Malicious Tor Browser Installers Spread Via Darknet Video on YouTube

10/17/2022 | Darknet News

Cybersecurity researchers have discovered multiple infections caused by malicious Tor Browser installers spread through YouTube videos about the Darknet, in a campaign dubbed OnionPoison.

The discovery was made by Kaspersky, which stated in an advisory earlier today that the channel in question has more than 180,000 subscribers and that the video carrying the link to the infected installer has received more than 64,000 views.

The cybercriminals, whom the security company calls “OnionPoison”, propagated malware-infected versions of Tor Browser by embedding links to them in videos; the malware captured victim data and gave the attackers full control of infected systems through shell commands.

“Most of the affected users were from China,” Kaspersky wrote. “As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites. And cyber-criminals are keen on spreading their malicious activity via such resources.”

According to Kaspersky, the analyzed version of Tor Browser was configured to be less private than the original software.

In practice, the malicious variant also delivered malware that gathered personal information and sent it to the attackers’ server, in addition to storing the browsing history and everything the user typed into website forms.

Kaspersky noted that OnionPoison “curiously, unlike many other stealers, does not seem to exhibit a special focus in gathering users’ passwords or wallets.”

“Instead, they tend to be more interested in gathering victims’ identifying information which can be used to track down the victims’ identities, such as browsing histories, social network account IDs and WiFi networks.”

The tactic is alarming, in Kaspersky’s view, because it suggests the attackers want to move from the virtual world into the physical one.

“The attackers can gather information on the victim’s personal life, his family or home address. Additionally, there are cases when the attacker used the obtained information to blackmail the victim.”

To lessen the chances of falling prey to such campaigns, Kaspersky advised businesses and consumers to avoid installing software from dubious third-party websites.

If using the official website is not an option, check the digital signatures of installers downloaded from third-party sources to confirm they are genuine before running them.
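As an added illustration of that advice (this is not code from the article or from Kaspersky, and it is not the Tor Project's own verification tooling), the script below performs the two checks a user can run offline on a downloaded installer: it compares the file's SHA-256 digest against a vendor-published checksum list in the usual `<hexdigest>  <filename>` format, and, when a local `gpg` binary is available, verifies a detached OpenPGP signature and confirms the signing key's fingerprint matches one the user copied from the vendor's official documentation. The installer and checksum-file names, the sample bytes in `demo()`, and the `EXPECTED_FINGERPRINT` placeholder are all constructed for the example; substitute the real values from the vendor's official site.

```python
"""Offline integrity checks for a downloaded installer (added example)."""
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from pathlib import Path

# Placeholder only: obtain the real signing-key fingerprint from the vendor's
# official documentation, never from the same third-party site as the installer.
EXPECTED_FINGERPRINT = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

CHUNK = 1 << 20  # read large installers in 1 MiB pieces


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>'); blank or malformed lines are skipped."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        if len(digest) == 64 and all(c in "0123456789abcdefABCDEF" for c in digest):
            sums[name] = digest.lower()
    return sums


def installer_matches(installer_path, sums):
    """True only if the file appears in the published list and its digest matches."""
    expected = sums.get(Path(installer_path).name)
    if expected is None:
        return False  # a file absent from the published list is not trusted
    return hmac.compare_digest(sha256_file(installer_path), expected)


def gpg_verify_detached(sig_path, data_path, expected_fingerprint):
    """Verify a detached signature with gpg; True/False, or None if gpg is not installed.

    Relies on gpg's machine-readable status lines: a VALIDSIG line carries the
    signing (sub)key fingerprint as its 3rd field and the primary key fingerprint last.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    proc = subprocess.run(
        [gpg, "--status-fd", "1", "--verify", str(sig_path), str(data_path)],
        capture_output=True, text=True,
    )
    wanted = expected_fingerprint.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG"):
            fields = line.split()
            if wanted in (fields[2].upper(), fields[-1].upper()):
                return proc.returncode == 0
    return False  # no valid signature, or signed by a different key


def demo():
    """Constructed sample: a fake installer and checksum list in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        installer = Path(d) / "tor-browser-installer.exe"  # hypothetical file name
        installer.write_bytes(b"MZ constructed installer bytes, not a real binary\n")
        published = parse_sha256sums(f"{sha256_file(installer)}  {installer.name}\n")
        genuine_ok = installer_matches(installer, published)
        # Simulate a trojanized download: same name, different contents.
        installer.write_bytes(b"MZ constructed installer bytes, now modified\n")
        tampered_rejected = not installer_matches(installer, published)
        return genuine_ok, tampered_rejected


if __name__ == "__main__":
    print("genuine accepted, tampered rejected:", demo())
```

The checksum comparison alone only proves the file matches the list you were given; the list itself must come from, and be signed by, the vendor, which is why the fingerprint check in `gpg_verify_detached` is tied to a value obtained out of band rather than to whatever key happens to ship alongside the download.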

The warning came a few months after the Tor Project updated its main anonymizing browser to make it simpler for users to get around government attempts to block it in various countries.

Hacker groups apparently used the technique more recently to support Iranian protesters.