Tuesday, October 4, 2022

Popular YouTube Channel Caught Distributing Malicious Tor Browser Installer


A popular Chinese-language YouTube channel has emerged as a means to distribute a trojanized version of a Windows installer for the Tor Browser.

Kaspersky dubbed the campaign OnionPoison, with all of the victims located in China. The scale of the attack remains unclear, but the Russian cybersecurity company said it detected victims appearing in its telemetry in March 2022.

The malicious version of the Tor Browser installer is being distributed via a link present in the description of a video that was uploaded to YouTube on January 9, 2022. It has been viewed over 64,500 times to date.


The channel hosting the video has 181,000 subscribers and claims to be based in Hong Kong. The video is still available to watch on the social media platform as of writing.

The attack banks on the fact that the actual Tor Browser website is blocked in China, thus tricking unsuspecting users searching for "Tor浏览器" (i.e., Tor Browser in Chinese) on YouTube into potentially downloading the rogue variant.

Clicking on the link redirects the user to a 74MB executable that, once installed, is designed to store users' browsing history and data entered into website forms.

"More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command-and-control server," Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin said.

The malicious freebl3.dll library achieves this by establishing contact with a remote server that responds back with a second-stage payload containing the spyware, but only when the IP address of the victim originates from China.
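freebl3.dll is one of the NSS cryptographic libraries that ships with every Firefox-based Tor Browser, so its presence is expected; what gives the trojanized build away is that the bundled copy differs from the one in the official package. The script below is an added example (not Kaspersky's tooling or anything from the Tor Project) showing the defender-side check that follows from that: hash every file in an installed Tor Browser tree and diff it against a reference copy downloaded from the legitimate site. The directory layout, file contents and the "reference" and "installed" trees are constructed placeholders built in a temporary directory so the example runs offline; no real hashes from the report are used.

```python
"""Compare an installed Tor Browser tree against a known-good reference copy.

Constructed example: the reference tree stands in for a package fetched from
the official distribution point; the "installed" tree contains a tampered
freebl3.dll and one extra, unexpected file.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(reference: Path, installed: Path) -> dict:
    """Return files whose hash differs, files missing, and files not in the reference."""
    ref, inst = hash_tree(reference), hash_tree(installed)
    return {
        "modified": sorted(k for k in ref if k in inst and ref[k] != inst[k]),
        "missing": sorted(k for k in ref if k not in inst),
        "added": sorted(k for k in inst if k not in ref),
    }


def build_sample() -> tuple:
    """Create constructed reference and installed trees; returns (reference, installed)."""
    base = Path(tempfile.mkdtemp(prefix="tor-integrity-"))
    reference, installed = base / "reference", base / "installed"
    # Placeholder contents only; real builds carry real binaries here.
    files = {
        "Browser/firefox.exe": b"placeholder firefox binary",
        "Browser/freebl3.dll": b"placeholder NSS freebl3 library",
        "Browser/nss3.dll": b"placeholder NSS library",
    }
    for root in (reference, installed):
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    # Simulate the tampering: a swapped-out DLL plus a file the package never had.
    (installed / "Browser/freebl3.dll").write_bytes(b"placeholder TAMPERED freebl3")
    (installed / "Browser/extra.dll").write_bytes(b"placeholder unexpected file")
    return reference, installed


if __name__ == "__main__":
    ref_dir, inst_dir = build_sample()
    for kind, paths in compare_trees(ref_dir, inst_dir).items():
        for rel in paths:
            print(f"{kind:9s} {rel}")
```

Point the two paths at a freshly extracted official package and at the suspect installation to use it for real. On Windows the same check can be complemented by inspecting the installer's Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature), since a repackaged installer will not carry the original publisher's valid signature.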


The spyware module further provides the functionality to exfiltrate a list of installed software and running processes, browser histories, victims' WeChat and QQ account IDs, in addition to executing arbitrary shell commands on the victim machine.

What's notable about the command-and-control server (torbrowser[.]io) is that it is a visual replica of the original Tor Browser website and its download links lead to the legitimate Tor Browser website.
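Because the C2 domain impersonates the Tor Browser brand rather than the real torproject.org, a proxy or DNS log review can catch it by flagging hosts that use Tor Browser wording outside the legitimate registrable domain. The script below is an added example (not part of the report) that does exactly that over constructed log lines: the only indicator taken from the article is torbrowser[.]io, written without the defanging brackets; the log format, source addresses and the other hostnames are invented samples, and the two-label "registrable domain" rule is a deliberate simplification that ignores public suffixes such as co.uk.

```python
"""Flag Tor-Browser look-alike hosts in proxy/DNS log lines (constructed samples)."""
import re

# Legitimate distribution domain for Tor Browser (general knowledge, not from the report).
LEGIT_DOMAINS = {"torproject.org"}
# The OnionPoison C2 named in the report, de-fanged there as torbrowser[.]io.
KNOWN_BAD = {"torbrowser.io"}

# Hostnames borrowing the product name: "torbrowser", "tor-browser", "torproject", ...
LOOKALIKE_RE = re.compile(r"tor[-_]?(browser|project)", re.IGNORECASE)
HOST_RE = re.compile(r"\bhost=(\S+)")
SRC_RE = re.compile(r"\bsrc=(\S+)")

# Constructed proxy log lines; addresses and hosts other than torbrowser.io are invented.
LOG_LINES = [
    "2022-03-14T10:02:11Z src=10.0.5.21 host=www.torproject.org action=allow",
    "2022-03-14T10:03:45Z src=10.0.5.21 host=torbrowser.io action=allow",
    "2022-03-14T10:04:02Z src=10.0.5.40 host=cdn.example.com action=allow",
    "2022-03-14T10:05:30Z src=10.0.5.40 host=download.tor-browser-cn.example action=allow",
]


def registrable(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(host: str) -> str:
    """Return one of: legit, known-bad, lookalike, benign."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    if reg in KNOWN_BAD:
        return "known-bad"
    if LOOKALIKE_RE.search(host):
        return "lookalike"
    return "benign"


def scan(lines) -> list:
    """Return (src, host, verdict) for every line whose host needs attention."""
    hits = []
    for line in lines:
        host_m, src_m = HOST_RE.search(line), SRC_RE.search(line)
        if not host_m:
            continue  # malformed line: no host field
        verdict = classify(host_m.group(1))
        if verdict in ("known-bad", "lookalike"):
            hits.append((src_m.group(1) if src_m else "?", host_m.group(1), verdict))
    return hits


if __name__ == "__main__":
    for src, host, verdict in scan(LOG_LINES):
        print(f"{verdict:10s} {src:12s} {host}")
```

A "lookalike" verdict is a lead to investigate, not proof of compromise; the report's note that the fake site's own download links point at the real Tor Browser site means a flagged host may have served both the decoy page and legitimate content.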

The development echoes another campaign in which gamers looking for cheats and cracks on YouTube are being directed to videos containing links to a malicious archive file distributing information stealers and crypto miners. Google has since terminated the hacked channels.

The Hacker News has reached out to the internet giant for comment regarding the latest findings, and we'll update the story if we hear back.


