Screenshot of the video with a link to the malicious Tor Browser installer in the description section Initial infection We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it. More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. Unlike the legitimate one, the infected Tor Browser stores browsing history and data entered into website forms. The installation of the malicious Tor Browser is configured to be less private than the original Tor. The video was posted in January 2022, and the campaign’s first victims started to appear in our telemetry in March 2022. The channel has more than 180,000 subscribers, while the view count on the video with the malicious link exceeds 64,000. In our case, a link to a malicious Tor installer was posted on a popular Chinese-language YouTube channel devoted to anonymity on the internet. As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites. According to our telemetry, all the victims targeted by these installers are located in China. While performing regular threat hunting activities, we identified multiple downloads of previously unclustered malicious Tor Browser installers.
0 kommentar(er)
