ESET discovers campaign stealing bitcoins from darknet users
ESET researchers have discovered a campaign that ran unnoticed for several years, distributing a trojanised version of the official Tor Browser package and using it to spy on its users and steal bitcoins from them.
"This malware lets the criminals behind this campaign see what website the victim is currently visiting. In theory, they can change the content of the visited page, grab the data the victim fills into forms and display fake messages, among other activities," says ESET senior malware researcher Anton Cherepanov, who conducted the research.
"However, we have seen only one particular functionality – changing the cryptocurrency wallets."
The campaign has been targeted at Russian-speaking users of the anonymous Tor network.
To distribute the malware-laden browser, the criminals promoted it – on various forums, and on pastebin.com – as the official Russian language version of the Tor Browser.
Their goal was to lure language-specific targets to a pair of malicious – yet legitimate-looking – websites.
"At the first website, the user received a warning that their Tor Browser was outdated – regardless of the reality. Those who took this bait were redirected to a second website with an installer," says Cherepanov.
Following installation, the trojanised Tor Browser is a fully functional application.
"The criminals didn't modify binary components of the Tor Browser; instead, they introduced changes to settings and extensions.
"As a result, non-technically savvy people probably won't notice any difference between the original version and the trojanised one," Cherepanov adds.
Among these changes, automatic updates are disabled in the browser settings and the updater tool is renamed, so the browser can no longer update itself; an update would remove the modifications and with them the capabilities the criminals depend on.
Digital signature checks for add-ons are also disabled, allowing the attackers to modify any add-on and have the browser load it without complaint.
The criminals also made changes that notify a C&C server – located on an onion domain and thus reachable only through Tor – of the webpage the victim is currently visiting, and that serve a JavaScript payload back to the browser.
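The settings changes described above are the kind a defender can check for on a suspect Tor Browser profile. The following is an added example, not ESET's code or anything shipped with Tor Browser: it parses a Firefox-style `prefs.js`/`user.js` file and flags preferences that have been flipped away from their safe value. The preference names (`app.update.enabled`, `app.update.auto`, `extensions.update.enabled`, `xpinstall.signatures.required`) and their expected values are assumptions based on standard Firefox preferences; the ESET write-up does not name the exact keys the attackers changed, and the sample file is constructed, not a capture from the campaign.

```python
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# Preferences a tampered profile would weaken, with the value a stock
# profile is assumed to carry. Assumption: these are the standard Firefox
# preference names; the ESET report does not list the exact keys changed.
EXPECTED_PREFS: Dict[str, PrefValue] = {
    "app.update.enabled": True,             # browser self-update
    "app.update.auto": True,                # apply updates automatically
    "extensions.update.enabled": True,      # add-on updates
    "xpinstall.signatures.required": True,  # refuse unsigned add-ons
}

# Matches both user_pref("name", value); and pref("name", value); lines.
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a prefs.js from a tampered profile (not a real capture).
SAMPLE_PREFS = """\
// Mozilla User Preferences (constructed sample)
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
user_pref("extensions.update.enabled", false);
user_pref("xpinstall.signatures.required", false);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("network.proxy.socks_port", 9150);
"""


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse a Firefox prefs file into a name -> value dictionary.

    Comment lines and anything that is not a pref() call are skipped.
    Values are converted to bool, int or str (quotes stripped).
    """
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            value: PrefValue = True
        elif raw == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def find_weakened(prefs: Dict[str, PrefValue]) -> List[Tuple[str, PrefValue, PrefValue]]:
    """Return (name, expected, actual) for every watched pref set to an unsafe value.

    A pref that is absent from the file keeps its built-in default, so only
    explicitly overridden values are reported.
    """
    findings = []
    for name, expected in EXPECTED_PREFS.items():
        if name in prefs and prefs[name] != expected:
            findings.append((name, expected, prefs[name]))
    return findings


if __name__ == "__main__":
    for name, expected, actual in find_weakened(parse_prefs(SAMPLE_PREFS)):
        print(f"WEAKENED {name}: expected {expected!r}, found {actual!r}")
```

Run it against the `prefs.js` and `user.js` of the profile under the Tor Browser installation directory; a clean profile produces no output. A renamed updater or a modified extension will not show up here, so this check is a first pass, not a full integrity verification.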
"In theory, the attackers can serve payloads that are tailor-made to particular websites. However, during our research, the JavaScript payload was always the same for all pages we visited," says Cherepanov.
The JavaScript payload ESET researchers have seen targets three of the largest Russian-speaking darknet markets.
This payload attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallet addresses displayed on pages from these markets.
When a victim opens their profile page to add funds to their account by paying directly in bitcoin, the trojanised Tor Browser silently replaces the market's bitcoin address with an address controlled by the criminals.
"During our investigation, we identified three bitcoin wallets that have been used in this campaign since 2017. Each such wallet contains relatively large numbers of small transactions; we consider this a confirmation that these wallets indeed were used by the trojanised Tor Browser," says Cherepanov.
At the time ESET researchers concluded their research, the total amount of received funds for all three wallets was 4.8 bitcoin, which corresponds to approximately 40,000 US dollars.
"It should be noted that the real amount of stolen money is higher because the trojanised Tor Browser also alters QIWI wallets," says ESET's Anton Cherepanov.