• This malicious Tor Browser has been distributed via two fake websites that claim to distribute the official Russian language version of the Tor Browser.
  • Using this trojanized Tor Browser, attackers have stolen 4.8 bitcoin that is worth over US$ 40,000.

What is the issue?

Researchers from ESET have observed a trojanized version of the Tor Browser that steals bitcoins from darknet market users. Using this malicious Tor Browser, attackers have stolen 4.8 bitcoin from three darknet markets, which is worth over US$ 40,000.

The big picture

This malicious Tor Browser has been distributed via two fake websites that claim to distribute the official Russian language version of the Tor Browser.

  • The first website (torproect[.]org) states that the visitor has an outdated Tor Browser and urges the visitor to update the browser.
  • Upon clicking on the “Update Tor Browser” button, the visitor is redirected to a second website (tor-browser[.]org). This website then offers a Windows installer for download.

“Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button ‘Update’,” the English translation of the message reads.

Researchers noted that both websites, tor-browser[.]org and torproect[.]org, were created in 2014.

  • In 2017 and early 2018, attackers behind this campaign distributed the websites of the trojanized Tor Browser via spam messages on various Russian forums.
  • In March and April 2018, the attackers started using the pastebin.com web service to distribute links to both fake websites.

More details about the Tor Browser

Researchers stated that this fully-functional trojanized Tor Browser is based on Tor Browser 7.5, which was released in January 2018.

  • Attackers behind this malicious Tor Browser have not made any changes to the source code of the Tor Browser, making it look exactly the same as the legitimate Tor Browser.
  • However, the default browser settings and some of the extensions have been updated in the trojanized version.
  • The attackers have disabled every type of update in the settings and renamed the updater tool from updater.exe to updater.exe0. This prevents victims from updating the trojanized build to a newer version, since an update would replace it with a legitimate, non-trojanized Tor Browser.
  • They’ve also disabled the digital signature check for installed Tor Browser add-ons, which allows the attackers to modify any add-on without the browser rejecting it.
  • Additionally, the attackers have modified the HTTPS Everywhere add-on included with the browser, specifically its manifest.json file.

“This injected script notifies a C&C server about the current webpage address and downloads a JavaScript payload that will be executed in the context of the current page. The C&C server is located on an onion domain, which means it is accessible only through Tor,” researchers described.
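As an added example (not from the ESET research or this article), the following Python check audits a Tor Browser installation for the three tampering indicators described above: the updater renamed from updater.exe to updater.exe0, the add-on signature check turned off in the profile preferences, and an HTTPS Everywhere manifest.json that no longer matches a known-good copy. It assumes the signature check was turned off through the standard Firefox preference xpinstall.signatures.required, which the article does not name, and all sample inputs are constructed.

```python
import json
import re

# Defender-side check for the tampering indicators in the write-up: updater.exe
# renamed to updater.exe0, add-on signature checking disabled in prefs, and an
# HTTPS Everywhere manifest.json that differs from a known-good copy.
# Assumption: the signature check was disabled through the standard Firefox pref
# xpinstall.signatures.required (the write-up does not name the pref).
SIG_PREF = "xpinstall.signatures.required"
SCRIPT_KEYS = ("content_scripts", "background", "web_accessible_resources")

def check_updater(install_files):
    """Flag a renamed or missing updater given the file names in Browser/."""
    findings = []
    if "updater.exe0" in install_files:
        findings.append("updater.exe renamed to updater.exe0 (updates disabled)")
    if "updater.exe" not in install_files:
        findings.append("updater.exe missing")
    return findings

def check_prefs(prefs_text):
    """Flag xpinstall.signatures.required set to false in prefs.js/user.js."""
    m = re.search(r'user_pref\("%s",\s*(true|false)\)' % re.escape(SIG_PREF), prefs_text)
    if m and m.group(1) == "false":
        return [f"{SIG_PREF} is false (modified add-ons accepted)"]
    return []

def check_manifest(manifest_text, baseline_text):
    """Flag script-bearing manifest.json keys that differ from the baseline."""
    found, baseline = json.loads(manifest_text), json.loads(baseline_text)
    return [f"manifest.json key '{k}' differs from known-good copy"
            for k in SCRIPT_KEYS if found.get(k) != baseline.get(k)]

def audit(install_files, prefs_text, manifest_text, baseline_text):
    return (check_updater(install_files) + check_prefs(prefs_text)
            + check_manifest(manifest_text, baseline_text))

# Constructed sample inputs (not taken from the real installer).
TAMPERED_FILES = {"firefox.exe", "updater.exe0"}
TAMPERED_PREFS = 'user_pref("xpinstall.signatures.required", false);\n'
BASELINE_MANIFEST = json.dumps({"name": "HTTPS Everywhere",
                                "background": {"scripts": ["background.js"]}})
TAMPERED_MANIFEST = json.dumps({"name": "HTTPS Everywhere",
                                "background": {"scripts": ["background.js"]},
                                "content_scripts": [{"matches": ["<all_urls>"],
                                                     "js": ["inject.js"]}]})

if __name__ == "__main__":
    print(*audit(TAMPERED_FILES, TAMPERED_PREFS, TAMPERED_MANIFEST, BASELINE_MANIFEST), sep="\n")
```

On a real installation the file names would come from listing the browser directory, the prefs text from the profile's prefs.js, and the baseline manifest from a clean copy of the same Tor Browser release.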

The targets

This campaign has targeted the three largest Russian-speaking darknet markets by modifying QIWI (a popular Russian money transfer service) or bitcoin wallets located on the pages of these markets.

Therefore, once a victim visits any of these darknet market pages to add funds to an account directly via bitcoin payment, the trojanized Tor Browser automatically swaps the original address for an address controlled by the attackers.

The total amount of received funds for all three wallets is 4.8 bitcoin, which is worth over US$40,000.

“This trojanized Tor Browser is a non-typical form of malware, designed to steal digital currency from visitors to darknet markets. Criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years,” researchers concluded.