Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users

A trojanized version of the Tor Browser targets dark web market shoppers, stealing their cryptocurrency and tracking the websites they visit.

More than 860 transactions are registered to three wallets controlled by the attackers, which received about $40,000 worth of Bitcoin.

Careful impersonation

The malicious Tor Browser is actively promoted as the Russian version of the original product through posts on Pastebin that have been optimized to rank high in searches for drugs, cryptocurrency, censorship bypass, and Russian politicians.

Spam messages also help the actor(s) distribute the trojanized variant, which is delivered from two domains claiming to provide the official Russian version of the software.

The two domain names, registered in 2014, were chosen with care, since to a Russian user they look like the real thing:

  • tor-browser[.]org
  • torproect[.]org – for Russian-speaking visitors, the missing “j” may be seen as a transliteration from Cyrillic

Furthermore, the design of the pages mimics, to some extent, the official site of the project. Landing on one of these pages shows the visitor a warning that their browser is outdated, regardless of the version they actually run.

Translated into English, the message reads:

“Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button ‘Update’.”

In the Pastebin messages, the cybercriminals also advertise an anti-captcha feature that supposedly lets users reach their destination faster.

No such feature exists. Underneath this Tor Browser impersonator sits version 7.5 of the official project, released in January 2018.

Getting the cryptocurrency

The script that the trojanized browser downloads can modify a page in several ways: it can read the contents of forms, hide the original content, show fake messages, or inject content of its own.

These capabilities let the script replace the destination wallet address for cryptocurrency transactions in real time. The JavaScript ESET observed does exactly this.

The targets are users of the three largest Russian-speaking darknet markets, the researchers say. In the payload they observed, the script also alters the payment details for the Qiwi payment service provider.

When a victim tops up their market account with Bitcoin, the script steps in and swaps the deposit address for one controlled by the attackers.

Because a cryptocurrency wallet address is a long string of seemingly random characters, users are unlikely to notice the swap.
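The swap described above, as an added example that is not ESET's code or the actual payload: the attacker side rewrites every string shaped like a Bitcoin address in rendered page text, and the defender side compares the rendered page against a list of addresses the user knows to be correct. The regular expression, the attacker address, the sample page text and the function names are all assumptions made for this demo.

```javascript
// Added example: a minimal model of the address-swapping behaviour described
// above (attacker side) and a before/after check a client can run against it
// (defender side). This is not ESET's code or the real payload. Addresses and
// page text are constructed for the demo.

// Bitcoin address shapes: legacy Base58 addresses start with 1 or 3 and use the
// Base58 alphabet (no 0, O, I, l); bech32 addresses start with bc1 and use the
// bech32 alphabet (no 1, b, i, o). This matches shape only; no checksum check.
const BTC_ADDRESS_RE =
  /\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b/g;

// The attacker's replacement address. Constructed for the demo: it has no
// valid checksum and is not one of the wallets from the report.
const ATTACKER_ADDR = "1AttackerDemoAddressXXXXXXXXXXXXXX";

// Attacker side: rewrite every Bitcoin address in rendered text (a deposit
// dialog, a profile page, a form field) with the attacker's own address.
function swapBitcoinAddresses(text, attackerAddr = ATTACKER_ADDR) {
  return text.replace(BTC_ADDRESS_RE, attackerAddr);
}

// Unique addresses visible in a chunk of text, in order of first appearance.
function extractAddresses(text) {
  return Array.from(new Set(text.match(BTC_ADDRESS_RE) || []));
}

// Defender side: compare what the page shows now against addresses the user
// already knows to be correct (saved earlier or obtained out of band, never
// read from the page itself, since the page is what the script controls).
// Reports expected addresses that vanished and foreign ones that appeared.
function detectSwap(expectedAddrs, renderedText) {
  const seen = extractAddresses(renderedText);
  const expected = new Set(expectedAddrs);
  return {
    missing: expectedAddrs.filter((addr) => !seen.includes(addr)),
    unexpected: seen.filter((addr) => !expected.has(addr)),
  };
}

// Constructed snapshot of a market deposit page before the payload runs. The
// legacy address is the Bitcoin wiki's example address and the bech32 one is
// the BIP 173 example; neither belongs to anyone in the report.
const EXPECTED_ADDRS = [
  "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
  "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
];
const PAGE_BEFORE =
  "Deposit BTC to your market balance\n" +
  "Legacy address: " + EXPECTED_ADDRS[0] + "\n" +
  "SegWit address: " + EXPECTED_ADDRS[1] + "\n" +
  "Minimum deposit 0.001 BTC";

// Run the attack against the snapshot, then the check against both versions.
function demo() {
  const pageAfter = swapBitcoinAddresses(PAGE_BEFORE);
  return {
    pageAfter,
    beforeCheck: detectSwap(EXPECTED_ADDRS, PAGE_BEFORE),
    afterCheck: detectSwap(EXPECTED_ADDRS, pageAfter),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log(r.pageAfter);
  console.log("clean page:", r.beforeCheck);   // nothing missing, nothing unexpected
  console.log("after swap:", r.afterCheck);    // both expected missing, attacker address present
}
```

In a real browser the injected script does this against the live DOM as the page renders, so the market's server never sees the altered address and server-side checks cannot catch it; the only reliable reference is an address the user recorded before the page loaded or obtained out of band, which is what the expected-address list stands in for here. The same match-and-replace approach would cover other payment identifiers such as the Qiwi details mentioned above, though the page does not describe how that part of the payload works.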

Darknet profile with altered Bitcoin address

At the moment of publishing, the three cryptocurrency wallets controlled by the attackers had recorded 863 transactions. These are small transfers, consistent with the funds coming from victims of the trojanized Tor Browser.

One of the wallets received more than $20,000 from over 370 transactions. The current balances are small, though: around $50 in one wallet and under $2 in each of the other two, so the proceeds have been moved elsewhere.

The three wallets have been used for this purpose since 2017, the researchers found. Although only 4.8 BTC passed through them, the attackers' total proceeds are likely higher because the script also alters Qiwi payment details, and those transfers do not show up on the Bitcoin blockchain.
