Visitors of darknet resources become a target of the cybercriminals, who distribute a fake version of the TOR browser that steals cryptocurrency. The program looks for open wallet identifiers on open pages and replaces their addresses.
According to experts who discovered the cyber campaign, using a fraudulent scheme, criminals were able to steal more than $ 40 thousand in digital currency.As the researchers found, a malicious Internet browser spreads through two sites that have consonant with legitimate TOR resources domains. The malicious page displays a message to the visitor about the need to update the browser and offers to download the latest version with a captcha bypass mechanism.
Read also: Rocke Grouping Applies New Detection Bypass Methods
Fraud sites are advertised through the Pastebin web service. In their messages, cybercriminals use a wide range of keywords to drive traffic through common search queries.
“Spam messages also help the actor(s) distribute the trojanized variant, which is delivered from two domains claiming to provide the official Cyrillic version of the software. Cybercriminals were careful with selecting the two domain names (created in 2014) since to a Russian user they appear to be the real deal: tor-browser[.]org, torproect[.]org – for Russian-speaking visitors, the missing “j” may be seen as a transliteration from Cyrillic”, — write BleepingComputer journalists.
Caught by the scammers, a site visitor downloads the Cyrillic-language TOR 7.5 for Windows to his computer, in which the update tools were disabled using the settings, the default User Agent was changed, and one of the plugins was modified.
Experts have found that the HTTPS Everywhere extension includes a JavaScript script that loads an additional script, which will be executed in the context of the current page.
This payload works like a web injection that can interact with the contents of an open page and perform various actions: steal data entered into forms, hide or embed content, display fake messages, etc.
In this case, the malware responds to an attempt to enter user identifiers of the Qiwi payment system or Bitcoin wallet, and instantly changes the address to the one belonging to the attackers.
“When victims add Bitcoin funds to their account, the script jumps in and changes the wallet address with one belonging to the attackers. Since cryptocurrency wallets are a large string of random characters, users are likely to miss the swap”, — report IS experts.
According to experts, since 2017, a total of 4.8 BTC has been received in three bitcoin wallets belonging to attackers, which is equivalent to more than 40 thousand dollars. There are currently no data on fraudulent transactions on Qiwi wallets.
The malicious version of the TOR browser is capable of downloading other modified extensions, as cybercriminals have disabled the mechanism for checking digital signatures of updates for plugins in it. In addition, the program command server, which is located in the onion address space, receives data about pages opened by the victim and is theoretically capable of changing the payload depending on their contents.
