A trojanized Windows installer for the Tor Browser is being distributed through a well-known Chinese-language YouTube channel. The campaign, named OnionPoison by Kaspersky, has so far hit only victims in China. The full scope of the attack is not yet known, but the Russian cybersecurity firm reports that victims began appearing in its telemetry in March 2022.
The malicious Tor Browser installer is spread through a link in the description of a video posted to YouTube on January 9, 2022. So far, more than 64,500 people have watched it. The channel hosting the video claims to be based in Hong Kong and has 181,000 subscribers. As of this writing, the video is still available on the platform.
The attack exploits the fact that the legitimate Tor Browser website is blocked in China: users who search YouTube for "Tor浏览器" (Chinese for Tor Browser) are tricked into downloading the malicious copy instead. Clicking the link delivers a 74 MB executable that records users' browsing history and the data they enter into website forms.
“More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command-and-control server,” said Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin.
The weaponized freebl3.dll library contacts a remote server, which replies with a second-stage payload containing the spyware, but only if the victim's IP address is in China. The spyware module can also execute arbitrary shell commands on the victim's computer and exfiltrate a list of installed programs and running processes, browsing histories, and WeChat and QQ account IDs.
The command-and-control server (torbrowser[.]io) is notable because it mimics the official Tor Browser website, down to download buttons that lead to the genuine Tor Browser portal. The campaign resembles another operation in which YouTube videos aimed at gamers searching for cheats and cracks carried links to malicious archive files delivering information stealers and cryptocurrency miners. Google has since deleted the compromised channels.
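As an added illustration of how a defender could hunt for the pattern described above (example code, not from Kaspersky's report), the following Python scans constructed, Sysmon-style network-connection records for the torbrowser[.]io C2 domain and for a Tor Browser firefox.exe reaching a non-loopback address directly. The "Tor Browser" path check and the loopback heuristic are assumptions: a genuine Tor Browser hands its traffic to the local tor process over a loopback SOCKS port rather than connecting out itself.

```python
import ipaddress
import json

# IoC from the report, stored defanged and refanged here for matching.
C2_DOMAIN = "torbrowser[.]io".replace("[.]", ".")

# Constructed sample telemetry, loosely shaped like Sysmon Event ID 3 records.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Tor Browser\\Browser\\firefox.exe", "DestinationIp": "127.0.0.1", "DestinationHostname": ""}
{"Image": "C:\\Tor Browser\\Browser\\firefox.exe", "DestinationIp": "203.0.113.10", "DestinationHostname": "update.torbrowser.io"}
{"Image": "C:\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe", "DestinationIp": "198.51.100.7", "DestinationHostname": ""}
{"Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "203.0.113.10", "DestinationHostname": "TORBROWSER.IO."}
{"Image": "C:\\Tor Browser\\Browser\\firefox.exe", "DestinationIp": "192.0.2.5", "DestinationHostname": "example.net"}
"""

def matches_c2(hostname):
    """True for the C2 domain itself or any subdomain, case-insensitive."""
    h = hostname.lower().rstrip(".")
    return h == C2_DOMAIN or h.endswith("." + C2_DOMAIN)

def is_tor_browser_firefox(image):
    """Heuristic (assumption): Tor Browser's bundled firefox.exe lives under a 'Tor Browser' folder."""
    p = image.lower().replace("\\", "/")
    return p.endswith("/firefox.exe") and "tor browser" in p

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def scan(events_text):
    """Return (record_no, reason) for each suspicious record."""
    hits = []
    for n, line in enumerate(events_text.strip().splitlines(), 1):
        ev = json.loads(line)
        host = ev.get("DestinationHostname", "")
        if matches_c2(host):
            hits.append((n, f"destination {host} matches the OnionPoison C2 domain"))
        # Assumption: a genuine Tor Browser hands traffic to the local tor process over a
        # loopback SOCKS port, so direct external egress from firefox.exe is anomalous.
        elif is_tor_browser_firefox(ev["Image"]) and not is_loopback(ev["DestinationIp"]):
            hits.append((n, f"Tor Browser firefox.exe connected directly to {ev['DestinationIp']}"))
    return hits

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_EVENTS):
        print(f"record {n}: {reason}")
```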