The attackers can search the exfiltrated browser histories for traces of illegal activity, contact the victims via social networks and threaten to report them to the authorities.”Ĭheck out the original blog post on the Kaspersky website for more details on this threat.Tor Browser is available for Linux, Mac and Windows, and has also been ported to mobile. Instead, they gather data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks.
The Kaspersky researchers concluded: “Curiously, unlike common stealers, OnionPoison implants do not automatically collect user passwords, cookies or wallets. If installed, the command-and-control server may request history from the Tor, Chrome and Microsoft Edge browsers, identities of WeChat and QQ accounts, and SSIDs and MAC addresses of WiFi networks. “We can therefore say that the OnionPoison campaign targets users that are located in China.” The researchers note that one of the stages of the malware only deploys on machines with a Chinese IP address. The links are embedded in the description of the video, and since Tor is banned in China, users there are forced to download the malicious installer that’s hosted on a Chinese cloud-sharing service. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it.” More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server.
The Kaspersky researchers dubbed the campaign “OnionPoison” after Tor’s onion routing technique for anonymous communications, adding: “Unlike the legitimate one, the infected Tor Browser stores browsing history and data entered into website forms.
The video with the link to the malicious installer first appeared on the YouTube channel in January, with victims starting to appear in March it has been viewed over 64,000 times. In this case, the Kaspersky researchers say their telemetry detected the malicious installers via a link on a popular Chinese-language YouTube channel devoted to anonymity on the internet that has over 180,000 subscribers. The website for the Tor browser is banned in China, so users often resort to using third-party sites to download the contraband browser. Kaspersky researchers noticed a rather clever way threat actors are deceiving users in China into downloading a malicious Tor browser installer that can be used to track the history and location of its victims. The YouTube app logo is seen on a television screen.
0 kommentar(er)
