Cyber Security News

OnionPoison – Hackers Distribute Malicious Tor Browser Installer Via Famous YouTube Channel

Researchers at Kaspersky Lab have detected a trojanized version of the Windows installer for the Tor Browser being distributed via a popular Chinese-language YouTube channel.

Kaspersky has dubbed the campaign "OnionPoison". It is aimed at users in China specifically: the malicious payload is only delivered to victims whose IP address is located in China.

The full scale of the campaign is not yet known, but Kaspersky's telemetry recorded victims in March 2022.

Malicious YouTube Channel

The threat actors uploaded the video to YouTube on January 9, 2022. Its description contains a link to the malicious Tor Browser installer; following that link downloads the trojanized software.

At the time of writing the video has more than 64,500 views, and the channel hosting it has 181,000 subscribers. According to Kaspersky, the channel is based in Hong Kong.

The lure works because the Tor Browser is blocked in China. Users who search the video-sharing site for "Tor浏览器" (Tor Browser) find the video and are tricked into downloading the rogue build instead of the genuine one.

OnionPoison Chain

The video description contains two links. The first leads to the official Tor Browser website; the second leads to a malicious Tor Browser installer executable of about 74 MB.

Because the official Tor Browser site is blocked in China, the second link sends users to a Chinese cloud-sharing service on which the threat actors host the rogue version, so the download works where the genuine one would not.

The installer deploys a modified Tor Browser whose configuration has been changed to make it less private than a stock build. The bundled browser is set to:

  • Store the browsing history
  • Enable caching of pages on disk
  • Enable automatic form filling and memorization of login data
  • Store extra session data for websites
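
To check an installed profile for the weakened settings listed above, here is an added example (not code from the Kaspersky report or the Tor Project) that parses a Firefox-style prefs.js or user.js and flags privacy preferences set to non-private values. The preference names are standard Firefox prefs chosen to match the behaviours in the list; the "expected" values are the privacy-preserving setting for each and are an assumption about what a stock Tor Browser provides. The sample prefs.js contents are constructed, not artefacts from the campaign.

```python
"""Audit a Tor Browser (Firefox-based) prefs.js / user.js for privacy
settings that have been weakened, as in the OnionPoison installer.

Added example, not code from the Kaspersky report. Preference names are
standard Firefox prefs; the expected values are the privacy-preserving
setting for each behaviour (assumption: what a stock Tor Browser provides,
directly or via permanent private-browsing mode).
"""
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# Firefox pref name -> value that keeps the listed behaviour private.
EXPECTED_PRIVATE_PREFS: Dict[str, PrefValue] = {
    "browser.privatebrowsing.autostart": True,  # permanent private browsing
    "places.history.enabled": False,            # do not record browsing history
    "browser.cache.disk.enable": False,         # no page cache on disk
    "browser.formfill.enable": False,           # no form autofill / memorised data
    "signon.rememberSignons": False,            # do not save login data
    "browser.sessionstore.privacy_level": 2,    # never store extra session data
}

# Matches `pref("name", value);` and `user_pref("name", value);` lines.
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);'
)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js/user.js text into a dict; comments and junk lines are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"'):
            # strip the quotes and undo the two escapes Firefox emits
            prefs[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            prefs[name] = int(raw)
    return prefs


def find_weakened_prefs(prefs: Dict[str, PrefValue]) -> List[Tuple[str, PrefValue, PrefValue]]:
    """Return (pref, expected, actual) for every privacy pref set to a non-private value.

    A pref that is absent is not flagged: prefs.js only holds overrides, and the
    browser's compiled-in default is not visible from this file.
    """
    return [
        (name, expected, prefs[name])
        for name, expected in EXPECTED_PRIVATE_PREFS.items()
        if name in prefs and prefs[name] != expected
    ]


def audit_prefs_text(text: str) -> List[Tuple[str, PrefValue, PrefValue]]:
    """Convenience wrapper: parse, then check."""
    return find_weakened_prefs(parse_prefs(text))


# Constructed sample in the shape of a prefs.js from a tampered profile.
SAMPLE_TAMPERED_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.privatebrowsing.autostart", false);
user_pref("places.history.enabled", true);
user_pref("browser.cache.disk.enable", true);
user_pref("browser.formfill.enable", true);
user_pref("signon.rememberSignons", true);
user_pref("browser.sessionstore.privacy_level", 0);
user_pref("browser.startup.homepage", "about:tor");
user_pref("network.proxy.socks_port", 9150);
"""

# Constructed sample from an untouched profile: only harmless overrides.
SAMPLE_CLEAN_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("browser.sessionstore.privacy_level", 2);
"""

if __name__ == "__main__":
    for name, expected, actual in audit_prefs_text(SAMPLE_TAMPERED_PREFS_JS):
        print(f"WEAKENED {name}: expected {expected!r}, found {actual!r}")
```

Point `audit_prefs_text` at the contents of `Browser/TorBrowser/Data/Browser/profile.default/prefs.js` in a suspect installation. An absent pref is deliberately not reported, because a malicious build can also change the compiled-in defaults, which this file does not show; a clean result here is therefore necessary but not sufficient.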

Separately, the freebl3.dll library bundled with the browser (a legitimate NSS cryptography library in a genuine Tor Browser) is replaced with a malicious version. Once loaded, it connects to a remote server and retrieves a second-stage spyware payload.

The payload is served only if the victim's IP address is located in China. The spyware module can exfiltrate the following data:

  • List of installed software
  • List of running processes
  • Google Chrome and Edge history
  • SSIDs and MAC addresses of Wi-Fi networks
  • Victims’ WeChat account IDs
  • Victims’ QQ account IDs

Notably, the C&C domain (torbrowser[.]io) hosts a complete replica of the official Tor Browser website, and the download links on the fake site point to the genuine Tor Project site, so a visitor inspecting it sees nothing obviously wrong.
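
A defender who has the C&C domain can hunt for it in resolver logs and, more generally, for any Tor-branded hostname whose registrable domain is not torproject.org, which is how a replica site like this one gets noticed. The following added example (not code from the Kaspersky report) does that over a few constructed DNS log lines. The log format, client addresses and the example.net lookalike are assumptions; the only real indicator is torbrowser[.]io from above.

```python
"""Flag DNS lookups for Tor-branded hostnames that do not belong to the Tor Project.

Added example, not from the Kaspersky report. The only real indicator used is
the C&C domain torbrowser[.]io named in the article; the log format and client
addresses are constructed for the example.
"""
import re
from typing import List, Tuple

OFFICIAL_TOR_DOMAINS = {"torproject.org"}   # the genuine project domain
KNOWN_C2_DOMAINS = {"torbrowser.io"}        # OnionPoison C&C (defanged above as torbrowser[.]io)
BRAND_TOKENS = ("torbrowser", "tor-browser", "torproject")  # strings a lookalike would reuse


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname.

    Assumption: single-label public suffixes only (no .co.uk handling); enough
    for this example.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_query(host: str) -> str:
    """official / known_c2 / lookalike / benign for one queried name."""
    rd = registrable_domain(host)
    if rd in OFFICIAL_TOR_DOMAINS:
        return "official"
    if rd in KNOWN_C2_DOMAINS:
        return "known_c2"
    # Brand name present but the registrable domain is someone else's, e.g.
    # torproject.org.cdn-static.example.net, which impersonates the real site.
    if any(tok in host.lower() for tok in BRAND_TOKENS):
        return "lookalike"
    return "benign"


# Constructed resolver log lines: "<timestamp> <client_ip> <queried_name>".
SAMPLE_DNS_LOG = """\
2022-03-14T09:12:03Z 10.0.5.21 www.torproject.org.
2022-03-14T09:12:05Z 10.0.5.21 dist.torproject.org.
2022-03-14T09:13:41Z 10.0.5.44 torbrowser.io.
2022-03-14T09:13:42Z 10.0.5.44 www.torbrowser.io.
2022-03-14T09:15:10Z 10.0.5.77 torproject.org.cdn-static.example.net.
2022-03-14T09:16:00Z 10.0.5.21 www.example.com.
"""

_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def scan_dns_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, verdict) for every suspicious lookup."""
    hits: List[Tuple[str, str, str, str]] = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        verdict = classify_query(qname)
        if verdict in ("known_c2", "lookalike"):
            hits.append((ts, client, qname, verdict))
    return hits


if __name__ == "__main__":
    for ts, client, qname, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} {qname} -> {verdict}")
```

The "lookalike" class is the generalisation: it catches a hostname that merely embeds the brand (torproject.org.cdn-static.example.net) as well as a registered lookalike such as the C&C here, while leaving dist.torproject.org and similar genuine subdomains alone.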

The lure, then, is anonymization software itself: users looking for a way around censorship are offered a build of the Tor Browser that spies on them.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
