Researchers at the cyber-security firm ESET have discovered what they call a ‘trojanised’ version of the open-source Tor Browser, which they say has been infused with malware to steal bitcoin from users. According to the report, the campaign ran unnoticed for ‘many years’ and stole up to $40,000 worth of Bitcoin, largely from Russian-speaking users browsing the deep web.
According to ESET senior malware researcher, Anton Cherepanov, “This malware lets the criminals behind this campaign see what website the victim is currently visiting. In theory, they can change the content of the visited page, grab the data the victim fills in to forms and display fake messages, among other activities. However, we have seen only one particular functionality – changing the cryptocurrency wallets”.
As per the report, the criminals promoted the malware-infused browser on various internet forums and on Pastebin as the official Russian-language version of the Tor Browser. It was distributed via two websites designed to mimic the official Tor website, but in reality neither the websites nor the software itself has any relation to the real Tor Project, a non-profit organization that continues to distribute the genuine Tor Browser to help protect privacy and anonymity online.
Meanwhile, the cyber-criminals' modus operandi typically involved showing unsuspecting users a warning saying their Tor Browser is out of date and needs an urgent update. As is often the case with malicious click-bait, the message was displayed even if the visitor had the most up-to-date version of the browser. “Those who took this bait were redirected to a second website with an installer”, said Cherepanov.
According to the report, the trojanized Tor Browser is a ‘non-typical form of malware’ specifically designed to steal digital currency from deep web visitors. According to Cherepanov, “(the) criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years”.
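The point that matters for defenders is that the browser binaries were untouched while settings and the bundled HTTPS Everywhere extension were altered; a file-integrity baseline of the profile directory catches exactly that class of change, which a signature check on the executable would miss. The following is an added example, not ESET's or the Tor Project's code: it assumes a clean reference copy of the profile directory is available and uses constructed sample files (with a made-up setting name) in place of a real profile.

```python
"""Baseline-and-diff integrity check for a browser profile directory.
Constructed sample files stand in for a real Tor Browser profile."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, suspect):
    """Return (modified, added, missing) paths between a clean and a suspect manifest."""
    modified = sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p])
    added = sorted(p for p in suspect if p not in baseline)
    missing = sorted(p for p in baseline if p not in suspect)
    return modified, added, missing


def _write(root, rel, data):
    """Helper: create a text file at rel under root, making parent dirs."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)


def demo():
    """Constructed sample: clean profile vs. one with a tampered extension and prefs."""
    clean, suspect = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, suspect):
        _write(root, "extensions/https-everywhere/manifest.json", '{"name": "HTTPS Everywhere"}')
        _write(root, "extensions/https-everywhere/rules.js", "var rules = [];\n")
        _write(root, "prefs.js", 'user_pref("example.setting", true);\n')  # made-up pref name
    # Tampering of the kind the report describes: extension script and settings
    # changed, an extra file dropped, no browser binary touched.
    _write(suspect, "extensions/https-everywhere/rules.js", "var rules = []; /* altered */\n")
    _write(suspect, "prefs.js", 'user_pref("example.setting", false);\n')
    _write(suspect, "extensions/https-everywhere/extra.js", "// unexpected file\n")
    return diff_manifests(build_manifest(clean), build_manifest(suspect))
```

In practice the baseline manifest would be built once from a freshly downloaded, signature-verified Tor Browser bundle and stored outside the profile, so that a later diff flags any altered or added extension or settings file.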