September 30, 2023

Researchers have discovered multiple infections through a malicious TOR browser installer. The campaign is dubbed OnionPoison, and the installer is being distributed via a Chinese-language YouTube video about the dark web.

The channel has over 180,000 subscribers, and the video's view count has exceeded 64,000. The discovery is especially damaging because the TOR browser is chosen precisely for its anonymity and serves as a gateway to the dark web, so its users are exactly the people with the most to lose from a trojanized build.

The TOR browser is blocked in China, so Chinese residents look for other ways to download it, mainly from third-party websites. That makes them more likely to be tricked into downloading the malicious installer, which was first posted at the beginning of 2022. Unsurprisingly, most of the impacted users are also based in China.

The YouTube video spreads a modified version of the TOR browser that collects sensitive data from users in China, including browsing history and the data users enter into website forms.

The modified browser collects that data itself and also ships a spyware component hidden in an accompanying library, which further harvests the computer name, the user's name, the location, and the MAC addresses of the network adapters. All of this is then transmitted to a command-and-control (C2) server.

The spyware also includes functionality for executing shell commands, which gives the attacker full control over the device. The link to the infected TOR browser build is placed in the video's description.

The attackers appear to be collecting personal details such as social network IDs, Wi-Fi networks, and browsing histories in order to track victims down and unmask their real identities.

Caution is required when installing open-source software, and especially privacy tools: download the installer only from the official provider, and verify that what you downloaded is the authentic build (by checking the published signature or checksum) before running it.
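The verification step above is what separates a genuine download from a trojanized one like the OnionPoison installer: a file fetched from a third-party mirror or a link in a video description should never be run until its hash matches the value the vendor publishes. The script below is an added example, not code from the original article or from the Tor Project; it compares a downloaded file's SHA-256 against an expected hash, and demonstrates the check on two constructed sample files (a "genuine" installer and a copy with extra bytes appended, standing in for an injected spyware library). The file names and the sample contents are assumptions for the demo; in real use the expected hash comes from the vendor's download page or signature file, obtained over a separate trusted channel.

```bash
#!/usr/bin/env bash
# Added example (not from the article or the Tor Project): verify a downloaded
# installer against a vendor-published SHA-256 before running it.
set -eu

# sha256_of <path>: print the SHA-256 of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer <path> <expected_sha256>
# Returns 0 when the file's SHA-256 equals the expected value, 1 otherwise.
# The comparison is case-insensitive because vendors publish hashes in both cases.
verify_installer() {
    local path="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$path")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $path matches the published hash"
        return 0
    fi
    echo "MISMATCH: $path"
    echo "  expected $expected"
    echo "  actual   $actual"
    echo "  Do not run this file."
    return 1
}

# --- Constructed demo data (assumption: file names and contents are made up) ---
WORK=$(mktemp -d)
printf 'genuine installer bytes v1\n' > "$WORK/torbrowser-install.exe"

# In practice EXPECTED is copied from the vendor's checksum/signature file.
# Here it is derived from the sample so the demo runs offline.
EXPECTED=$(sha256_of "$WORK/torbrowser-install.exe")

# A tampered copy: same file with extra bytes appended, like a bundled spyware loader.
cp "$WORK/torbrowser-install.exe" "$WORK/torbrowser-install-tampered.exe"
printf 'injected spyware loader\n' >> "$WORK/torbrowser-install-tampered.exe"

# Run both checks; "|| true" keeps the demo going under set -e after the failure.
verify_installer "$WORK/torbrowser-install.exe" "$EXPECTED" || true
verify_installer "$WORK/torbrowser-install-tampered.exe" "$EXPECTED" || true
```

A hash only proves the file is the one the vendor described, so the hash itself must come from somewhere the attacker does not control; a checksum posted next to the download link on the same untrusted mirror proves nothing. The stronger check is the vendor's detached signature (for example `gpg --verify installer.exe.asc installer.exe` against the vendor's published signing key), which binds the file to a key rather than to whatever page served it.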

