Trojanized Tor Browser lets attackers steal from users' e-wallets

Researchers have discovered a trojanized version of the Tor Browser that targets Russian-speaking visitors to dark web marketplaces and lets cybercriminals steal from their e-wallet transactions.


The operators of the malicious browser have so far stolen at least $40,000 in bitcoin, although the true figure is likely higher. ESET researchers found a version of the trojanized app that was built from the legitimate January 2018 release of Tor Browser 7.5. The criminal operation dates back further, to at least 2017, and two malicious domains used to distribute the malware were registered as early as 2014, ESET reported in a blog post by company researcher Anton Cherepanov.


The trojanized browser behaves like the authentic version, with a few key changes. The criminals did not modify the browser's code itself; instead they changed the default browser settings and some of the bundled extensions. First, they turned off the signature check for installed add-ons, so malicious add-ons can be introduced without being rejected by add-on signature verification.
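A quick way to check a profile for this kind of tampering is to read its preference files and compare the security-relevant prefs against a hardened baseline. The script below is an added example, not code from the article or from ESET. It parses lines in the `user_pref("name", value);` form used by Firefox's prefs.js and user.js and flags deviations. The signature pref, `xpinstall.signatures.required`, is the Firefox setting that enforces add-on signature checks; the update prefs in the baseline are an assumption about other defaults worth watching, not something the article names, and the sample profile content is constructed.

```python
import re

# Firefox preference that enforces add-on signature verification; the
# trojanized build described above turns this check off.
SIGNATURE_PREF = "xpinstall.signatures.required"

# Hardened expected values. The signature pref is the one the article names;
# the update prefs are an assumption about other defaults worth watching.
EXPECTED_PREFS = {
    SIGNATURE_PREF: True,
    "app.update.enabled": True,   # assumption: updates should stay enabled
    "app.update.auto": True,      # assumption
}

# Matches lines such as: user_pref("xpinstall.signatures.required", false);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js / user.js style text into a dict of name -> value."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def audit_prefs(text):
    """Return (pref, found, expected) tuples for prefs that deviate from the baseline."""
    prefs = parse_prefs(text)
    findings = []
    for name, expected in EXPECTED_PREFS.items():
        if name in prefs and prefs[name] != expected:
            findings.append((name, prefs[name], expected))
    return findings


# Constructed sample: what a tampered profile's user.js might contain.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("xpinstall.signatures.required", false);
user_pref("app.update.enabled", false);
user_pref("browser.startup.homepage", "about:tor");
user_pref("extensions.torbutton.loglevel", 4);
'''

if __name__ == "__main__":
    for name, found, expected in audit_prefs(SAMPLE_PREFS):
        print(f"WEAKENED {name}: found {found!r}, expected {expected!r}")
```

One caveat: a rebuilt browser can change the compiled-in default of a preference rather than writing it to the profile, in which case the profile files show nothing. For a suspect installation, about:config is the authoritative view of the effective value, and the installer itself should be checked against the signature published by the Tor Project before anything in it is trusted.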


One such malicious add-on is a modified version of HTTPS Everywhere bundled with the browser, which loads a JavaScript payload into every web page, in the context of that page. That lets the criminals serve payloads customized for each page. So far, however, they have stuck to a single payload: a web inject capable of form grabbing, scraping and injecting page content, and displaying fake messages, ESET explained.
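Because a WebExtension declares in its manifest.json which scripts it injects and where, an add-on that has been modified to load a script into every page can be spotted by comparing its manifest with the manifest from the signed package. The script below is an added example, not code from the article or from ESET, and not part of HTTPS Everywhere. Both sample manifests are constructed; the add-on name, file names and the `script.js` entry are made up for illustration and are not taken from the real package.

```python
import json

# Match patterns that cover every site. A content script with one of these
# is loaded into each page the user visits.
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _normalize(entry):
    # Stable string form so entries can be compared across two manifests.
    return json.dumps(entry, sort_keys=True)


def added_content_scripts(baseline_text, suspect_text):
    """Return content_scripts entries present in the suspect manifest but
    absent from the known-good baseline (e.g. the signed add-on package).
    Hypothetical helper written for this example."""
    baseline = json.loads(baseline_text).get("content_scripts", [])
    suspect = json.loads(suspect_text).get("content_scripts", [])
    known = {_normalize(e) for e in baseline}
    return [e for e in suspect if _normalize(e) not in known]


def content_script_findings(manifest_text, expected_scripts=frozenset()):
    """Flag content_scripts entries that run on every page, reference script
    files outside expected_scripts, or run before the page has loaded."""
    manifest = json.loads(manifest_text)
    findings = []
    for entry in manifest.get("content_scripts", []):
        matches = set(entry.get("matches", []))
        scripts = entry.get("js", [])
        reasons = []
        if matches & ALL_URL_PATTERNS:
            reasons.append("matches all pages")
        unexpected = [s for s in scripts if s not in expected_scripts]
        if unexpected:
            reasons.append("unexpected scripts: " + ", ".join(unexpected))
        if entry.get("run_at") == "document_start":
            reasons.append("runs at document_start")
        if reasons:
            findings.append({"matches": sorted(matches), "js": scripts, "reasons": reasons})
    return findings


# Constructed sample manifests. Names and file names are made up for
# illustration; they are not taken from the real HTTPS Everywhere package.
SAMPLE_BASELINE = json.dumps({
    "manifest_version": 2,
    "name": "Example Add-on",
    "version": "1.0",
    "background": {"scripts": ["background.js"]},
    "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
})

SAMPLE_SUSPECT = json.dumps({
    "manifest_version": 2,
    "name": "Example Add-on",
    "version": "1.0",
    "background": {"scripts": ["background.js"]},
    "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["script.js"], "run_at": "document_start"}
    ],
})

if __name__ == "__main__":
    for entry in added_content_scripts(SAMPLE_BASELINE, SAMPLE_SUSPECT):
        print("added content script:", entry)
    for f in content_script_findings(SAMPLE_SUSPECT):
        print("suspicious:", f["js"], "->", "; ".join(f["reasons"]))
```

Two things to keep in mind when using a check like this. A content script by itself runs in an isolated world; to act "in the context of the page" as described above it typically appends a script element to the document, so the manifest tells you that something is injected everywhere but the injected file has to be read to learn what it does. And a manifest diff only catches changes to the manifest: if the attacker instead edited a script file the legitimate add-on already loads, the entries match and only a file-level comparison with the signed package (or a hash check) would reveal it.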


Using this payload, the cybercriminals have targeted users of three of the largest Russian-speaking dark web marketplaces by tampering with e-wallets located on th ..