Cybercrime researchers discovered a so-called “trojanized version” of the Tor Browser responsible for stealing $40,000 from users of Russian darknet markets. The infected version of the browser is being distributed through darkweb forums via posts about darknet markets, cryptocurrency, and bypassing censorship.
According to researchers at ESET, the actors behind the campaign have been directing users to one of three domains that mimic the Tor Project's official website, torproject.org. One example looks very similar to the official domain: torproect.org (note the missing “j”). The fake Tor Project website contains descriptions of the Tor Browser as well as a link to download the modified version of the browser. The link is distributed from tor-browser.org.
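A defender-side check for the lookalike hosts described above, written here as an added example (not code from this article or from ESET). It flags any host whose registrable domain is within two edits of the trusted one, which generalizes beyond the single missing-letter case, and separately flags hosts that merely reuse the brand name; the trusted-domain set and the brand tokens are assumptions.

```python
from typing import Iterable

# Assumption: the only domain the defender treats as official (the page
# names torproject.org; the lookalikes are compared against it).
TRUSTED_DOMAINS = {"torproject.org"}
# Assumption: brand strings whose presence in an untrusted domain is suspicious.
BRAND_TOKENS = ("torproject", "tor-browser", "torbrowser")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (adequate for .org-style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'brand-abuse' or 'unrelated' for a host."""
    dom = registrable(host)
    trusted_regs = {registrable(t) for t in trusted}
    if dom in trusted_regs:
        return "trusted"
    for tdom in trusted_regs:
        same_tld = dom.split(".")[-1] == tdom.split(".")[-1]
        # torproect.org is one deletion away from torproject.org.
        if same_tld and edit_distance(dom, tdom) <= 2:
            return "lookalike"
    if any(tok in dom for tok in BRAND_TOKENS):
        return "brand-abuse"
    return "unrelated"


if __name__ == "__main__":
    # Two hosts from the article plus two constructed controls.
    for h in ("torproect.org", "tor-browser.org", "www.torproject.org", "example.org"):
        print(f"{h:22} -> {classify(h)}")
```

Run it over proxy or DNS logs to surface downloads that came from a host the classifier does not label trusted.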
The browser is responsible for the theft of roughly $40,000 at the time of writing.
Here are three claims made about the fake browser, translated from Russian automatically:
- If you want to surf the darknet and not fear for your safety, then this most protected Tor browser is for you!
- If you are tired of unsolvable captchas and the constant lags of the ordinary Tor browser, it's time to upgrade to our upgraded browser.
- You cannot doubt the security of this browser; all traffic is wrapped in a torus, including the recaptcha solver.
All of the pastes from the four different accounts were viewed more than 500,000 times. However, it’s not possible for us to say how many viewers actually visited the websites and downloaded the trojanized version of the Tor Browser.
The fake version of the browser is based on Tor Browser 7.5 and is a fully functioning browser. The ESET researchers wrote that the binary is exactly the same as the official browser. The most significant change is to the Firefox
Like the phishing proxies currently stealing funds from users of Empire Market, the fake Tor Browser swaps the deposit addresses on three Russian darkweb markets. Instead of seeing the Bitcoin address of their marketplace wallet, users see one of three Bitcoin addresses controlled by the actors responsible for this campaign.
“As of this writing, the total amount of received funds for all three wallets is 4.8 bitcoin, which corresponds to over US$40,000. It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets,” ESET researchers explained.
For more details, visit the report by ESET researchers on the welivesecurity website.