associationpoy.blogg.se

Download the tor browser bundle

The description of the video includes two links: one to the official Tor Browser website, while the other points to the malicious Tor Browser installer hosted on a Chinese cloud sharing service. The malicious installer has a file size of 74.1 MB. Upon execution, the installer installs a malicious Tor Browser that has the same UI as the original Tor Browser. The malicious installer is not digitally signed, and it also drops some files that are different from the ones bundled with the original installer.

“The file freebl3.dll is present in the original Tor Browser installer; however, its contents are entirely different from the DLL in the malicious installer,” continues the report.

“More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it,” reads Kaspersky’s analysis. “We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser.”

The spyware is able to gather system information and supports data exfiltration. The experts noticed that the second-stage payload containing the spyware is only served to users from China.
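
The report's observation that freebl3.dll keeps its name but not its contents is the kind of tampering a hash comparison against a known-good copy catches. The following is an added example, not code from the Kaspersky report or the Tor Project: it assumes you have unpacked a reference copy from an installer whose signature you verified, and the directory layout, file contents and the name `extra.bin` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map lower-cased relative path -> SHA-256 (Windows paths are case-insensitive)."""
    return {
        p.relative_to(root).as_posix().lower(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_install(reference: Path, suspect: Path) -> dict[str, list[str]]:
    """Report files whose contents differ, plus files only present on one side."""
    ref, sus = build_manifest(reference), build_manifest(suspect)
    return {
        "modified": sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n]),
        "added": sorted(sus.keys() - ref.keys()),
        "missing": sorted(ref.keys() - sus.keys()),
    }


def demo() -> dict[str, list[str]]:
    # Constructed sample trees: placeholder bytes, not real Tor Browser binaries.
    with tempfile.TemporaryDirectory() as tmp:
        ref, sus = Path(tmp, "reference"), Path(tmp, "suspect")
        for root in (ref, sus):
            (root / "Browser").mkdir(parents=True)
            (root / "Browser" / "firefox.exe").write_bytes(b"constructed: same in both")
        (ref / "Browser" / "freebl3.dll").write_bytes(b"constructed: original library")
        (sus / "Browser" / "freebl3.dll").write_bytes(b"constructed: replaced library")
        (sus / "Browser" / "extra.bin").write_bytes(b"constructed: not in reference")
        return compare_install(ref, sus)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The comparison is only as trustworthy as the reference tree, so it has to match the suspect copy's version and come from a source verified independently of the download being checked.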

The malicious version of the installer installs a malicious Tor Browser that is configured to expose user data, including the browsing history and data entered into website forms. The experts also discovered that one of the libraries bundled with the malicious Tor Browser is infected with spyware.

The channel has more than 180,000 subscribers and, according to Kaspersky, the video with the malicious link had more than 64,000 views at the time of the discovery. The video was posted in January 2022, and according to Kaspersky’s telemetry, the first victims were compromised in March 2022.








