
ESET discovers campaign stealing bitcoins from darknet users

22 Oct 2019

ESET researchers have discovered a campaign that ran unnoticed for years, distributing a trojanised version of the official Tor Browser package and using it to spy on its users and steal bitcoins from them.

“This malware lets the criminals behind this campaign see what website the victim is currently visiting. In theory, they can change the content of the visited page, grab the data the victim fills into forms and display fake messages, among other activities,” says ESET senior malware researcher Anton Cherepanov, who conducted the research.

“However, we have seen only one particular functionality – changing the cryptocurrency wallets.”

The campaign targeted Russian-speaking users of the Tor anonymity network.

To distribute the malware-laden browser, the criminals promoted it on various forums and on pastebin.com as the official Russian-language version of the Tor Browser.

Their goal was to lure language-specific targets to a pair of malicious – yet legitimate-looking – websites.

“At the first website, the user received a warning that their Tor Browser was outdated – regardless of the reality. Those who took this bait were redirected to a second website with an installer,” says Cherepanov.

Following installation, the trojanised Tor Browser is a fully functional application.

“The criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and extensions.

“As a result, non-technically savvy people probably won’t notice any difference between the original version and the trojanised one,” Cherepanov adds.

Among these changes, every kind of update is disabled in the settings, and the updater tool is renamed so the user cannot update the browser; an update would overwrite the modifications the criminals depend on.

Digital signature checks for add-ons are also disabled, so the attackers can modify any bundled add-on and have the browser load it without complaint.
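As an added illustration (this is not ESET's code and not an artefact from the campaign), the following Node.js script audits a Tor Browser profile for the two classes of change described above: update mechanisms switched off and add-on signature enforcement disabled. The page does not list which settings the criminals flipped, so the pref names below are an assumption based on the standard Firefox/Tor Browser prefs of the period (Tor Browser is built on Firefox ESR, and its settings live in `prefs.js` and `user.js` inside the profile directory); the updater file name is likewise a parameter, since the article does not say which platform was involved. The sample prefs file and directory listing are constructed for the demonstration.

```javascript
'use strict';

// Expected values for a stock Tor Browser profile (assumed pref names, see lead-in).
// Any of these set the other way is a finding.
const EXPECTED = {
  'xpinstall.signatures.required': true,       // add-ons must carry a valid signature
  'app.update.enabled': true,                   // browser updater allowed to run
  'app.update.auto': true,                      // ... and to apply updates automatically
  'extensions.update.enabled': true,            // add-on updates allowed
  'extensions.update.autoUpdateDefault': true,  // ... and applied by default
};

// prefs.js / user.js lines look like:  user_pref("name", value);
const PREF_RE = /^\s*(?:user_pref|pref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;

// Parse a prefs file body into a Map of name -> typed value (bool, number or string).
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);
    if (!m) continue;
    const raw = m[2];
    let value;
    if (raw === 'true' || raw === 'false') value = raw === 'true';
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else if (raw.startsWith('"') && raw.endsWith('"')) value = raw.slice(1, -1);
    else value = raw;
    prefs.set(m[1], value);
  }
  return prefs;
}

// Compare parsed prefs against EXPECTED. A pref that is absent is not a finding:
// a stock profile simply inherits the built-in default.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [pref, expected] of Object.entries(EXPECTED)) {
    if (prefs.has(pref) && prefs.get(pref) !== expected) {
      findings.push({ pref, value: prefs.get(pref), expected });
    }
  }
  return findings;
}

// The article says the updater tool was renamed. Given a listing of the browser's
// binary directory, report whether the updater is present under its stock name
// (updater.exe on Windows, updater on Linux; the name is a parameter here) and
// list any file that still looks like a renamed copy of it.
function auditUpdater(fileNames, stockName = 'updater.exe') {
  if (fileNames.includes(stockName)) return null;
  const suspects = fileNames.filter((f) => /updater/i.test(f));
  return { missing: stockName, suspects };
}

// Constructed sample input modelled on a tampered prefs file (not a real artefact).
const SAMPLE_PREFS = `
# Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("xpinstall.signatures.required", false);
user_pref("app.update.enabled", false);
user_pref("app.update.auto", true);
user_pref("extensions.update.enabled", false);
user_pref("network.proxy.socks_port", 9150);
`;
// Constructed directory listing in which the updater has been renamed.
const SAMPLE_DIR = ['firefox.exe', 'updater_old.exe', 'omni.ja', 'xul.dll'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditPrefs(SAMPLE_PREFS));
  console.log(auditUpdater(SAMPLE_DIR));
}
```

On the sample input the audit reports three flipped prefs (signature enforcement, the browser updater and add-on updates) and a missing `updater.exe` with `updater_old.exe` as the likely renamed copy. Absent prefs are deliberately not reported, because a clean profile rarely spells out the defaults; only an explicit override of a security-relevant default is evidence of tampering.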

The criminals also modified the browser so that it reports the page the victim is currently visiting to a C&C server hosted on an onion domain, reachable only through Tor, and fetches from that server a JavaScript payload to run in the page.

“In theory, the attackers can serve payloads that are tailor-made to particular websites. However, during our research, the JavaScript payload was always the same for all pages we visited,” says Cherepanov.

The JavaScript payload ESET researchers have seen targets three of the largest Russian-speaking darknet markets.

This payload attempts to alter the QIWI (a popular Russian money-transfer service) and bitcoin wallet addresses displayed on those markets' pages.

When a victim opens their profile page to top up their account directly with a bitcoin payment, the trojanised Tor Browser silently replaces the market's deposit address with an address controlled by the criminals.

“During our investigation, we identified three bitcoin wallets that have been used in this campaign since 2017. Each such wallet contains relatively large numbers of small transactions; we consider this a confirmation that these wallets indeed were used by the trojanised Tor Browser,” says Cherepanov.

At the time ESET researchers concluded their research, the total amount of received funds for all three wallets was 4.8 bitcoin, which corresponds to approximately 40,000 US dollars.

“It should be noted that the real amount of stolen money is higher because the trojanised Tor Browser also alters QIWI wallets,” says ESET’s Anton Cherepanov.
