During regular threat hunting activities, Kaspersky identified malicious Tor Browser installers. According to their telemetry, all the victims targeted by these installers are located in China. Because the Tor Browser website is blocked, individuals from China have to download Tor from third-party websites. Somebody posted a malicious Tor installer link on a popular Chinese-language YouTube channel dedicated to internet anonymity. The description offers a link to the malicious Tor Browser installer in a screenshot of the video. More than 180,000 people subscribe to the channel, and the video with the malicious link has a view count of over 64,000. According to Kaspersky, the malicious campaign started in March 2022, following the posting of the video in January.
The authorised Tor Browser is of course configured to be more private than the malicious one. The infected Tor Browser stores browsing history and data entered into web pages in addition to the original one. The malicious Tor Browser includes spyware that collects personal information from a variety of libraries and sends it to a command and control server. In addition to spying on victim machines, the spyware can also execute shell commands, giving the attacker full control over the machine.
An initial infection using youtube SEO poisonning
Victims of the OnionPoison campaign may be led to the malicious video through a YouTube search for ‘Tor浏览器’ (Tor Browser in Chinese). The video is listed as the first result for the ‘Tor Browser’ query (Tor Browser in Chinese) using Search Engine Poisoning. It contains two links:
- one directs users to the official Tor Browser website
- another directs users to a malicious Tor Browser installer executable hosted on a Chinese cloud-sharing service.
Since China forbids the Tor website, chinese users must navigate to the cloud-sharing service to download the browser.
The intrusion vector is very interesting, as a lot of threat actor rely on phishing to infect their target. Yet, here, an alternative social engineering vector has been exploited. All detections of the OnionPoison campaign appear to be geographically located in China, based on Kaspersky research.
Malware attacks on the Tor Project
The threat actor uses anonymization software to lure targets. They planted a link on a popular YouTube channel. Unlike common stealers, OnionPoison implants do not automatically collect users’ passwords, cookies, or wallets. Rather, they gather data, such as browsing histories, social media account numbers, and Wi-Fi networks, that can be used to identify victims.
The attackers can use the stolen browser history data to identify victims, contact them through social networks, and threaten to report them to authorities if they have committed illegal activities. In the past, law enforcement agencies, such as the FBI, have used 0-days to identify Tor users involved in darknet cybercrime. A similar case involved the distribution of OnionDuke malware through injections on unencrypted HTTP connections on TOR exit nodes.
It is important to always download software from official websites in order to avoid becoming infected with OnionPoison implants. If that’s not an option, verify the authenticity of installers downloaded from third-party sources by checking their cryptographic signatures. The best way to avoid infection with OnionPoison implants regardless of the actor’s motives is to always download software from official websites. A genuine installer should bear a valid signature. The company name indicated in its certificate should match the name of the software creator. To download the official and latest version of Tor Browser, always download it from the official Tor Project page.
Cyberespionage campaign are a vicious danger. Unlike ransomware attacks, they do not take immediate effect and are less visible. Yet they can have huge impact on privacy and personal safety.