Cybersecurity company Kaspersky has discovered a modified version of the Tor browser that is said to be collecting sensitive data of Chinese users.
The modified browser itself collects browsing history and data entered into website forms, the threat hunter said. Further spyware was hidden in a library bundled with the installer; it gathered additional data, including the computer name and location, the username and the MAC addresses of the network adapters, and sent it to a command-and-control server.
The icing on the cake is embedded functionality to execute shell commands, giving the attacker full control over the machine. The Tor browser is designed for anonymity and gives access to the dark web. While some of the activity it enables is illegal, it is widely used for legitimate purposes as well. However, it is blocked in China.
Because of this, Chinese residents sometimes resort to creative ways to download it, usually from third-party websites. In the case of the malicious version found by Kaspersky, a link was posted in January 2022 on a Chinese-language YouTube channel that advocates internet anonymity.
YouTube is also banned in China, although people can access the site using a VPN.
The Tor Project offers some tips on using the browser in China, and they begin with emailing the project to request a current copy of the Tor Browser. For the record, The Register does not endorse this or breaking any laws in China.
“We decided to christen this campaign ‘OnionPoison’ and name it after the onion routing technique used in the Tor browser,” Kaspersky said. Onion routing earns its name as it is a method of encapsulating messages in layers of encryption, as if the messages were the center of an onion.
Kaspersky confirmed that the threat actors were targeting victims in China: attempts to contact the C2 server and fetch a second-stage DLL only succeeded when the request appeared to come from a Chinese IP address, which the researchers had to spoof. The same geofencing makes the implant hard to study in automated malware analysis sandboxes, which typically run outside China.
“Oddly, unlike common thieves, OnionPoison implants do not automatically collect user passwords, cookies or wallets. Instead, they collect data that can be used to identify victims, such as browsing histories, social network account IDs, and Wi-Fi networks,” said Kaspersky.
“The attackers can scan the exfiltrated browser histories for traces of illegal activity, contact victims via social networks and threaten to report them to the authorities,” the cybersecurity firm added.
Modified Tor browsers are not new: attackers have used them in the past, and law enforcement agencies have been accused of using them as well.
“Regardless of the actor’s motives, the best way to avoid infection with OnionPoison implants is always to download software from official websites,” Kaspersky warned. “If that’s not an option, verify the authenticity of installers downloaded from third-party sources by examining their digital signatures.” ®
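The check Kaspersky recommends, as an added example that is not part of the article or of Kaspersky's research: the Tor Project publishes a detached OpenPGP signature (`.asc`) next to every Tor Browser download, and the installer should be rejected if that signature does not verify, or verifies but was made by a key other than the one whose fingerprint you have pinned. The script below demonstrates exactly that logic with gpg. To run offline it generates a throwaway signing key and a fake "installer" (both constructed here, neither is Tor's); the only real-world value is the Tor Browser Developers signing-key fingerprint in `TOR_BROWSER_FPR`, which is what you would pin in practice after importing that key from the Tor Project.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature over an installer
# before running it, pinning the expected signing-key fingerprint.
set -u

# Fingerprint of the Tor Browser Developers signing key, as published by
# the Tor Project. Used here only to show that a good signature from a
# different key is still rejected.
TOR_BROWSER_FPR=EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

# verify_installer FILE SIGNATURE EXPECTED_FPR
# Returns 0 only when SIGNATURE is a valid detached signature over FILE
# made by the key with fingerprint EXPECTED_FPR (already in GNUPGHOME).
# We check the VALIDSIG status line rather than gpg's exit code alone so
# that a valid signature from the wrong key does not pass.
verify_installer() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# setup_demo: build an isolated keyring, a throwaway signing key, a fake
# installer, its signature, and a tampered copy. Sets WORK and DEMO_FPR.
# Everything created here is constructed for the demo; it is not Tor's.
setup_demo() {
    WORK=$(mktemp -d)
    GNUPGHOME="$WORK/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Demo Signer
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
    DEMO_FPR=$(gpg --batch --with-colons --fingerprint demo@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    # The "installer" is just a marker file standing in for the real .exe.
    printf 'pretend this is torbrowser-install.exe\n' > "$WORK/installer.exe"
    gpg --batch --quiet --yes --detach-sign --armor \
        --output "$WORK/installer.exe.asc" "$WORK/installer.exe" 2>/dev/null
    # A copy with one extra byte: what a trojanised redistribution looks
    # like to the signature check.
    cp "$WORK/installer.exe" "$WORK/tampered.exe"
    printf 'x' >> "$WORK/tampered.exe"
}

# report LABEL FILE SIG FPR: print the verdict for one check.
report() {
    if verify_installer "$2" "$3" "$4"; then
        printf '%-32s accepted\n' "$1"
    else
        printf '%-32s REJECTED\n' "$1"
    fi
}

setup_demo
report "genuine file, pinned key"  "$WORK/installer.exe" "$WORK/installer.exe.asc" "$DEMO_FPR"
report "genuine file, wrong key"   "$WORK/installer.exe" "$WORK/installer.exe.asc" "$TOR_BROWSER_FPR"
report "tampered file, pinned key" "$WORK/tampered.exe"  "$WORK/installer.exe.asc" "$DEMO_FPR"
```

Only the first check is accepted; the second fails because the signature was not made by the pinned key, and the third because the file no longer matches the signature. For a real download, import the Tor Browser Developers key into your keyring, confirm its fingerprint against the one the Tor Project publishes, and pass that fingerprint as the third argument together with the downloaded installer and its `.asc` file.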
https://www.theregister.com/2022/10/05/tor_browser_china_spy_kasperksy_research/ Modified version of Tor browser “spies on Chinese users” • The Register