A popular Chinese-language YouTube channel has emerged as a means to distribute a trojanized version of a Windows installer for the Tor Browser.
Kaspersky dubbed the campaign OnionPoison, with all of the victims located in China. The scale of the attack remains unclear, but the Russian cybersecurity firm said it detected victims appearing in its telemetry in March 2022.
The malicious version of the Tor Browser installer is being distributed via a link present in the description of a video that was uploaded to YouTube on January 9, 2022. It has been viewed more than 64,500 times to date.
The channel hosting the video has 181,000 subscribers and claims to be based in Hong Kong. The video is still available to watch on the social media platform as of writing.
The attack banks on the fact that the real Tor Browser website is blocked in China, thereby tricking unsuspecting users searching for "Tor浏览器" (i.e., Tor Browser in Chinese) on YouTube into potentially downloading the rogue variant.
Clicking on the link redirects the user to a 74MB executable that, once installed, is designed to store users' browsing history and data entered into website forms.
"More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command-and-control server," Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin said.
The malicious freebl3.dll library achieves this by establishing contact with a remote server that responds with a second-stage payload containing the spyware, but only when the IP address of the victim originates from China. Because the second stage is geofenced, a sandbox or analyst outside China requesting the same URL sees nothing suspicious.
The spyware module further provides the functionality to exfiltrate a list of installed software and running processes, browser histories, and victims' WeChat and QQ account IDs, in addition to executing arbitrary shell commands on the victim machine.
What's notable about the command-and-control server (torbrowser[.]io) is that it's a visual copy of the legitimate Tor Browser website, and its download links lead to the genuine Tor Browser website.
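The practical check that follows from the above is an integrity comparison: hash every file in a suspect Tor Browser installation and diff it against a copy unpacked from an installer downloaded from the official Tor Project site and verified with the project's signature. The script below is an added example, not code from Kaspersky's report or The Hacker News; the directory layout, file contents and the extra "libextra.dll" are constructed sample data standing in for a real install, and the only thing it knows about the real case is that freebl3.dll is the library the trojanized build modifies.

```python
"""Diff a suspect Tor Browser install against a known-good baseline.

Added example (not from Kaspersky or THN). Both trees are hashed with
SHA-256 and classified as modified / added / missing. The sample trees
built by build_sample_trees() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, POSIX form) to its SHA-256 hex digest."""
    digests: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_trees(baseline: dict[str, str], suspect: dict[str, str]) -> dict[str, list[str]]:
    """Classify files as modified (hash differs), added (not in baseline) or missing."""
    return {
        "modified": sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p]),
        "added": sorted(p for p in suspect if p not in baseline),
        "missing": sorted(p for p in baseline if p not in suspect),
    }


def check_installation(baseline_dir: Path, suspect_dir: Path) -> dict[str, list[str]]:
    """Hash both installation directories and return the classified differences."""
    return diff_trees(hash_tree(baseline_dir), hash_tree(suspect_dir))


def build_sample_trees(base: Path) -> tuple[Path, Path]:
    """Constructed sample data: a clean 'Browser' directory and a tampered copy
    whose freebl3.dll carries extra bytes and which ships one unexpected DLL.
    The byte strings are placeholders, not real binaries."""
    clean = base / "clean" / "Browser"
    suspect = base / "suspect" / "Browser"
    for d in (clean, suspect):
        d.mkdir(parents=True, exist_ok=True)
    (clean / "firefox.exe").write_bytes(b"placeholder firefox.exe")
    (clean / "freebl3.dll").write_bytes(b"placeholder NSS freebl3 build")
    (suspect / "firefox.exe").write_bytes(b"placeholder firefox.exe")
    # Same base bytes plus an appended blob: a tampered library hashes differently.
    (suspect / "freebl3.dll").write_bytes(b"placeholder NSS freebl3 build" + b"\x90 injected loader")
    (suspect / "libextra.dll").write_bytes(b"placeholder unexpected library")
    return clean, suspect


def demo() -> dict[str, list[str]]:
    """Run the comparison on the constructed sample trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = build_sample_trees(Path(tmp))
        return check_installation(clean, suspect)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The comparison is only as good as the baseline: if both copies came from the same YouTube link, they will match and prove nothing, so the baseline must be obtained from the Tor Project directly and checked against its published signature first. Note also that the geofencing described above means the absence of second-stage network traffic in a non-Chinese sandbox is not evidence that freebl3.dll is clean; the on-disk hash comparison does not depend on the server's behaviour.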
The development echoes another campaign in which gamers looking for cheats and cracks on YouTube are being directed to videos containing links to a malicious archive file distributing information stealers and crypto miners. Google has since terminated the hacked channels.
The Hacker News has reached out to the internet giant for comment regarding the latest findings, and we will update the story if we hear back.