Malware disguised as Tor browser steals $400k in cryptocash

Clipboard-injector malware disguised as Tor browser installers has been used to steal about $400,000 in cryptocurrency from nearly 16,000 users worldwide so far in 2023, according to Kaspersky researchers.

While the coin-stealing attacks have hit people in 52 countries, the majority of the detections were in Russia, followed by Ukraine and the US.

The high numbers of Russian victims in this campaign is likely related to the Kremlin's ban – and subsequent censorship after lifting the outright ban – of the Tor Project.

"The Tor Project called to help keep Russian users connected to Tor to circumvent censorship," Vitaly Kamluk, head of Kaspersky's Global Research and Analysis Team for APAC, wrote in a blog about the clipper malware. "Malware authors heard the call and responded by creating trojanized Tor browser bundles and distributing them among Russian-speaking users." 

In these attacks, the targeted user downloads a borked Tor browser from a third party store that contains a password-protected RAR archive – the password helps the archive bypass security protections – and a command-line RAR extraction tool.

Once the file is downloaded, the executable – usually disguised as uTorrent or another app icon – starts as a new process and the malware gets to work. It continually scans the user's Windows clipboard data, and when it detects a cryptocurrency wallet address, it replaces that address with one controlled by the attacker.

Additionally, the malware is protected with the Enigma packer v4.0, which makes analysis more complicated. So to calculate the total losses, the threat hunters collected "hundreds" of the malware samples, unpacked them from Enigma, extracted the crypto-wallet replacement addresses and then calculated the total inputs to these wallets.

Based on this, the security shop estimates the crooks stole at least $400,000. The bulk of this amount ($381,237) was in Bitcoin, followed by Litecoin ($10,544), Ethereum ($4,853) and Dogecoin ($517).

"We believe that the actual theft is bigger because this research is focused on Tor Browser abuse," Kamluk said. "There may be other campaigns, abusing different software and using other means of malware delivery as well as other types of wallets."

• Unknown actors deploy malware to steal data in occupied regions of Ukraine
• Bogus ChatGPT extension steals Facebook cookies
• Got Conti? Here's the ransomware cure to avoid paying up
• FTX cryptovillain Sam Bankman-Fried charged with bribing Chinese officials

One way to avoid this coin-stealing campaign is to download installers from the official Tor Project, which are digitally signed and free of malware. "A mistake likely made by all victims of this malware was to download and run Tor Browser from a third party resource," Kamluk added. 

And despite being "fundamentally simple," the attack "harbors more danger than would seem," according to Kamluk. This isn't only because of the theft involved, but because the malware is passive and hard to detect via heuristics, he explained. 

Spyware, ransomware, and even illicit miners require a communication channel between the victim's device and the attacker's servers. Even worms and viruses that don't connect to command-and-control servers still generate network activity.

But, as Kamluk noted, clipboard injectors "can be silent for years, show no network activity or any other signs of presence until the disastrous day when they replace a cryptowallet address." ®