![\"\"](\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2019\/10\/Figure-1-6.png\")
<\/a><\/figure>\n\n\n\nFigure 1. Fake outdated browser message displayed at torproect[.]org<\/em>Translated to English:<\/p>\n\n\n\n Your anonymity is in danger! On clicking the \u201cUpdate Tor Browser\u201d button, the visitor is redirected to a second website with the possibility of downloading a Windows installer. There are no signs that the same website has distributed Linux, macOS or mobile versions.<\/p>\n\n\n\n Figure 2. Fake Tor Browser website with download option<\/em><\/p>\n\n\n\n Both these domains \u2013 tor-browser[.]org and torproect[.]org \u2013 were created in 2014. The malicious domain torproect[.]org domain is very similar to the real torproject.org; it is just missing one letter. For Russian-speaking victims, the missing letter might raise no suspicion due to the fact that \u201ctorproect\u201d looks like a transliteration from the Cyrillic. However, it does not look like criminals relied on typosquatting, because they promoted these two websites on various resources.<\/p>\n\n\n\n In 2017 and early 2018 cybercriminals promoted the webpages of the trojanized Tor Browser using spam messages on various Russian forums. These messages contain various topics, including darknet markets, cryptocurrencies, internet privacy and censorship bypass. Specifically, some of these messages mention Roskomnadzor<\/a>, a Russian government entity for censorship in media and telecommunications.<\/p>\n\n\n\n Figure 3. Example of spam message promoting tor-browser[.]org<\/em><\/p>\n\n\n\n Figure 4. Example of spam message promoting torproect[.]org<\/em>In April and March 2018, the criminals started to use the pastebin.com web service to promote both domains related to the fake Tor Browser webpage. Specifically, they created four accounts and generated a lot of pastes optimized for search engines to rank them high for words that cover topics like drugs, cryptocurrency, censorship bypass, and the names of Russian politicians.<\/p>\n\n\n\n The idea behind this is that a potential victim would perform an online search for specific keywords and at some point visit a generated paste. Each such paste has a header that promotes the fake website.<\/p>\n\n\n\n Figure 5. The header of a paste that promotes fake Tor Browser websites<\/em><\/p>\n\n\n\n This translates to English:<\/p>\n\n\n\n BRO, download Tor Browser so the cops won\u2019t watch you. The criminals claim that this version of the Tor Browser has anti-captcha capability, but in fact this is not true.<\/p>\n\n\n\n Figure 6. An example paste with keywords related to the Tor Browser<\/em><\/p>\n\n\n\n All of the pastes from the four different accounts were viewed more than 500,000 times. However, it\u2019s not possible for us to say how many viewers actually visited the websites and downloaded the trojanized version of the Tor Browser.<\/p>\n\n\n\n This trojanized Tor Browser is a fully functional application. In fact, it is based on Tor Browser 7.5, which was released in January 2018. Thus, non-technically-savvy people probably won\u2019t notice any difference between the original version and the trojanized one.<\/p>\n\n\n\n No changes were made to source code of the Tor Browser; all Windows binaries are exactly the same as in the original version. However, these criminals changed the default browser settings and some of the extensions.<\/p>\n\n\n\n Figure 7. The modified settings of the trojanized Tor Browser in extension-overrides.js<\/em><\/p>\n\n\n\n The criminals want to prevent victims from updating the trojanized Tor version to a newer version, because in this case it will be updated to a non-trojanized, legitimate version. That\u2019s why they disabled all kinds of updates in the settings, and even renamed the updater tool from updater.exe to updater.exe0.<\/p>\n\n\n\n In addition to the changed update settings, the criminals changed the default User-Agent to the unique hardcoded value:<\/p>\n\n\n\n Mozilla\/5.0 (Windows NT 6.1; rv:77777.0) Gecko\/20100101 Firefox\/52.0<\/p>\n\n\n\n All trojanized Tor Browser victims will use the same User-Agent; thus it can be used as a fingerprint by the criminals to detect, on the server-side, whether the victim is using this trojanized version.<\/p>\n\n\n\n The most important change is to the xpinstall.signatures.required settings, which disable a digital signature check for installed Tor Browser add-ons. Therefore, the attackers can modify any add-on and it will be loaded by the browser without any complaint about it failing its digital signature check.<\/p>\n\n\n\n Furthermore, the criminals modified the HTTPS Everywhere add-on included with the browser, specifically its manifest.json file. The modification adds a content script (script.js) that will be executed on load in the context of every webpage.<\/p>\n\n\n\n Figure 8. Difference between original manifest.json (left) and modified (right)<\/em><\/p>\n\n\n\n This injected script notifies a C&C server about the current webpage address and downloads a JavaScript payload that will be executed in the context of the current page. The C&C server is located on an onion domain, which means it is accessible only through Tor.<\/p>\n\n\n\n Figure 9. The injected script executed in the context of every webpage<\/em><\/p>\n\n\n\n As the criminals behind this campaign know what website the victim is currently visiting, they could serve different JavaScript payloads for different websites. However, that is not the case here: during our research, the JavaScript payload was always the same for all pages we visited.<\/p>\n\n\n\n The JavaScript payload works as a standard webinject<\/a>, which means that it can interact with the website content and perform specific actions. For example, it can do a form grabbing, scrape, hide or inject content of a visited page, display fake messages, etc.<\/p>\n\n\n\n However, it should be noted that the de-anonymization of a victim is a hard task because the JavaScript payload is running in the context of the Tor Browser and does not have access to the real IP address or other physical characteristics of the victim machine.<\/p>\n\n\n\n The only JavaScript payload we have seen targets three of the largest Russian-speaking darknet markets. This payload attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets.<\/p>\n\n\n\n Figure 10. The part of the JavaScript payload designed to alter cryptocurrency wallets<\/em><\/p>\n\n\n\n Once a victim visits their profile page in order to add funds to the account directly using bitcoin payment, the trojanized Tor Browser automatically swaps the original address to the address controlled by criminals.<\/p>\n\n\n\n
WARNING: Your Tor Browser is outdated
Click the button \u201cUpdate\u201d<\/p>\n\n\n\n<\/a><\/figure>\n\n\n\nDistribution<\/h1>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n
Regular browsers show what you are watching, even through proxies and VPN plug-ins.
Tor encrypts all traffic and passes it through random servers from around the world.
It is more reliable than VPN or proxy and bypasses all Roskomnadzor censorship.
Here is official Tor Browser website:
torproect[.]org
Tor Browser with anti-captcha:
tor-browser[.]org
Save the link<\/p>\n\n\n\n<\/a><\/figure>\n\n\n\nAnalysis<\/h1>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nDarknet markets<\/h1>\n\n\n\n
<\/a><\/figure>\n\n\n\n