Cybercrime , Fraud Management & Cybercrime

Malicious Tor Browser Fleeces Darknet Users of Bitcoins

Cybercriminals Have Stolen About $40,000 So Far, Researchers Say
Malicious Tor Browser Fleeces Darknet Users of Bitcoins

A newly uncovered criminal scheme is using a trojanized version of the anonymized Tor browser to fleece darknet users of their bitcoins, according to research released Friday from security firm ESET.

See Also: Supporting Malware Analysis at Scale

Between 2017 and 2018, the unknown criminal gang advertised the webpages of this trojanized Tor browser using spam messages on various Russian-language forums. Over several months, these webpages received about 500,000 page views, with the gang able to collect about $40,000 in stolen bitcoins through the scheme, the ESET researchers say.

Using the anonymizing Tor browser is essential for those users that want to reach these various darknet and dark market websites. These sites typically only accept payment in pseudonymizing cryptocurrency such as bitcoin.

In the case that ESET researchers uncovered, the cybercriminals advertised their malicious Tor browser on various Russian-language forums as well as Pastebin. As part of the ruse, the gang advertised their offering as the "official Russian language version of the Tor Browser," according to ESET.

As part of the scam, the criminal gang used two domains, "tor-browser[.]org" and "torproect[.]org," which were similar to the official Tor project domain, the report notes. In the one case, the "j" was missing, ESET researcher found.

"For Russian-speaking victims, the missing letter might raise no suspicion due to the fact that 'torproect' looks like a transliteration from the Cyrillic," according to the research note.

Spamming Tor Users

This particular scam starts with spam messages sent to Tor browser users who are mainly Russian speaking, according to ESET. These messages contain various topics related to darknet and other underground forums, including information about cryptocurrencies, internet privacy and censorship, ESET found.

In some cases, these messages mention Roskomnadzor, a Russian government entity that is known for censorship, according to ESET.

These spam messages also contain links back to the phony webpages that resemble official Toj project, but are actually controlled by the criminal gag, ESET finds. It's there that the users are encouraged to download an updated version of Tor, which is actually the trojanized version of the application created by the gang.

Spoofed page advertising the trojanized Tor browser (Source: ESET)

The malicious browser is actually based on Tor Browser 7.5 - a version of the app released in January 2018. "Thus, non-technically-savvy people probably won't notice any difference between the original version and the trojanized one," the ESET researchers say.

Trojan Browser

The trojanized Tor browser works much like the real version of the browser. The difference, however, is that the cybercriminals changed some default browser settings and extensions, ESET researcher say.

The changes prevent the user from updating the trojanized version of Tor to the legitimate one. In addition, the malicious version has changes to the xpinstall.signatures.required setting, which then allows the gang make additional add-on.

Finally, the HTTPS Everywhere add-on has been tampered with, which then allows the trojanized browser to connect to a command-and-control server hosted on the darknet, ESET finds.

If the users attempts to make purchases on one of three Russian-language darknet forums, the command-and-control server will send out JavaScriptbased payload that alters settings on the target's digital currency wallet, and the transfers bitcoins to the attackers, ESET found.

This same transfer process also happens if the target attempts to use QIWI, a Russian money transfer service.

While ESET researchers believe that the malicious pages that host the trojanized Tor bowser have been visited about a half million times over the last several years, it's not clear if this all the activity associated with this particular criminal scheme, and the amount of cryptocurrency stolen could be much higher.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.