Figure: The modified settings of the trojanized Tor Browser in extension-overrides.js

The criminals want to prevent victims from updating the trojanized Tor version to a newer version, because in that case it would be replaced by a non-trojanized, legitimate version. That's why they disabled all kinds of updates in the settings, and even renamed the updater tool from updater.exe to updater.exe0.

In addition to the changed update settings, the criminals changed the default User-Agent to the unique hardcoded value:

Mozilla/5.0 (Windows NT 6.1; rv:77777.0) Gecko/20100101 Firefox/52.0

All trojanized Tor Browser victims will use the same User-Agent; thus it can be used as a fingerprint by the criminals to detect, on the server side, whether the victim is using this trojanized version.

The most important change is to the settings, which disable the digital signature check for installed Tor Browser add-ons. Therefore, the attackers can modify any add-on and it will be loaded by the browser without any complaint about it failing its digital signature check.

Furthermore, the criminals modified the HTTPS Everywhere add-on included with the browser, specifically its manifest.json file. The modification adds a content script (script.js) that will be executed on load in the context of every webpage.

Figure 9. The injected script executed in the context of every webpage

As the criminals behind this campaign know what website the victim is currently visiting, they could serve different JavaScript payloads for different websites. However, that is not the case here: during our research, the JavaScript payload was always the same for all pages we visited.

The JavaScript payload works as a standard webinject, which means that it can interact with the website content and perform specific actions. For example, it can do form grabbing; scrape, hide or inject content of a visited page; display fake messages; etc. However, it should be noted that de-anonymization of a victim is a hard task, because the JavaScript payload is running in the context of the Tor Browser and does not have access to the real IP address or other physical characteristics of the victim machine.

The only JavaScript payload we have seen targets three of the largest Russian-speaking darknet markets. This payload attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets.

Figure 12. Number of transactions and received bitcoin for one of the criminals' wallets

As of this writing, the total amount of received funds for all three wallets is 4.8 bitcoin, which corresponds to over US$40,000. It should be noted that the real amount of stolen money is higher, because the trojanized Tor Browser also alters QIWI wallets.

This trojanized Tor Browser is a non-typical form of malware, designed to steal digital currency from visitors to darknet markets. Criminals didn't modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years.

Indicators of Compromise (IoCs)

ESET detection names
3E50586481D2CC9A5C7FB1AC6842E3282A99E08

Domains

- The trojanized Tor Browser relies on the victim to execute the initial infiltration.
- The trojanized Tor Browser contains a modified HTTPS Everywhere extension.
- The trojanized Tor Browser is able to change content, modify behavior, and intercept information using man-in-the-browser techniques.
- The trojanized Tor Browser uses a Tor onion service in order to download its JavaScript payload.
- The trojanized Tor Browser alters bitcoin and QIWI wallets on darknet market webpages.

You probably know about the digital anonymity service Tor, but for whatever reason you may not actually use it. Maybe between the nodes, traffic rerouting, and special onion URLs it seems too confusing to be worth the effort. In truth, Tor has been relatively accessible for years now, largely because of the Tor Browser, which works almost exactly like a regular browser and does all the complicated stuff for you in the background. But in 2018 a slew of new offerings and integrations vastly expanded the available tools, making 2019 the year to finally try Tor.
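The settings changes, the hardcoded User-Agent and the content script added to the HTTPS Everywhere manifest are all things a responder can check for on disk. The following is an added example, not ESET's code and not part of the original article: a Python script that scans a Tor Browser installation for those indicators. It assumes the Windows bundle layout (profile under Browser/TorBrowser/Data/Browser/profile.default, updater.exe next to it under Browser/), the standard Firefox preference names that implement the described changes (the exact prefs the criminals wrote are not listed on the page), and an assumed add-on ID for HTTPS Everywhere; the sample install it builds is constructed for an offline run, not captured from an infection.

```python
import json
import re
import tempfile
import zipfile
from pathlib import Path

# Standard Firefox preference names that implement the changes described above;
# which exact prefs the criminals set in extension-overrides.js is an assumption.
SUSPICIOUS_PREFS = {
    "xpinstall.signatures.required": False,  # add-on signature check disabled
    "app.update.enabled": False,             # browser self-update disabled
    "app.update.auto": False,
    "extensions.update.enabled": False,      # add-on updates disabled
}
UA_PREF = "general.useragent.override"
TROJAN_UA = re.compile(r"rv:77777\.0\b")     # hardcoded marker from the article
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')
ALL_PAGES = {"<all_urls>", "*://*/*"}
PROFILE_REL = Path("Browser/TorBrowser/Data/Browser/profile.default")  # Windows bundle layout

def parse_prefs(text):
    """Parse pref("name", value); and user_pref(...) lines into a dict."""
    prefs = {}
    for m in filter(None, map(PREF_LINE.match, text.splitlines())):
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def check_prefs(prefs):
    found = [f"{n} = {v!r}" for n, v in SUSPICIOUS_PREFS.items() if prefs.get(n) is v]
    ua = prefs.get(UA_PREF)
    # Tor Browser legitimately overrides the UA to a uniform value, so only the
    # impossible rv:77777.0 token counts as an indicator, not the pref itself.
    if isinstance(ua, str) and TROJAN_UA.search(ua):
        found.append(f"{UA_PREF} carries the trojanized marker: {ua}")
    return found

def check_manifest(manifest):
    """Flag content scripts injected into every page (the article's script.js)."""
    return [f"content script {cs.get('js')} runs on {cs.get('matches')}"
            for cs in manifest.get("content_scripts", [])
            if ALL_PAGES & set(cs.get("matches", []))]

def load_manifest(path):
    """Add-ons ship as .xpi archives (zip files) but may also be unpacked directories."""
    if path.suffix == ".xpi":
        with zipfile.ZipFile(path) as z:
            return json.loads(z.read("manifest.json"))
    mf = path / "manifest.json"
    return json.loads(mf.read_text()) if mf.is_file() else {}

def scan_install(root):
    """Run every check against a Tor Browser install directory; return findings."""
    root, profile = Path(root), Path(root) / PROFILE_REL
    found = []
    for name in ("extension-overrides.js", "user.js", "prefs.js"):
        if (profile / name).is_file():
            found += [f"{name}: {f}" for f in check_prefs(parse_prefs((profile / name).read_text()))]
    ext_dir = profile / "extensions"
    for ext in (sorted(ext_dir.iterdir()) if ext_dir.is_dir() else []):
        found += [f"{ext.name}: {f}" for f in check_manifest(load_manifest(ext))]
    # updater.exe renamed to updater.exe0 breaks self-update, as the article reports.
    if (root / "Browser/updater.exe0").is_file() and not (root / "Browser/updater.exe").is_file():
        found.append("updater.exe renamed to updater.exe0")
    return found

# Constructed sample data (not captured from a real infection) so the scan runs offline.
TAMPERED_PREFS = """\
pref("app.update.enabled", false);
pref("app.update.auto", false);
pref("extensions.update.enabled", false);
pref("xpinstall.signatures.required", false);
pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:77777.0) Gecko/20100101 Firefox/52.0");
"""
CLEAN_PREFS = """\
pref("app.update.enabled", true);
pref("xpinstall.signatures.required", true);
pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0");
"""
BASE_MANIFEST = {"name": "HTTPS Everywhere", "manifest_version": 2,
                 "background": {"scripts": ["background.js"]}}

def build_sample_install(tampered):
    """Write a throwaway install tree in the clean or trojanized configuration."""
    root = Path(tempfile.mkdtemp())
    profile = root / PROFILE_REL
    (profile / "extensions").mkdir(parents=True)
    (profile / "extension-overrides.js").write_text(TAMPERED_PREFS if tampered else CLEAN_PREFS)
    manifest = dict(BASE_MANIFEST)
    if tampered:  # the content-script entry the article describes in manifest.json
        manifest["content_scripts"] = [{"matches": ["<all_urls>"], "js": ["script.js"]}]
    # Add-on ID is assumed; stored as an .xpi archive the way the bundle ships it.
    with zipfile.ZipFile(profile / "extensions/https-everywhere-eff@eff.org.xpi", "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
    (root / "Browser" / ("updater.exe0" if tampered else "updater.exe")).write_bytes(b"MZ")
    return root
```

Against a real install, call scan_install() with the bundle's top-level directory; scan_install(build_sample_install(True)) reproduces the seven findings for the constructed trojanized tree and the clean tree returns none. Two caveats apply to the checks: a stock Tor Browser also sets general.useragent.override to a uniform value, so only the rv:77777.0 token is treated as evidence, and the manifest check assumes the bundled HTTPS Everywhere declares no all-URL content script; if the version you are examining does, diff its manifest against a known-good copy of the same add-on version instead.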