Cybersecurity biz Kaspersky has spotted a modified version of the Tor Browser it says collects sensitive data on Chinese users.
The data collected by the browser itself includes internet history and data entered into website forms, said the threat hunter. More spyware was hidden in an accompanying library that collected further data, including computer name and location, user name, and MAC addresses of network adapters, before sending it to a command-and-control (C2) server.
The icing on the cake is built-in functionality to execute shell commands, giving the attacker full control over the machine. The Tor Browser is designed for anonymity and enables use of the dark web. While some of the activity it facilitates is illegal, it is also often used for legitimate purposes. However, it is blocked in China.
Which is why Chinese residents sometimes resort to creative ways of downloading it, usually from third-party websites. In the case of the malicious version found by Kaspersky, a link was posted in January 2022 on a YouTube channel that advocates internet anonymity in the Chinese language.
YouTube is also banned in China, though people can access the site through a VPN.
The malicious Tor Browser installer was hosted on a Chinese cloud sharing service and looks identical to the authentic one in its user interface. However, it carried no digital signature, and some of the files obviously differed from the original, said Kaspersky.
The Tor Project does offer some tips on using the product while in China, beginning with emailing the project (its GetTor service) to obtain a current copy of Tor Browser. For the record, The Reg is not advocating doing this nor for breaking any laws in China.
“We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser,” said Kaspersky. Onion routing earned its name because a message is wrapped in nested layers of encryption, one per relay on the path; each relay strips only its own layer and learns only the next hop, so no single relay sees both the sender and the final destination, and the message sits at the centre like the core of an onion.
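To make the layering concrete, here is a toy onion-routing round trip added for this article (it is not Tor's protocol and not Kaspersky's code): a client wraps a message in one authenticated-encryption layer per relay, and each relay peels exactly one layer and sees only the next hop's name. The three relay names, the per-hop keys and the SHA-256/HMAC stream cipher are all stand-ins assumed for illustration; real Tor derives per-hop keys from a circuit handshake and uses AES-CTR inside TLS with fixed-size cells.

```python
"""Toy onion routing: the client wraps a message in one layer of authenticated
encryption per relay, and each relay strips exactly one layer, learning only
which relay comes next.  Added illustration, not Tor's protocol: Tor negotiates
per-hop keys with a Diffie-Hellman handshake and uses AES-CTR inside TLS and
fixed-size cells; the SHA-256/HMAC stream cipher here is a stand-in."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy; do not reuse in real systems)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || tag || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Verify the MAC and remove one layer; raises ValueError on tampering."""
    nonce = blob[:NONCE_LEN]
    tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    ct = blob[NONCE_LEN + TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(circuit, message: bytes) -> bytes:
    """circuit: [(relay_name, key_shared_with_that_relay), ...] from guard to exit.
    The exit's (innermost) layer carries the message; every outer layer names the next hop."""
    onion = seal(circuit[-1][1], b"DELIVER " + message)
    for i in range(len(circuit) - 2, -1, -1):
        _, key = circuit[i]
        next_hop = circuit[i + 1][0].encode()
        onion = seal(key, b"NEXT " + next_hop + b" " + onion)
    return onion


def relay_process(key: bytes, blob: bytes):
    """What one relay does: peel its own layer and act on the instruction inside."""
    inner = open_layer(key, blob)
    verb, rest = inner.split(b" ", 1)
    if verb == b"NEXT":
        next_hop, remainder = rest.split(b" ", 1)   # relay names contain no spaces
        return "forward", next_hop.decode(), remainder
    if verb == b"DELIVER":
        return "deliver", None, rest
    raise ValueError("unknown instruction")


def traverse(circuit, onion: bytes):
    """Push the onion through the circuit; return (delivered_message, hop_log)."""
    keys = dict(circuit)
    current, log = circuit[0][0], []
    while True:
        action, next_hop, payload = relay_process(keys[current], onion)
        log.append((current, action, next_hop))
        if action == "deliver":
            return payload, log
        current, onion = next_hop, payload


def tampering_rejected(key: bytes, blob: bytes) -> bool:
    """A relay must refuse a layer whose ciphertext was modified in transit."""
    flipped = bytearray(blob)
    flipped[-1] ^= 0x01
    try:
        open_layer(key, bytes(flipped))
    except ValueError:
        return True
    return False


# Constructed circuit with per-hop keys (in Tor these come from the circuit handshake).
CIRCUIT = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]

if __name__ == "__main__":
    onion = build_onion(CIRCUIT, b"hello from the centre of the onion")
    print("guard sees only:", open_layer(CIRCUIT[0][1], onion)[:12], "...")
    print(traverse(CIRCUIT, onion))
```

Running it shows the guard's view begins with `NEXT middle` followed by ciphertext it cannot read, and the message only appears once the exit peels the innermost layer. The MAC on every layer matters: without it, a relay could flip ciphertext bits and the error would surface only at a later hop.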
Kaspersky confirmed the threat actors were targeting victims in China: the C2 server would only answer, and hand over the second-stage DLL, to requests arriving from a Chinese IP address, so the researchers had to spoof one to retrieve it. The same geofencing makes the second stage difficult to obtain from automated malware analysis sandboxes.
“Curiously, unlike common stealers, OnionPoison implants do not automatically collect user passwords, cookies or wallets. Instead, they gather data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks,” said Kaspersky.
“The attackers can search the exfiltrated browser histories for traces of illegal activity, contact the victims via social networks and threaten to report them to the authorities,” added the cybersecurity company.
Modified Tor Browsers are not new: they have been used by attackers in the past, and law enforcement has been accused of deploying them as well.
“Regardless of the actor’s motives, the best way to avoid getting infected with OnionPoison implants is to always download software from official websites,” warned Kaspersky. “If that’s not an option, verify the authenticity of installers downloaded from third-party sources by examining their digital signatures.” ®
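Kaspersky's closing advice, and the observation above that the poisoned installer carried no digital signature, translate into two checks a practitioner can script before running a downloaded installer. The following is an added example, not Kaspersky's or the Tor Project's tooling: it parses the PE header to see whether an Authenticode certificate table is present at all, and compares the file's SHA-256 against a checksum manifest. The offsets follow the PE/COFF specification; the minimal PE image and the manifest entry are constructed fixtures, and the file name `tor-browser-example.exe` is made up.

```python
"""Two checks to run on a downloaded installer before trusting it: does the PE
carry an Authenticode certificate table at all, and does its SHA-256 match a
published checksum.  Added example, not Kaspersky's or the Tor Project's tooling.
Offsets follow the PE/COFF specification; the sample image and the manifest
below are constructed for illustration, not real Tor Browser files."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot holding the certificate table


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, (0, 0) if absent.
    Raises ValueError if the bytes are not a PE image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                   # PE32
        count_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:                 # PE32+
        count_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    number_of_rva = struct.unpack_from("<I", pe, count_off)[0]
    entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if number_of_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return (0, 0)
    return struct.unpack_from("<II", pe, entry)   # security entry holds a file offset, not an RVA


def has_authenticode_blob(pe: bytes) -> bool:
    """True if a certificate table is present and lies inside the file.
    Presence is necessary but not sufficient: validating the PKCS#7 chain needs
    signtool, Get-AuthenticodeSignature or osslsigncode."""
    offset, size = security_directory(pe)
    return offset != 0 and size >= 8 and offset + size <= len(pe)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess(filename: str, data: bytes, manifest: dict) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not has_authenticode_blob(data):
        findings.append("no Authenticode certificate table")
    expected = manifest.get(filename)
    if expected is None:
        findings.append("file not listed in checksum manifest")
    elif sha256_hex(data) != expected:
        findings.append("SHA-256 does not match manifest")
    return findings


def build_toy_pe(signed: bool) -> bytes:
    """Construct a minimal PE32 image (test fixture, not a real installer)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # i386, 1 section, 224-byte optional header, executable characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)       # NumberOfRvaAndSizes
    body = b"\0" * 64                         # stands in for section data
    cert = b""
    if signed:
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        cert = struct.pack("<IHH", 32, 0x0200, 0x0002) + b"\0" * 24
        cert_off = len(dos) + 4 + len(coff) + len(opt) + len(body)
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + body + cert


# Constructed manifest: in practice the expected hashes come from the vendor's
# signed checksum file (the Tor Project publishes sha256sums with each release).
CONSTRUCTED_MANIFEST = {"tor-browser-example.exe": sha256_hex(build_toy_pe(True))}

if __name__ == "__main__":
    for label, image in (("signed", build_toy_pe(True)), ("unsigned", build_toy_pe(False))):
        print(label, assess("tor-browser-example.exe", image, CONSTRUCTED_MANIFEST) or ["ok"])
```

The header check catches exactly the case described in this story, an installer with no signature at all, but an attacker can also attach a certificate in their own name, so the hash comparison against a checksum file obtained from the vendor's own site (or signed with the vendor's key) is the check that actually proves the download is the real one.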