December 2, 2020

Tor fake browser steals Bitcoin cryptocurrency from darknet users

Unknown attackers are distributing a version of the Tor Browser with malicious code on the Internet. The program is positioned as the official Russian version of Tor.

Links to the installation file were posted on various forums and on the sites pastebin.com, tor-browser.org and torproect.org. So far, the researchers have found an installer for Windows only, so devices running macOS and Linux were not susceptible to the attack.

After installation, Tor works as usual; however, the hackers changed settings and extensions to disable automatic updates. The attackers also modified the standard User-Agent to track the user's IP. In addition, a script was built into the HTTPS Everywhere add-on; it is loaded whenever a page is opened and sends data on the user's actions to the criminals' server. To do this, the fraudsters disabled the xpinstall.signatures.required option, which checks the digital signatures of the software in order to protect information and anonymity.
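A defensive check for the settings tampering described above, as an added example that is not from the article or from ESET's research: it scans a Firefox-style preferences file for signature checking or updates being switched off. Only xpinstall.signatures.required is named in the article; the two update preference names and the sample file contents are assumptions.

```python
import re

# Preferences expected to be true in an untampered profile.
# xpinstall.signatures.required is named in the article; the two update
# preferences are assumed here (standard Firefox names, not from the article).
EXPECTED_TRUE = {
    "xpinstall.signatures.required": "add-on signature checks disabled",
    "app.update.auto": "browser auto-update disabled",
    "extensions.update.enabled": "add-on update checks disabled",
}

# Matches e.g. user_pref("name", value); also pref/lockPref/defaultPref forms.
PREF_RE = re.compile(
    r'^\s*(user_pref|pref|lockPref|defaultPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;'
)

def audit_prefs(text):
    """Return sorted (line_no, pref_name, finding) tuples for disabled protections.

    A later assignment overrides an earlier one, so only the last value of
    each preference is judged. Commented-out lines never match PREF_RE.
    """
    last = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PREF_RE.match(line)
        if m and m.group(2) in EXPECTED_TRUE:
            last[m.group(2)] = (line_no, m.group(3).lower())
    return [
        (line_no, name, EXPECTED_TRUE[name])
        for name, (line_no, value) in sorted(last.items())
        if value == "false"
    ]

# Constructed sample input, not taken from the malware described in the article.
SAMPLE = '''\
// constructed prefs.js excerpt
user_pref("browser.startup.page", 0);
user_pref("xpinstall.signatures.required", true);
user_pref("app.update.auto", false);
user_pref("extensions.update.enabled", false);
user_pref("xpinstall.signatures.required", false);
// user_pref("app.update.auto", true);
'''

if __name__ == "__main__":
    for line_no, name, finding in audit_prefs(SAMPLE):
        print(f"line {line_no}: {name} = false ({finding})")
```

A hit is a reason to verify the installer's origin and signature, not proof of compromise on its own.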

The theft of money occurs when funds are transferred to accounts on three Russian-speaking illegal marketplaces. JavaScript is integrated into the fake version of the browser and loads when a user tries to top up the balance on these marketplaces. The script is activated and replaces the Bitcoin wallet address or the QIWI account number specified in the user's account with payment details belonging to the attackers.

Experts cannot determine the exact number of malware downloads; however, it became known that the Tor page with the Trojan on PasteBin was visited at least 500,000 times. The known hacker wallets hold 4.8 BTC (almost $40,000). ESET antivirus developers suggest that the amount of damage is much higher when the money held in the QIWI accounts is taken into account. The idea of the authors of the project can be called an ideal crime, since the victims do not turn to law enforcement agencies, because they themselves violated the law by purchasing illegal goods on the dark.