{"id":20298,"date":"2022-10-28T12:39:04","date_gmt":"2022-10-28T16:39:04","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/onionpoison-infected-tor-browser\/20298\/"},"modified":"2022-10-31T19:58:11","modified_gmt":"2022-10-31T15:58:11","slug":"onionpoison-infected-tor-browser","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/onionpoison-infected-tor-browser\/20298\/","title":{"rendered":"Never download software from YouTube links"},"content":{"rendered":"

Earlier this month, Kaspersky experts published a detailed report<\/a> on a threat they\u2019ve called OnionPoison. They discovered malicious code being distributed through YouTube video. The video advertised using Tor Browser<\/a> for private browsing.<\/p>\n

This browser is a modified version of the Firefox browser \u2014 with maximum privacy settings. But its most important feature is that it can redirect all user data through The Onion Router (hence the name Tor) network. Data is transmitted in encrypted form through several layers of server (hence the onion in the name), where it\u2019s mixed with data of other users of the network. This method ensures privacy: websites see only the address of the last server in the Tor network \u2014 the so-called exit node \u2014 and cannot see the user\u2019s real IP address.<\/p>\n

But that\u2019s not all. The Tor network can also be used to bypass restricted access to certain sites. For example, in China, many \u201cWestern\u201d internet resources are blocked, so users turn to solutions such as Tor to access them. Incidentally, YouTube is also officially unavailable in China, so, by definition, the video is aimed at those looking for ways to get round the restrictions. It\u2019s likely that this was by no means the only method of distributing the OnionPoison malware, and that other links were placed on resources inside China.<\/p>\n

Normally, a user can download Tor Browser from the project\u2019s official website. However, this site is also blocked in China, so there\u2019s nothing unusual about people seeking alternative download sources. The YouTube video itself explains how to hide online activity using Tor, and a link is given in the description. It points to a Chinese cloud file-hosting service. Unfortunately, the version of Tor Browser located there is infected with OnionPoison spyware. So, instead of privacy, the user gets the exact opposite: all their data is revealed.<\/p>\n

\"Screenshot<\/a>

Screenshot of a YouTube video advertising a malicious version of Tor Browser. Source<\/a><\/p><\/div>\n

What the infected Tor Browser knows about the user<\/h2>\n

\nThe infected version of Tor Browser lacks a digital signature, which should be a big red flag for the security-minded user. On installing such a program, the Windows operating system displays a warning regarding this. Naturally, the official version of Tor Browser has a digital signature. The distribution contents in the infected package, however, differ very little from the original. But the minor differences are important.<\/p>\n

For starters, in the infected browser, some important settings have been changed when compared with the original Tor Browser. Unlike the real one, the malicious version remembers the browser history, stores temporary copies of sites on the computer, and automatically saves login credentials and all data entered into forms. Such settings already cause enough damage to privacy as it is, but it only gets worse\u2026<\/p>\n

\"Download<\/a>

Download page of Tor Browser infected with OnionPoison spyware. Source<\/a><\/p><\/div>\n

One of the key Tor\/Firefox libraries was replaced with malicious code. This calls the original library, as required, to keep the browser working. And at startup it also addresses the C2 server, from where it downloads and runs another malicious program. What\u2019s more, this next stage of the attack on the user occurs only if their real IP address points to a location in China.<\/p>\n

This \u201csecond stage\u201d of the attack furnishes the attack organizers with as much detailed information about the user as possible, in particular:<\/p>\n