Brother
Professional
The malicious version of the Tor browser steals cryptocurrency from users of darknet markets and monitors the websites they visit. Back in 2017, the attackers registered three cryptocurrency wallets, to which $40,000 in bitcoin was transferred.
According to ESET experts, the cybercriminals advertise the malicious version of Tor on the Pastebin website as a "Russian-language version" of the browser. Moreover, the advertising posts are optimized so that they stay at the top of the search results for queries such as drugs, cryptocurrency, bypassing blocking, and Russian politicians. Potential victims are lured by the claim that the advertised version of the browser supposedly allows them to bypass CAPTCHAs.
Another way the malware is spread is spam mailings. Under the guise of the "official Russian version", the malware is downloaded from the tor-browser [.] org and torproect [.] org domains, registered in 2014. The site design is copied from the current Tor Project site. When a user lands on these sites, regardless of the version of Tor used, a notification is displayed on the screen saying that the browser is out of date and requires an update.
If the user decides to "update" the browser, a script is loaded onto the system that can modify web pages. In particular, it steals content from forms, hides original content, shows fake posts, and adds other content. This allows the malware to replace, in real time, the cryptocurrency wallet address to which funds are being sent. In addition, the script is capable of stealing data from Qiwi wallets.
When a victim deposits cryptocurrency into an account, the script changes the wallet address to one belonging to the attackers. Since cryptocurrency addresses are long strings of random characters, users often don't notice the substitution.
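The two distribution domains named above differ from the real torproject.org only by a dropped letter or a hyphenated brand token, which is exactly the pattern a proxy-log or mail-gateway review can flag. The following is an added example, not code from the post or from ESET: a small Python look-alike-domain check that refangs defanged indicators, scores the registrable label by edit distance against a trusted domain list, and falls back to a brand-token heuristic for names like tor-browser. The trusted list, the brand tokens, and the sample hostnames are assumptions constructed for illustration.

```python
"""Flag look-alike domains of a trusted site (defender-side triage helper).

Added example, not part of the original post. The trusted list and brand
tokens below are assumptions for illustration; the sample hostnames in
scan_sample() are constructed from the defanged indicators in the post.
"""
from typing import Optional

# Assumed trusted domains; extend with whatever your organisation whitelists.
LEGITIMATE = ("torproject.org",)
# Assumed brand tokens: a hyphen-separated label containing one of these but
# not belonging to a trusted domain is suspicious (e.g. "tor-browser").
BRAND_TOKENS = ("tor",)


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'torproect [.] org' back into a hostname."""
    return domain.replace(" [.] ", ".").replace("[.]", ".").replace(" ", "").lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'torproect' from 'www.torproect.org'.
    Naive: assumes a one-part TLD; use a public-suffix list in production."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify(host: str, legitimate=LEGITIMATE, max_distance: int = 2) -> Optional[dict]:
    """Return a finding dict if `host` looks like an impersonation of a trusted
    domain, or None if it is trusted or unrelated."""
    host = refang(host)
    # Exact match or a subdomain of a trusted domain is fine.
    if host in legitimate or any(host.endswith("." + l) for l in legitimate):
        return None
    label = registrable_label(host)
    # Heuristic 1: small edit distance on the registrable label (torproect ~ torproject).
    for legit in legitimate:
        d = levenshtein(label, registrable_label(legit))
        if d <= max_distance:
            return {"host": host, "closest": legit, "reason": "edit-distance", "detail": d}
    # Heuristic 2: brand token inside a hyphenated label (tor-browser).
    tokens = label.split("-")
    for token in BRAND_TOKENS:
        if token in tokens:
            return {"host": host, "closest": legitimate[0], "reason": "brand-token", "detail": token}
    return None


def scan(hosts) -> list:
    """Run classify() over an iterable of hostnames and keep the findings."""
    return [f for f in (classify(h) for h in hosts) if f is not None]


def scan_sample() -> list:
    """Constructed sample: the two defanged domains from the post plus benign hosts."""
    sample = ["tor-browser [.] org", "torproect [.] org", "www.torproject.org", "example.com"]
    return scan(sample)


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"{finding['host']:<20} ~ {finding['closest']} ({finding['reason']}: {finding['detail']})")
```

Edit distance alone would miss tor-browser.org (the label shares only a prefix with torproject), which is why the token heuristic is there; conversely the token check alone would not catch torproect. Tune `max_distance` and the token list per brand, and expect some false positives on short labels.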
