A surge of trojanized Tor Browser installers is targeting Russians and Eastern Europeans with clipboard-hijacking malware that steals infected users' cryptocurrency transactions.
Kaspersky analysts warn that while this attack is neither new nor particularly creative, it is nonetheless effective and prevalent, infecting many users worldwide.
While these malicious Tor installers target countries worldwide, Kaspersky says that most are aimed at Russia and Eastern Europe.
“We relate this to the ban of Tor Project’s website in Russia at the end of 2021, which was reported by the Tor Project itself,” explains Kaspersky.
“According to the latter, Russia was the second largest country by number of Tor users in 2021 (with over 300,000 daily users, or 15% of all Tor users).”
Malicious Tor Browser installers
Tor Browser is a specialized web browser that lets users browse the web anonymously by routing their traffic through a circuit of encrypted relays, so that the sites they visit see a Tor exit node's IP address rather than their own.
Tor can also be used to access .onion domains, otherwise known as the “dark web,” which are not indexed by standard search engines or reachable through regular browsers.
Cryptocurrency holders may use the Tor browser either to enhance their privacy and anonymity while transacting in cryptocurrency, or because they want to access illegal dark web marketplaces, which are paid in crypto.
Trojanized Tor installations are often promoted as “security-strengthened” versions of the official Tor Project browser, or pushed to users in countries where Tor is banned, where downloading the official version is harder.
Kaspersky says that these installers contain a standard, though in most cases outdated, build of the Tor browser, along with an additional executable hidden inside a password-protected RAR archive set to self-extract on the user's system. The password protection keeps the payload out of reach of scanners that inspect archive contents statically.
The installers are also localized with names like ‘torbrowser_ru.exe,’ and contain language packs allowing users to select their preferred language.
[Image omitted. Source: Kaspersky]
While the standard Tor browser launches in the foreground, the archive extracts the malware in the background, runs it as a new process, and registers it in the system autostart so it survives reboots. The malware also uses a uTorrent icon to blend in on the compromised system; an autostart entry pointing at a uTorrent-branded executable on a machine with no uTorrent installation is worth a second look.
[Image omitted. Source: Kaspersky]
Kaspersky detected 16,000 variants of these Tor installers between August 2022 and February 2023 in 52 countries, based on telemetry from users of its security products.
While the majority target Russia and Eastern Europe, they have also been seen targeting the United States, Germany, China, France, the Netherlands, and the United Kingdom.
[Image omitted. Source: Kaspersky]
Clipboard hijacking
Because cryptocurrency addresses are long and impractical to type, users commonly copy them to the clipboard and paste them into a wallet application or website.
The malware monitors the clipboard for recognizable crypto wallet addresses using regular expressions, and when one is detected, replaces it with an address for the same cryptocurrency that is owned by the threat actors.
When the user pastes, the threat actor's address is pasted instead, and the funds go to the attackers. Because the substitute is a syntactically valid address of the expected type, the wallet accepts it without complaint; only comparing the pasted address character by character against the intended one reveals the swap.
[Image omitted. Source: Kaspersky]
Kaspersky says the threat actor embeds thousands of addresses in each malware sample and picks the replacement at random from this hardcoded list. Spreading the proceeds across so many wallets makes tracking, reporting, and blocklisting them hard.
The company unpacked hundreds of the samples it had collected to extract the replacement addresses and found that they had received almost $400,000, excluding Monero, whose transactions cannot be traced on-chain.
[Image omitted. Source: Kaspersky]
That is the money stolen by a single campaign run by one malware author; there are almost certainly other campaigns using trojanized installers for other software.
To stay protected from clipboard hijackers, only install software from trusted official sources, in this case the Tor Project website, and verify the downloaded installer's OpenPGP signature against the Tor Project's published signing key.
A simple test to check whether a clipper has infected you is to copy this address and paste it into Notepad: bc1heymalwarehowaboutyoureplacethisaddress.
If what you paste is different, your system is compromised. The reverse does not hold: a clipper whose patterns happen not to match this string will pass the test, so an unchanged paste is not proof that the system is clean.
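The substitution logic described under “Clipboard hijacking” and the copy-and-paste self-test above, as an added example that is not from the article or from Kaspersky's analysis: a simulated clipper operating on a string that stands in for the clipboard, plus the user-side comparison the self-test relies on. The address regexes are illustrative and deliberately loose (the real malware's patterns are not published in the article), and the “attacker” and “victim” addresses are constructed placeholders, not real wallets.

```python
import random
import re

# Illustrative address patterns, assumed for this example. Clippers tend to use
# loose regexes like these: they only need to catch things that look like addresses.
PATTERNS = {
    "btc": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed placeholder "attacker" wallets, standing in for the thousands of
# hardcoded addresses per sample that Kaspersky reports. Not real wallets.
ATTACKER_ADDRESSES = {
    "btc": [
        "bc1qfakeattacker" + "0" * 26,       # bech32-shaped, 39 chars after "bc1"
        "1FakeAttackerAddress" + "X" * 14,   # legacy-shaped, 34 chars total
    ],
    "eth": ["0x" + "fa" * 20, "0x" + "ce" * 20],
}

# Constructed victim addresses and the self-test string quoted in the article.
VICTIM_BTC = "bc1qvictim" + "0" * 29
VICTIM_ETH = "0x" + "ab" * 20
TEST_ADDRESS = "bc1heymalwarehowaboutyoureplacethisaddress"


def hijack(clipboard_text: str, rng: random.Random) -> str:
    """What the clipper does on every clipboard change: swap each recognised
    address for a randomly chosen attacker address of the same coin type, and
    leave all surrounding text untouched so nothing looks wrong to the user."""
    out = clipboard_text
    for coin, pattern in PATTERNS.items():
        out = pattern.sub(lambda m, coin=coin: rng.choice(ATTACKER_ADDRESSES[coin]), out)
    return out


def classify_paste(copied: str, pasted: str) -> str:
    """The article's self-test, made explicit: compare what you copied with what
    was pasted.
      'clean'    -> identical
      'replaced' -> same number of same-type addresses, but different values:
                    the clipper signature (the result still looks like a valid address)
      'modified' -> changed in some other way (not what a clipper does)"""
    if copied == pasted:
        return "clean"
    for pattern in PATTERNS.values():
        before = pattern.findall(copied)
        after = pattern.findall(pasted)
        if before and len(before) == len(after) and before != after:
            return "replaced"
    return "modified"


if __name__ == "__main__":
    rng = random.Random(2023)  # seeded only so the demo is reproducible
    for clip in [f"send to {VICTIM_BTC} now", VICTIM_ETH, "just some text", TEST_ADDRESS]:
        pasted = hijack(clip, rng)
        print(f"{clip!r}\n  -> {pasted!r}  [{classify_paste(clip, pasted)}]")
```

Note that the test string is caught only because the loose pattern accepts any lowercase letter or digit after `bc1`; a strict bech32 character set would reject it, which is exactly why a negative self-test result says nothing definitive about a system.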