Researchers at Kaspersky have detected a trojanized version of the Window installer for the Tor Browser, that is being distributed through a popular Chinese YouTube channel.
The malware campaign, dubbed OnionPoison allegedly reaches internet users through the Chinese-language YouTube video. The video is providing users with information on ‘staying anonymous online.’
The threat actors attach a malicious URL link to the official Tor website, below the YouTube video. Additionally, adding another link to a cloud-sharing service hosting an installer for Tor was modified to include malicious code.
The YouTube Channel has more than 180,000 subscribers, with the video being on top result for the YouTube query ‘Tor浏览器’ translating to “Tor Browser.” The video, posted on January 2022 had more than 64,000 views at the time of discovery (March 2022), reported Kaspersky.
The malware installs a malicious Tor Browser that is structured to expose user data that involves a list of installed software, browsing history, and data the users may have entered in a website form. The researchers also found that the library bundled with Tor Browser is infected with spyware.
“More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it [...] We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser.” reads the analysis conducted by Kaspersky.
It is worth mentioning that the Tor browser is banned in China on account of China's extensive internet censorship. As a result, users often access the browser through third-party websites for downloading it. Hence, the users are most likely to be exposed to scams and be deceived into downloading the malicious installer.
It is believed that the intention of the OnionPoison campaign may not be financially motivated as the threat actors did not recover any credentials or wallets.
In regard to this, the researchers are warning China-based users and companies to avoid using third-party websites for downloading software to prevent becoming targets of threat actors.
