Jump to content

Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users


SwissMiss
 Share

Recommended Posts

Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users

Malicious-Tor.jpg

 

A trojanized version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and tracks the websites they visit.

 

More than 860 transactions are registered to three of the attackers' wallets, which received about $40,000 in Bitcoin cryptocurrency.

Careful impersonation

The malicious Tor Browser is actively promoted as the Russian version of the original product through posts on Pastebin that are have been optimized to rank high in queries for drugs, cryptocurrency, censorship bypass, and Russian politicians.

 

Spam messages also help the actor(s) distribute the trojanized variant, which is delivered from two domains claiming to provide the official Russian version of the software.

 

Cybercriminals were careful with selecting the two domain names (created in 2014) since to a Russian user they appear to be the real deal:

  • tor-browser[.]org
  • torproect[.]org - for Russian-speaking visitors, the missing "j" may be seen as a transliteration from Cyrillic

Furthermore, the design of the pages mimic, to some extent, the official site of the project. Landing on one of these pages shows the visitor a warning that their browser is updated, regardless of the version they run.

 

TrojanizedTor0-ESET.png

 

Translated into English, the message reads:

 

"Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button “Update"

 

In Pastebin messages, the cybercriminals advertise that users would benefit from anti-captcha feature allowing them to get faster to the destination.

 

This is not true, though. Underneath this Tor Browser impersonator is version 7.5 of the official project, released in January 2018.

Getting the cryptocurrency

The downloaded script can modify the page by stealing content in forms, hiding original content, showing fake messages, or add its own content.

 

These capabilities allow the script to replace in real-time the destination wallet for cryptocurrency transactions. The JavaScript observed by ESET does exactly this.

 

TrojanizedTor2-ESET.png

 

The targets are users of the three largest Russian-speaking darknet markets, the researchers say. For the payload they observed (image above), the script also alters the details for the Qiwi payment service provider.

 

When victims add Bitcoin funds to their account, the script jumps in and changes the wallet address with one belonging to the attackers.

 

Since cryptocurrency wallets are a large string of random characters, users are likely to miss the swap.

 

TrojanizedTor3-ESET.png

Darknet profile with altered Bitcoin address

 

At the moment of publishing, the three cryptocurency wallets controlled by the attackers recorded 863 transactions. These are small transfers, supporting the theory that the funds came via the trojanized Tor Browser.

 

One of them received more than $20,000 from over 370 transactions. The largest balance, though, is currently around $50 in one wallet and less than $2 in the other two.

 

TrojanizedTor4-ESET.png

 

The three wallets have been used for this purpose since 2017, the researchers found. Although the amount of Bitcoins that passed through these wallets is 4.8, the total proceedings for the attackers is likely higher because Qiwi payment details are also altered.

 

 

 

Source: Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...