Trojan-Rigged Tor Browser Bundle Drops Malware

Attackers are targeting cryptocurrency accounts belonging to users in Russia and more than 50 other countries.


Threat actors are using Trojanized installers for The Onion Router (Tor) browser to distribute clipboard-injector malware that pilfers funds from cryptocurrency accounts and transfers them to the attackers' illicit wallets.

Researchers from Kaspersky who have been tracking the activity since at least January 2022 have determined the threat actors are mostly targeting users in Russia, a nation that blocked access to Tor's official site in December 2021. Of the 16,000 instances where Kaspersky has detected the malware so far, most were in Russia and Eastern Europe. However, the researchers also detected the threat in more than four dozen countries, including the US, Germany, the Netherlands, China, and the United Kingdom.

Quiet Theft

Kaspersky's analysis showed that the threat actors behind the campaign have, so far, siphoned out about $400,000 from crypto wallets belonging to users who downloaded the weaponized Tor installer. Almost all of the compromised accounts — more than 90% — were Bitcoin accounts, followed by LiteCoin.

"Given that we only see a fraction of the real picture, the global number of infections may well be several or even tens of times higher," Kaspersky warned in a report this week.

Clipboard injector malware, aka a clipboard hijacker, intercepts and replaces the contents of a user's clipboard with malicious code or content. This type of malware is not new; it has been around for at least a decade. Over the past few years, cybercriminals have typically used the malware to replace cryptocurrency wallet information in a user's clipboard with their own crypto information, and then transfer coins from the victim's wallet to their own.

Though seemingly straightforward, clipboard injector tools can be hard to detect and handle, Kaspersky said. They don't exhibit any of the more obvious behaviors associated with typical malware, such as communicating with an external system, causing pop-ups, or slowing down an infected system. They often blend in with legitimate clipboard activity, and any data that the malware replaces can be hard to detect because of how frequently data in a clipboard gets overwritten in the normal course of events.

"[Clipboard injectors] can be silent for years, show no network activity, or any other signs of presence until the disastrous day when they replace a crypto wallet address," Kaspersky said.

New Distribution Vector

Threat actors so far have typically used phishing emails, malicious websites, and other malware to distribute clipboard hijackers.

The campaign to distribute it via weaponized Tor installers is a spin that Kaspersky surmised was likely inspired by Russia's move to ban access to the browser.

Tor gives individuals a way to browse the Internet anonymously by routing their traffic through a network of volunteer-run servers around the world. Frequent Tor users — apart from cybercriminals — include human rights activists, journalists, and those seeking to circumvent censorship and surveillance. Tor has previously described Russia as a country with over 300,000 daily Tor users.

According to Kaspersky, threat actors began distributing Trojanized Tor bundles to Russian-speaking users in December 2021, soon after the country's move to block access. The bundles typically consist of the original torbrowser.exe installer with a valid Tor Project digital signature, a command-line RAR extraction tool with a randomized name, and a password-protected RAR archive.

When a user downloads the weaponized Tor browser bundle, the original torbrowser executable runs in the foreground. In the background, it also runs the extraction tool on the password-protected RAR archive, which sets into motion a set of actions that ends with the clipboard injector malware installed on the victim system.

The authors of the malware likely have used a cracked version of Enigma, a commercially available software protector, to pack the malware and make it harder to detect.

Once installed, the "malware integrates into the chain of Windows clipboard viewers and receives a notification every time the clipboard data is changed," Kaspersky said.

If the malware detects cryptocurrency information in the clipboard, it replaces the content with an attacker-controlled address for Bitcoin or another cryptocurrency. Kaspersky researchers who analyzed various samples of the malware found each sample to contain thousands of replacement addresses, making it hard for defenders to create a deny list or to trace cryptocurrency theft, the security vendor said.

The ongoing campaign is not the first time malware authors have abused Tor's popularity in Russia to target users there for cryptocurrency theft. In 2019, ESET observed a Bitcoin-stealing campaign involving a Trojanized version of the Tor browser. The security vendor's investigation showed that some of the attacker-owned Bitcoin addresses in the campaign had been active since at least 2017.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
