Russians and people in Eastern Europe are the targets of an increase in trojanized Tor Browser installations that hijack clipboards to capture cryptocurrency transactions. Although this attack is not especially innovative or novel, Kaspersky scientists caution that it is nevertheless widespread and successful, infecting numerous people throughout the globe. Even while these malicious Tor installers target various nations, Kaspersky claims that the majority mostly target Russia and Eastern Europe.
“We relate this to the ban of Tor Project’s website in Russia at the end of 2021, which was reported by the Tor Project itself,” clarifies Kaspersky. “According to the latter, Russia was the second largest country by number of Tor users in 2021 (with over 300,000 daily users, or 15% of all Tor users).”
The Tor Browser is a customized web browser that enables anonymous online browsing by obscuring users’ IP addresses and encrypting their communications. Tor may also be used to access unique onion domains, commonly referred to as the “dark web,” which are inaccessible via conventional browsers or ordinary search engines and are only accessible through Tor. Owners of cryptocurrencies may employ the Tor browser to increase their privacy and anonymity while transacting with cryptocurrencies or to access illicit dark web market services that accept cryptocurrency payments.
Trojanized to prevent users from downloading the official version, Tor installations are frequently marketed as “security-strengthened” variations of the official vendor, Tor Project. According to Kaspersky, these installers include a regular, albeit frequently out-of-date, Tor browser in addition to an additional application that is concealed within a password-protected RAR package that is configured to self-extract on the user’s device. The installers feature language packs that let users choose their chosen language, and they are also localized with names like “torbrowser_ru.exe.”
The package extracts the malware in the background, executes it as a new process, and registers it for system autostart while the default Tor browser is started in the front. Additionally, the virus conceals itself on the compromised PC by using an uTorrent icon. Based on information from users of its security products, Kaspersky has discovered 16,000 variations of these Tor installers between August 2022 and February 2023 in 52 countries. The United States, Germany, France, China, the Netherlands, and the UK have also been considered as targets, albeit the majority are Russia and Eastern Europe.
It is typical to copy bitcoin addresses to the clipboard before pasting them into another software or webpage since they are lengthy and difficult to enter. Using regular expressions, the malware scans the clipboard for identifiable crypto wallet addresses, and when one is found, it replaces it with a related cryptocurrency address controlled by the threat actors. The threat actor’s address will be pasted instead of the user’s cryptocurrency address when the user copies and pastes, giving the attacker access to the transmitted transaction.
According to Kaspersky, the threat actor chooses thousands of addresses at random from a hardcoded list for each malware copy. Tracking, reporting, and banning wallets are difficult as a result. The cybersecurity firm discovered that they had stolen about $400,000, excluding Monero, which cannot be tracked, after unpacking hundreds of malware copies, they had amassed to extract the replacement addresses. There are very definitely more campaigns employing trojanized installers for various applications, however, this money was only taken from one campaign run by a particular malware producer.
To protect yourself against clipboard hijackers, install software exclusively from reliable/official sources, in this example, the Tor Project website. Copy and paste the following address into Notepad to see whether you have been infected by a clipper: bc1heymalwarehowaboutyoureplacethisaddress. If it is altered, your system is vulnerable.
