Fake Tor Browser steals Bitcoin from Dark Web users

Dark Web traders may find the cryptocurrency intended for purchases ending up in the hands of cyberattackers.
Written by Charlie Osborne, Contributing Writer

A covert campaign to deprive Dark Web users of their cryptocurrency has been exposed by researchers. 

The cyberattackers behind the operation have been distributing a malicious version of the Tor Browser, required to access the underbelly of the Internet, for years -- and have included a cryptocurrency stealer as a bonus. 

Entry into the Tor network is a requirement to access underground websites hosted on .onion domains. To capitalize on this need, the fraudulent operators promoted their version of the Tor package on forums and PasteBin as the "official Russian language version of the Tor Browser" during 2017 and 2018, according to ESET.

The Trojanized Tor installer is also promoted on two typosquatted websites, tor-browser.org and torproect.org. In Russian, the domains display messages informing visitors their Tor version is outdated and attempt to redirect them to another website containing a Windows-based installer. At present, there is no sign of a malicious macOS, Linux, or mobile version.

If installed, the custom Tor Browser functions in the same way as the legitimate application. However, changes have been made to settings and extensions to covertly disable updates -- even going so far as to rename the updater tool -- and to change the standard User-Agent to a value that allows the program's use to be detected server-side.

The xpinstall.signatures.required setting has also been tampered with. The digital signature check implemented by the legitimate Tor service to prevent malicious programs or software that could compromise user safety and anonymity has been disabled, giving attackers carte blanche to modify or load add-ons.
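A defender's check for the tampering described above, as an added example that is not from ESET or the article: it parses Firefox-style preference files and flags a disabled add-on signature check. Flagging `general.useragent.override` (a real Firefox preference) is an assumption about how a User-Agent change would surface, and the sample inputs are constructed.

```python
import re

# Firefox-style pref lines: pref("name", value); user_pref(...); lockPref(...); defaultPref(...)
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|lockPref|defaultPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$',
    re.MULTILINE,
)

def parse_prefs(text):
    """Return {name: value}; later lines override earlier ones, // comments are skipped."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit_prefs(text):
    """List findings that match the tampering described in the article."""
    prefs = parse_prefs(text)
    findings = []
    if prefs.get("xpinstall.signatures.required") is False:
        findings.append("xpinstall.signatures.required=false: add-on signature check disabled")
    # Assumption: a changed User-Agent shows up as this override preference.
    ua = prefs.get("general.useragent.override")
    if ua is not None:
        findings.append(f"general.useragent.override set: {ua!r}")
    return findings

# Constructed sample inputs, not taken from the malware or from a real profile.
SAMPLE_TAMPERED = '''
pref("xpinstall.signatures.required", false);
pref("general.useragent.override", "EXAMPLE-UA/0.0 (constructed)");
pref("browser.startup.page", 0);
'''
SAMPLE_CLEAN = '''
// pref("xpinstall.signatures.required", false);
user_pref("xpinstall.signatures.required", true);
'''

if __name__ == "__main__":
    for label, text in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        print(label, audit_prefs(text) or "no findings")
```
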

In addition, the HTTPS Everywhere add-on, included by default, has been modified to add a script that loads on every webpage and sends the user's browsing activity directly to a command-and-control (C2) server controlled by attackers.  

Located in the Dark Web, the C2 also hosts a payload designed to be executed in the browser. This JavaScript payload specifically targets three large Russian-speaking Dark Web marketplaces.

Purchases in these marketplaces are usually made using cryptocurrency such as Bitcoin (BTC) in order to mask the transaction and the user's identity.

If a user visits these domains and tries to make a purchase by adding funds to their wallet, the script activates and attempts to change the wallet address, thereby ensuring funds are sent to an attacker-controlled wallet instead. 

The payload will also try to alter wallet addresses offered by Russian money transfer service QIWI. 

"In theory, the attackers can serve payloads that are tailor-made to particular websites. However, during our research, the JavaScript payload was always the same for all pages we visited," the researchers say.

It is not possible to say how widespread the campaign is, but the researchers say that PasteBin pages promoting the Trojanized browser have been visited at least half a million times, and known wallets owned by the cybercriminals have 4.8 BTC stored -- equating to roughly $40,000. 

ESET believes that the actual value of stolen funds is likely to be higher considering the additional compromise of QIWI wallets. 

Whether Russian language-based or not, downloading software from third-party websites rather than official repositories comes with risk. The tactic of tampering with legitimate software for malicious purposes is a popular one, and to mitigate the risk of compromise, you should always check the source of new software downloads.
