Kaspersky cybersecurity researchers have discovered multiple infections through a malicious TOR browser installer. The campaign is dubbed OnionPoison, and the installer is being distributed via a Chinese-language YouTube video about the dark web.
The channel boasts over 180,000 subscribers, and the video has been viewed more than 64,000 times. The discovery is especially damaging for Tor Browser users, since they rely on the browser specifically for anonymity and as a gateway to the dark web.
What Tor Browser Actually Is
The Tor Browser is a free and open-source web browser that is based on the Mozilla Firefox web browser. The Tor Browser is designed to protect your privacy and anonymity when using the internet.
The Tor Browser routes your internet traffic through a network of servers, making it difficult for anyone to track your online activity. The Tor Browser is available for Windows, macOS, and Linux.
Tor is short for “The Onion Router”. The Tor network was originally developed by the US Naval Research Laboratory as a way to securely communicate between government agencies.
The Tor network consists of a series of volunteer-run servers that route internet traffic through a series of encrypted tunnels. This makes it difficult for anyone to track your online activity or identify your location.
The TOR-China Connection.
It is worth noting that the Tor browser is banned in China, therefore Chinese residents often resort to innovative ways of downloading it. They mainly access third-party websites for this purpose. Hence, they are more likely to be tricked into downloading the malicious installer. What’s worse, most impacted users are also based in China.
Difference Between Original and Malicious TOR Installers.
This modified version’s link was posted in January 2022 on a channel that promotes internet anonymity. It is a Chinese-language channel, and the installer was hosted on a Chinese cloud-sharing service.
The modified version differed from the genuine one in that the digital signature was missing from the malicious file, and some of its bundled files also differed from the original. In addition, the version assessed by Kaspersky shipped with a less privacy-protective configuration than the official software.
Kaspersky Warns about Malicious YouTube Video.
As per Kaspersky’s advisory, the shady YouTube video is spreading a modified version of the TOR browser capable of collecting sensitive data from users in China. This includes internet history and data the user enters into website forms.
The modified browser collects this data and hides spyware in an accompanying library, which further gathers details such as the computer name, the user’s name, the location, and the MAC addresses of network adapters. It later transmits this information to a C2 server.
Furthermore, it includes embedded functionality for executing shell commands, giving the attacker complete control over the device. The link to the infected TOR browser version is posted in the video’s description.
The scammers seem interested in collecting victims’ personal details like social network IDs, Wi-Fi networks, and browsing histories to track them down and discover their identities.
Researchers are warning individuals and companies against using third-party websites to download software, to avoid becoming targets of scammers. It is essential to verify an installer’s authenticity before installing software that cannot be obtained from the official website. Most importantly, always check the digital signature before installing any app or software.
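One way to automate the signature check the researchers recommend, as an added example that is not part of Kaspersky’s report or the Tor Project’s own tooling: a PowerShell function that inspects a downloaded Windows installer’s Authenticode signature and refuses an unsigned or tampered file, which is exactly how the OnionPoison build differed from the official one. The expected publisher name is an assumption; confirm it against a known-good download from torproject.org before relying on it.

```powershell
# Added example (not from the article): reject a Tor Browser installer
# whose Authenticode signature is missing or invalid, as OnionPoison's was.
function Test-TorInstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed publisher common name; verify it against a known-good
        # installer downloaded from torproject.org before trusting it.
        [string]$ExpectedSignerCN = 'The Tor Project, Inc.'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'NotSigned' is the OnionPoison case: the official file is signed,
    # the repackaged one carried no signature at all. Any status other
    # than 'Valid' (e.g. HashMismatch after tampering) is also rejected.
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("{0}: signature status is '{1}' ({2}). Do not run it." -f
            $Path, $sig.Status, $sig.StatusMessage)
        return $false
    }

    # A valid signature from the wrong signer is still an impostor build,
    # so compare the certificate's common name with the expected publisher.
    $cn = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedSignerCN) {
        Write-Warning ("{0}: signed by '{1}', expected '{2}'. Do not run it." -f
            $Path, $cn, $ExpectedSignerCN)
        return $false
    }

    Write-Host ("{0}: valid signature from '{1}' (thumbprint {2})" -f
        $Path, $cn, $sig.SignerCertificate.Thumbprint)
    return $true
}

# Usage (file name is a placeholder for whatever you downloaded):
# Test-TorInstallerSignature -Path "$env:USERPROFILE\Downloads\torbrowser-install-win64.exe"
```

Run it on the downloaded installer before launching it; a `$false` result means the file should be deleted and re-downloaded from the official site.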
How to Download Tor Browser?
The Tor Browser, as we know it, is available for Windows, macOS, Linux, and Android. To download the Tor Browser, visit the official website at Torproject.org. Once you’re on the website, click “Download Tor Browser.” Then, select the appropriate version for your operating system and follow the prompts to complete the installation.
Once you have the Tor Browser installed, launch it and click “Connect.” That’s it! You’re now browsing anonymously. Keep in mind that because Tor encrypts your traffic, your internet speeds may be slower than usual. But rest assured that your privacy and security are well worth the trade-off.