Fake Russian Version of Tor Browser Used to Steal Cryptocurrency and QIWI

Researchers from ESET have revealed that unknown attackers are distributing a malicious build of Tor Browser. The build was presented as the official Russian version of Tor Browser, although its creators had nothing to do with the Tor project; its purpose was to substitute the attackers' own Bitcoin and QIWI wallet details for those of the victim's payee.

To mislead users, the creators of the build registered the domains tor-browser.org and torproect.org (the latter differs from the official torproject.org only by the missing letter "j", which many Russian-speaking users do not notice). The design of both sites imitated the official Tor site. The first site displayed a warning that the visitor was using an outdated version of Tor Browser and offered an update (the link led to the trojanized build); the second reproduced the official Tor Browser download page. The malicious build was produced only for Windows.
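The domain trick described above (one letter dropped from torproject.org, a capital letter masking the difference) is the kind of thing a registrar-feed or certificate-transparency watcher can flag automatically. The following is an added example, not code from the article or from ESET, that normalizes a candidate domain and scores it by edit distance against a protected brand domain; the protected list, the distance threshold and the three test domains are assumptions chosen for illustration.

```python
"""Added example: flag registered domains that are one edit away from a protected domain.
Not from the article or ESET; the protected list and threshold are assumptions."""
import unicodedata

# Assumption: the only brand we protect here is the real Tor Project domain.
PROTECTED_DOMAINS = ["torproject.org"]


def normalize_domain(domain):
    """Case-fold and NFKC-normalize so 'torproJect.org' compares equal to 'torproject.org'."""
    return unicodedata.normalize("NFKC", domain.strip().rstrip(".")).lower()


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_report(candidate, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return (verdict, closest_protected_domain, distance).

    'genuine'   : exact match after normalization
    'lookalike' : within max_distance edits of a protected domain
    'unrelated' : further away (may still need keyword rules, see note below)
    """
    cand = normalize_domain(candidate)
    best = min(protected, key=lambda p: levenshtein(cand, normalize_domain(p)))
    distance = levenshtein(cand, normalize_domain(best))
    if distance == 0:
        verdict = "genuine"
    elif distance <= max_distance:
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return verdict, best, distance


if __name__ == "__main__":
    # Constructed inputs: the two domains named in the article plus the case-masked spelling.
    for d in ("torproect.org", "torproJect.org", "tor-browser.org"):
        print(d, "->", lookalike_report(d))
```

Plain edit distance catches the dropped-letter case; a domain like tor-browser.org, which borrows the product name rather than misspelling the brand domain, scores as unrelated here and needs a separate keyword rule (for example, any new registration whose label contains a protected product name).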


Since 2017, the trojanized Tor Browser has been promoted on various Russian-language forums, in discussions about the darknet, cryptocurrencies, bypassing Roskomnadzor blocking, and privacy. To spread the browser further, the attackers also created many pages on pastebin.com optimized to rank at the top of search results for topics related to various illegal activities, censorship, the names of well-known politicians, and so on. The pastebin.com pages advertising the fake browser version have been viewed more than 500 times.


The fake build was based on the Tor Browser 7.5 code base and, apart from the embedded malicious functionality and a few minor changes (an adjusted User-Agent, disabled digital signature verification for add-ons, and a blocked update mechanism), was identical to the official Tor Browser. The malicious addition consisted of a content handler attached to the bundled HTTPS Everywhere add-on (an extra script, script.js, was registered in its manifest.json). The remaining changes were made only at the settings level; all binary components were those of the official Tor Browser.

Whenever a page was opened, the script embedded in HTTPS Everywhere contacted the control server, which returned JavaScript code to be executed in the context of the current page. The control server ran as a Tor hidden service. By executing JavaScript, the attackers could intercept the contents of web forms, replace or hide arbitrary page elements, display fake messages, and so on. However, analysis of the malicious code found only the logic for substituting QIWI details and Bitcoin wallet addresses on the payment pages of darknet sites. Over the course of the campaign, 4.8 Bitcoins accumulated in the wallets used for substitution, which corresponds to approximately 40 thousand dollars.
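The two preceding paragraphs describe tampering that leaves traces in plain files: preferences that switch off add-on signature checks and the updater, and a manifest.json that registers a content script the real add-on never shipped. The following is an added example, not code from the article, ESET or the Tor Project, that audits a profile's prefs.js and compares a bundled add-on's manifest against a known-good copy. The preference names are real Firefox preferences from the ESR 52 line Tor Browser 7.5 was built on; the known-good manifest, the suspect manifest and the prefs.js excerpt are constructed for the example and are not the real add-on's contents.

```python
"""Added example: audit a Tor Browser/Firefox profile and a bundled add-on for the
tampering signs described above. All sample inputs are constructed, not real."""
import json
import re

# Real Firefox preference names; the listed values are the unsafe settings.
# Assumption for this example: a stock profile never sets either of these to false.
UNSAFE_PREF_VALUES = {
    "xpinstall.signatures.required": "false",  # add-on signature verification disabled
    "app.update.enabled": "false",             # updater disabled, so the tampered build is never replaced
}

# Matches lines such as: user_pref("app.update.enabled", false);
PREF_LINE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(prefs_text):
    """Parse prefs.js/user.js text into {pref_name: raw_value_string}."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def unsafe_prefs(prefs):
    """Names of preferences that are set to their unsafe value, sorted for stable output."""
    return sorted(name for name, bad in UNSAFE_PREF_VALUES.items() if prefs.get(name) == bad)


def content_script_files(manifest):
    """Every JS file the manifest injects into web pages through content_scripts."""
    return {js for entry in manifest.get("content_scripts", []) for js in entry.get("js", [])}


def unexpected_content_scripts(known_good_manifest, suspect_manifest):
    """Content scripts present in the suspect manifest but absent from the known-good one."""
    return sorted(content_script_files(suspect_manifest) - content_script_files(known_good_manifest))


def audit(prefs_text, known_good_manifest_json, suspect_manifest_json):
    """Run both checks and return the findings as a dict."""
    prefs = parse_prefs(prefs_text)
    good = json.loads(known_good_manifest_json)
    suspect = json.loads(suspect_manifest_json)
    return {
        "unsafe_prefs": unsafe_prefs(prefs),
        "unexpected_scripts": unexpected_content_scripts(good, suspect),
    }


# --- constructed sample data (not taken from the real bundle or the real add-on) ---
SAMPLE_PREFS = """\
// constructed prefs.js excerpt
user_pref("app.update.enabled", false);
user_pref("xpinstall.signatures.required", false);
user_pref("browser.startup.homepage_override.mstone", "ignore");
"""

KNOWN_GOOD_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "HTTPS Everywhere (constructed baseline)",
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["contentscript.js"]}],
})

# Same manifest with one extra content script registered, as the article describes.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "HTTPS Everywhere (constructed baseline)",
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["contentscript.js", "script.js"]}],
})

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_PREFS, KNOWN_GOOD_MANIFEST, SUSPECT_MANIFEST).items():
        print(f"{finding}: {items}")
```

In practice the known-good manifest comes from the add-on's signed XPI as shipped with an official Tor Browser release of the same version, and the same diff approach extends to the rest of the XPI's file list; a content script that the official package never contained is the single strongest indicator here, since the binaries themselves were untouched.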

Source: opennet.ru
