onionpoison-–-fake-tor-browser-installer-spreading-malware-via-youtube

Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

OnionPoison – Fake Tor Browser Installer Spreading Malware Via YouTube

Kaspersky cybersecurity researchers have discovered multiple infections through a malicious TOR browser installer. The campaign is dubbed OnionPoison, and the installer is being distributed via a Chinese-language YouTube video about the dark web.

The channel boasts over 180,000 subscribers, whereas the video’s view count has exceeded 64,000. It is a damaging discovery for TOR browser users as it is an anonymity-based browser, serving as a gateway to the Dark Web.

OnionPoison - Fake Tor Browser Installer Spreading Malware Via YouTube
The YouTube video from where the malicious and fake Tor browser is being spread (Left) – The malicious .exe download file (Image: Kaspersky)

What Tor Browser Actually is?

The Tor Browser is a free and open-source web browser that is based on the Mozilla Firefox web browser. The Tor Browser is designed to protect your privacy and anonymity when using the internet.

The Tor Browser routes your internet traffic through a network of servers, making it difficult for anyone to track your online activity. The Tor Browser is available for Windows, macOS, and Linux.

Tor is short for “The Onion Router”. The Tor network was originally developed by the US Naval Research Laboratory as a way to securely communicate between government agencies.

The Tor network consists of a series of volunteer-run servers that route internet traffic through a series of encrypted tunnels. This makes it difficult for anyone to track your online activity or identify your location.

The TOR-China Connection

It is worth noting that the Tor browser is banned in China, therefore Chinese residents often resort to innovative ways of downloading it. They mainly access third-party websites for this purpose. Hence, they are more likely to be tricked into downloading the malicious installer. What’s worse, most impacted users are also based in China.

More Tor Browser News

  1. Fake Tor browser stole Bitcoins from dark web users
  2. 23% of Tor browser relays found to be stealing Bitcoin
  3. 8 Best Dark Web Search Engines for Tor Browser (2022)
  4. What Are Dark Web Search Engines and How to Find Them?
  5. Beware – “Fake Tor Browser Rodeo” Scamming Unsuspecting Users

Difference Between Original and Malicious TOR Installers

This modified version’s link was posted in January 2022 on a channel that promotes internet anonymity. It is a Chinese-language channel, and the installer was hosted on a Chinese cloud-sharing service.

The difference between the real and modified version was the digital signature, which was missing from the malicious file, and some files were also different from the original. And the version assessed by Kaspersky has less private configuration than the original software.

Kaspersky Warns about Malicious YouTube Video

As per Kaspersky’s advisory, the shady YouTube video is spreading a modified version of the TOR browser capable of collecting sensitive data from users in China. This includes internet history and data the user enters into website forms.

The browser collects the data and hides spyware in an accompanying library, which further collects data like computer name and user’s name, location, and MAC addresses of network adapters. Later, it transmits this information to a C2 server.

OnionPoison - Fake Tor Browser Installer Spreading Malware Via YouTube
The malicious website hosting a fake Tor browser (Image: Kaspersky)

Furthermore, it boasts an embedded functionality for executing shell commands, giving the attacker complete control over the device. The video’s description bar gives the link to the infected TOR browser version.

The scammers seem interested in collecting victims’ personal details like social network IDs, Wi-Fi networks, and browsing histories to track them down and discover their identities.

“The attackers can gather information on the victim’s personal life, his family or home address. Additionally, there are cases when the attacker used the obtained information to blackmail the victim.”

Kaspersky

Researchers are warning individuals and companies against using third-party websites for downloading software to prevent becoming targets of scammers. It is essential to verify the installers’ authenticity before downloading software that cannot be accessed from official websites. Most importantly, constantly assess digital signatures before installing any app/software.

How to Download Tor Browser?

The Tor Browser, as we know it, is available for Windows, macOS, Linux, and Android. To download the Tor Browser, visit the official website at Torproject.org. Once you’re on the website, click “Download Tor Browser.” Then, select the appropriate version for your operating system and follow the prompts to complete the installation.

Once you have the Tor Browser installed, launch it and click “Connect.” That’s it! You’re now browsing anonymously. Keep in mind that because Tor encrypts your traffic, your internet speeds may be slower than usual. But rest assured that your privacy and security are well worth the trade-off.

Author

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Related News

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari, the renowned Italian luxury car manufacturer, suffered a cyber incident that compromised the company’s client data. According to a…
ChatGPT Bug Exposes Conversation History Titles

ChatGPT Bug Exposes Conversation History Titles

A ChatGPT user on Reddit first reported the bug after noticing Chinese language characters in the title of their conversation…
Breach Forums to Remain Offline Permanently

Breach Forums to Remain Offline Permanently

The decision to shut down the Breach Forums came after the admin noticed someone had logged into an old forum…