Popular YouTube Channel Distributes Infected Tor Browser Installer
Experts from Kaspersky Lab have discovered a popular Chinese-language YouTube channel being used to distribute a trojanized version of the Tor browser installer. Researchers have dubbed this campaign “OnionPoison” and report that all its victims are located in China.
Since the Tor browser is banned in China, users often rely on third-party sites to download installation files. In this case, a link to a malicious installer was posted on a popular YouTube channel dedicated to internet anonymity.
How the Attack Worked
The channel in question has over 180,000 subscribers, and the video containing the malicious link has been viewed more than 64,000 times. The video was published in January 2022, and the first victims appeared in telemetry data in March 2022. Since then, Google has removed the video for violating YouTube’s policies.
The trojanized build was configured to keep what the genuine Tor Browser discards: the full browsing history and data entered into web forms. Worse, one of the libraries shipped in the installer had been replaced with a modified copy that loaded spyware, which collected personal data from the machine and sent it to an attacker-controlled server. The same component gave the operators remote control of the infected computer, including the ability to execute shell commands.
Distribution Method
Victims most likely reached the video by searching YouTube for “Tor浏览器” (“Tor browser” in Chinese); it appeared at the top of the results. The video description contained two links: one to the official Tor website and one to the malicious installer, hosted on a Chinese cloud file-sharing service. Because the official Tor site is blocked in China, the cloud link was the only one that worked for viewers there. The modified installer would not have passed verification against the OpenPGP signature that the Tor Project publishes for every release, but nothing in the video pointed users at that check.
Technical Details of the Attack
According to the analysts, the second-stage DLL (the spyware loaded by the modified library) collected the following information from the victim’s system:
- Operating system disk volume GUID
- Computer GUID
- Computer name
- Regional settings
- Current username
- MAC addresses of network adapters
After gathering this information, the DLL began sending heartbeat messages to the command server every two minutes. Each message carried a JSON object with the collected data and was sent as a POST request to https://torbrowser[.]io/metrics/heartbeat or https://tor-browser[.]io/metrics/heartbeat. The request body was encrypted with AES-128 in ECB mode under a pseudo-randomly generated key, and that key was in turn encrypted with an RSA public key embedded in the malware’s configuration. Without the operators’ RSA private key the captured traffic cannot be decrypted, so on the network side the destination hosts and the steady two-minute cadence are what defenders have to work with.
In response to these heartbeat messages, the command server could request additional information, such as:
- Installed software
- Running processes
- Tor browser history
- Google Chrome and Edge browser history
- WeChat and QQ account IDs belonging to the victim
- SSID and MAC addresses of Wi-Fi networks the victim connected to
The collected additional information was sent to the command server with the next heartbeat message. Additionally, the server could request the execution of arbitrary shell commands on the infected computer.
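The heartbeat described above gives network defenders two things to look for even though the payload is opaque: requests to the two command-server hosts and their two-minute rhythm. The following is an added example, not code from Kaspersky’s report, that runs both checks over web-proxy logs. The log format and the sample lines are constructed for the example; only the host names and the `/metrics/heartbeat` path come from the report.

```python
"""Detect OnionPoison-style heartbeat beaconing in web-proxy logs.

Added example, not part of the original report. It flags any client that
touched the two command-server domains, and separately flags clients whose
POSTs to the heartbeat path recur at a steady interval (the report says
every two minutes). The log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Domains and path from the report (defanging brackets removed).
C2_HOSTS = {"torbrowser.io", "tor-browser.io"}
C2_PATH = "/metrics/heartbeat"

# Constructed sample log: "<ISO timestamp> <client ip> <method> <url> <status>".
# 10.0.0.12 beacons roughly every 120 s; 10.0.0.5 merely visited the
# lookalike site; 10.0.0.7 posts to an unrelated host with the same path.
SAMPLE_LOG = """\
2022-03-14T09:00:00Z 10.0.0.5 GET https://www.google.com/ 200
2022-03-14T09:00:05Z 10.0.0.12 POST https://torbrowser.io/metrics/heartbeat 200
2022-03-14T09:01:10Z 10.0.0.5 GET https://torbrowser.io/ 200
2022-03-14T09:02:05Z 10.0.0.12 POST https://torbrowser.io/metrics/heartbeat 200
2022-03-14T09:04:06Z 10.0.0.12 POST https://tor-browser.io/metrics/heartbeat 200
2022-03-14T09:06:04Z 10.0.0.12 POST https://torbrowser.io/metrics/heartbeat 200
2022-03-14T09:07:30Z 10.0.0.7 POST https://example.org/metrics/heartbeat 200
2022-03-14T09:08:05Z 10.0.0.12 POST https://torbrowser.io/metrics/heartbeat 200
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, client, method, url, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
    }


def events(log_text):
    """Yield parsed events, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def c2_contacts(log_text):
    """Clients that contacted a C2 host at all. Even a GET to the lookalike
    front page is worth a look, since the same domains served the heartbeat."""
    return {ev["client"] for ev in events(log_text)
            if urlsplit(ev["url"]).hostname in C2_HOSTS}


def is_c2_heartbeat(ev):
    """True for a POST to the heartbeat path on one of the C2 hosts."""
    u = urlsplit(ev["url"])
    return ev["method"] == "POST" and u.hostname in C2_HOSTS and u.path == C2_PATH


def heartbeat_intervals(log_text):
    """Map each client to the seconds between its consecutive heartbeats."""
    times = defaultdict(list)
    for ev in events(log_text):
        if is_c2_heartbeat(ev):
            times[ev["client"]].append(ev["ts"])
    return {client: [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            for client, ts in ((c, sorted(t)) for c, t in times.items())}


def find_beacons(log_text, expected=120.0, tolerance=0.1, min_hits=3):
    """Flag clients whose heartbeats recur within `tolerance` of `expected`
    seconds. The median is used so one delayed beacon does not hide the rest."""
    flagged = {}
    for client, gaps in heartbeat_intervals(log_text).items():
        hits = len(gaps) + 1
        if hits < min_hits:
            continue
        med = median(gaps)
        if abs(med - expected) <= tolerance * expected:
            flagged[client] = {"hits": hits, "median_interval": med}
    return flagged


if __name__ == "__main__":
    print("contacted C2 hosts:", sorted(c2_contacts(SAMPLE_LOG)))
    print("periodic beacons:", find_beacons(SAMPLE_LOG))
```

The host match alone is the high-confidence indicator here; the interval check is what lets the same logic carry over to a retooled sample that moves to new domains, since a fixed heartbeat period survives a domain change. Feed `find_beacons` a different `expected` value when the cadence is known to differ.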
Imitation of the Official Tor Site
The researchers noted one further detail: the domains used as command servers also hosted web pages that were visually identical to the official Tor Browser site, and the download buttons on those pages pointed at the legitimate Tor website rather than at the trojanized installer. A victim who went looking for the site behind the traffic would therefore have found nothing obviously wrong.
Focus on Personal Data
Unlike most stealers, OnionPoison modules did not automatically collect passwords, cookies, or wallet data. Instead, they stole information that could reveal a lot about the victim’s identity: browser history, social media account IDs, and Wi-Fi network data. Experts believe the attackers may have searched the collected browser histories for signs of illegal activity, contacted victims via social networks, and threatened to report them to authorities.