Kaspersky threat analysts have uncovered multiple infections by malicious Tor Browser installers that were distributed through a Chinese-language YouTube video about the dark web.
Dubbed OnionPoison, the campaign targeted users located in China, where access to the Tor Browser's official download site is blocked. As a result, internet users in China often try to obtain the Tor Browser from third-party websites, which is exactly where the attackers placed their trojanized copy.
“Most of the affected users were from China,” Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin said in findings published this week. “As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites. And cybercriminals are keen on spreading their malicious activity via such resources.”
The Chinese-language YouTube channel has more than 180,000 subscribers, and the video has been viewed more than 64,000 times. The discovery is a serious concern for Tor Browser users, since the browser is relied on precisely for its anonymity and is commonly used as a gateway to the dark web.
Chinese residents use the browser to bypass Beijing's extensive surveillance and censorship technologies, which are tied to the state's strict intolerance of political dissent.
Tor, short for The Onion Router, was originally developed by the US Naval Research Laboratory as a way for government agencies to communicate securely. It consists of a network of volunteer-run relays that route internet traffic through a series of encrypted hops, so that no single relay sees both the sender and the destination.
The researchers warn that the trojanized browser behaves differently from the genuine one: it stores browsing history and data entered into website forms, which the official Tor Browser does not retain by default. It also bundles a modified library that loads spyware, which lets the attackers scan “exfiltrated browser histories for traces of illegal activity, contact the victims via social networks and threaten to report them to the authorities.”
The best way to avoid OnionPoison is to download the Tor Browser from the official website or, if that is not viable, to verify the digital signature of any installer obtained from a third-party site before running it. The check is only meaningful if the signature is valid and was made by the Tor Project: an installer that is unsigned, fails verification, or is signed by some other publisher should not be trusted, no matter which site served it.
“Regardless of the actor’s motives, the best way to avoid getting infected with OnionPoison implants is to always download software from official websites. If that’s not an option, verify the authenticity of installers downloaded from third-party sources by examining their digital signatures,” the researchers added.
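One way to put that advice into practice for a Windows installer, as an added example that is not code from the article or from Kaspersky: the function below checks the file's Authenticode signature with the built-in `Get-AuthenticodeSignature` cmdlet, rejects anything that is unsigned or tampered, and then insists that the signer is the expected publisher rather than just any valid certificate. The expected signer subject, the optional thumbprint pin and the installer path are assumptions; confirm the real signer details against an installer downloaded directly from torproject.org before relying on them.

```powershell
# Added example (not from the article or Kaspersky): verify the Authenticode
# signature of a downloaded Windows installer before running it.
# ASSUMPTIONS: $ExpectedSubject is a placeholder publisher name; confirm the
# real signer (and optionally its thumbprint) against an installer obtained
# from https://www.torproject.org/. The path in the usage section is a placeholder.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed expected publisher; verify against an official download.
        [string] $ExpectedSubject = 'CN=The Tor Project, Inc.',
        # Optional pin: the certificate thumbprint recorded from an official copy.
        [string] $ExpectedThumbprint = ''
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'NotSigned' is what a repackaged installer typically reports;
    # 'HashMismatch' means the file was modified after it was signed.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false
            Reason = "Signature status is $($sig.Status), expected Valid"
        }
    }

    # A valid signature alone proves nothing about who signed the file: anyone
    # can sign a binary with their own code-signing certificate. The signer's
    # subject must match the publisher you expect.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSubject*") {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false
            Reason = "Unexpected signer: $subject"
        }
    }

    # Optional stronger check: pin the exact signing certificate.
    if ($ExpectedThumbprint -and $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false
            Reason = "Thumbprint mismatch: $($sig.SignerCertificate.Thumbprint)"
        }
    }

    return [pscustomobject]@{
        Path = $Path; Trusted = $true
        Reason = "Valid signature from $subject (thumbprint $($sig.SignerCertificate.Thumbprint))"
    }
}

# Usage (placeholder path): refuse to run the installer unless the check passes.
$result = Test-InstallerSignature -Path 'C:\Users\me\Downloads\torbrowser-install.exe'
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning "Do not run this installer: $($result.Reason)"
}
```

The Status check catches the unsigned or altered file; the subject and thumbprint checks catch the subtler case of a malicious installer that carries a perfectly valid signature from the wrong publisher. The Tor Project also publishes a detached OpenPGP signature (.asc file) for every download, which can be verified with GnuPG on any platform using the procedure documented on the Tor Project's support site; that check complements the Windows-specific one above rather than replacing it.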
Modified Tor Browser builds have been used by threat actors before. In 2019, researchers at the Slovakia-based cybersecurity firm ESET uncovered a trojanized version designed to siphon cryptocurrency from Russian-speaking users.