
Fake Tor Browser Steals Bitcoin from Russian Darkweb Users

By Alex Nimoy Oct. 19, 2019, 4:36 p.m.

Cybercrime researchers discovered a so-called “trojanized version” of the Tor Browser responsible for stealing $40,000 from users of Russian darknet markets. The infected version of the browser is being distributed through darkweb forums via posts about darknet markets, cryptocurrency, and bypassing censorship.

According to researchers at ESET, the actors behind the campaign have been directing users to one of three domains that mimic the Tor Project’s official website, torproject.org. One example looks very similar to the official domain: torproect.org (note the missing “j”). The fake Tor Project website contains descriptions of the Tor Browser as well as a link to download the modified version of the browser. The link is distributed from tor-browser.org.

Here are three claims made about the fake browser, translated from Russian automatically:

If you want to surf darknet not to fear for your safety, then this most protected tor browser is for you!

If you are tired of unsolvable captcha and constant lags of an ordinary browser tor, it’s time to upgrade to our upgraded browser.

You can not doubt the security of this browser, all traffic is wrapped in a torus, including the recaptcha solver.

The fake version of the browser is based on Tor Browser 7.5 and is a fully functioning browser. The ESET researchers wrote that the binary is exactly the same as the official browser. The most significant change is to the Firefox xpinstall.signatures.required setting, which allows the installation of unsigned and potentially malicious add-ons. They modified the HTTPS Everywhere add-on to inject JavaScript into every page viewed by the victim.
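The setting change above is something a defender can check for directly: Tor Browser ships with add-on signature enforcement turned on, and a profile whose prefs.js turns it off has been tampered with or misconfigured. The following script is an added example (not code from the article, ESET, or the Tor Project): it parses a prefs.js file's user_pref lines and reports any security-relevant preference that deviates from its expected value. The sample prefs.js content is constructed for the example, and only the one preference named in the article is audited.

```javascript
// Added example: audit a Firefox/Tor Browser prefs.js for the weakened
// add-on signing setting. Not the article's or the Tor Project's code.

// Preferences a defender expects to find in a healthy profile.
// Tor Browser enforces add-on signatures; the trojanized build turns this off.
const EXPECTED_PREFS = {
  "xpinstall.signatures.required": true,
};

// Parse lines of the form  user_pref("name", value);  into an object.
// Values are JSON literals (true/false, numbers, "strings"), so JSON.parse
// decodes them; anything unparsable is kept as the raw string.
function parsePrefs(prefsText) {
  const prefs = {};
  const line = /^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$/;
  for (const raw of prefsText.split(/\r?\n/)) {
    const m = line.exec(raw);
    if (!m) continue;
    let value;
    try {
      value = JSON.parse(m[2]);
    } catch {
      value = m[2];
    }
    prefs[m[1]] = value;
  }
  return prefs;
}

// Return one finding per audited preference whose value is not the expected one.
// A preference that is absent from prefs.js keeps its built-in default and is
// not reported.
function auditPrefs(prefsText) {
  const prefs = parsePrefs(prefsText);
  const findings = [];
  for (const [name, expected] of Object.entries(EXPECTED_PREFS)) {
    if (name in prefs && prefs[name] !== expected) {
      findings.push({ pref: name, expected, actual: prefs[name] });
    }
  }
  return findings;
}

// Constructed sample of a tampered prefs.js (not a real capture).
const SAMPLE_PREFS = `
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("xpinstall.signatures.required", false);
user_pref("extensions.lastAppVersion", "52.9.0");
`;

console.log(auditPrefs(SAMPLE_PREFS));
// One finding: xpinstall.signatures.required expected true, actual false
```

On a real system the same function would be fed the contents of prefs.js (or user.js) from the Tor Browser profile directory. Note that a tampered build could also hard-code the change in the browser's own default preferences rather than the profile, so a clean prefs.js is necessary but not sufficient; comparing the installed package against the signed download from torproject.org remains the stronger check.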

This injected script notifies a C&C server about the current webpage address and downloads a JavaScript payload that will be executed in the context of the current page. The C&C server is located on an onion domain, which means it is accessible only through Tor.

As the criminals behind this campaign know what website the victim is currently visiting, they could serve different JavaScript payloads for different websites. However, that is not the case here: during our research, the JavaScript payload was always the same for all pages we visited.

The JavaScript payload works as a standard webinject, which means that it can interact with the website content and perform specific actions. For example, it can do form grabbing, scrape, hide or inject content of a visited page, display fake messages, etc.

Like the phishing proxies currently stealing funds from users of Empire Market, the fake Tor Browser swaps the deposit addresses on three Russian darkweb markets. Instead of seeing the Bitcoin address of their marketplace wallet, users see one of three Bitcoin addresses controlled by the actors responsible for this campaign.

3338V5E5DUetyfhTyCRPZLB5eASVdkEqQQ
3CEtinamJCciqSEgSLNoPpywWjviihYqrw
1FUPnTZNBmTJrSTvJFweJvUKxRVcaMG8oS
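Because the swap happens inside the victim's own browser, the only reliable defence is to compare what the page displays against an address recorded out-of-band (a deposit address noted down in an earlier, clean session, or one confirmed through the market's support channel). The script below is an added example, not code from the article or from ESET: it scans rendered page text for Bitcoin-style addresses, flags any that match the three addresses listed above, and reports any address that differs from the one the user expects. The sample page text and the "expected" address are constructed for the example; the script does not perform base58check validation, only pattern matching.

```javascript
// Added example: detect a swapped deposit address in page text.
// Not the article's, ESET's or any market's code.

// The three addresses the article attributes to this campaign.
const KNOWN_SWAP_ADDRESSES = new Set([
  "3338V5E5DUetyfhTyCRPZLB5eASVdkEqQQ",
  "3CEtinamJCciqSEgSLNoPpywWjviihYqrw",
  "1FUPnTZNBmTJrSTvJFweJvUKxRVcaMG8oS",
]);

// Legacy P2PKH/P2SH addresses (base58, starting with 1 or 3) and bech32
// (bc1...) addresses. Pattern match only; no checksum verification.
const ADDRESS_RE = /\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b/g;

// Unique address-looking strings in the given text.
function findAddresses(text) {
  return [...new Set(text.match(ADDRESS_RE) || [])];
}

// Compare the addresses shown on a deposit page with the one the user
// recorded out-of-band. Returns everything a user or analyst needs to decide
// whether the page has been tampered with.
function checkDepositPage(text, expectedAddress) {
  const found = findAddresses(text);
  return {
    found,
    knownMalicious: found.filter((a) => KNOWN_SWAP_ADDRESSES.has(a)),
    unexpected: found.filter((a) => a !== expectedAddress),
    expectedPresent: found.includes(expectedAddress),
  };
}

// Constructed "expected" address (syntactically address-shaped, not a real wallet).
const EXPECTED_DEPOSIT = "1ExpectedDepositAddrDemo2345678ABC";

// Constructed sample of a deposit page after the webinject has replaced
// the market's address with one of the campaign's addresses.
const SAMPLE_PAGE = `
Deposit BTC to your wallet:
3338V5E5DUetyfhTyCRPZLB5eASVdkEqQQ
Minimum deposit 0.001 BTC. Confirmations required: 3
`;

console.log(checkDepositPage(SAMPLE_PAGE, EXPECTED_DEPOSIT));
// knownMalicious: ["3338V5E5DUetyfhTyCRPZLB5eASVdkEqQQ"], expectedPresent: false
```

In a browser the text to scan is document.body.innerText; in an analysis pipeline it can be the captured HTML or a screenshot's OCR output. Keep in mind that an injected script runs with full control of the page, so a check like this is only trustworthy when it runs outside the compromised browser (for example over a saved copy of the page on a clean machine), and the address list above should be treated as the campaign's indicators at the time of the report rather than a complete set.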
