniques
|Execution||T1204||User Execution||The trojanized Tor Browser relies on the victim to execute the initial infiltration.|
|Persistence||T1176||Browser Extensions||The trojanized Tor Browser contains a modified HTTPS Everywhere extension.|
|Collection||T1185||Man in the Browser||The trojanized Tor Browser is able to change content, modify behavior, and intercept information using man-in-the- browser techniques.|
|Impact||T1494||Runtime Data Manipulation||The trojanized Tor Browser alters bitcoin and QIWI wallets on darknet market webpages.|