Security analysts at Kaspersky have spotted an ongoing malware distribution campaign leveraging modified Tor Browser installers that siphon user browsing data and execute commands on their systems.
The unsigned installers, hosted on a cloud service, are promoted by an anonymity-focused YouTube channel with over 180,000 subscribers, while the particular video that pushes the malicious Tor build has 64,000 views.
The earliest infections were detected by Kaspersky’s security products in March 2022, primarily focusing on Chinese users who seek unofficial Tor distribution channels due to a government ban on the anonymous browser.
Tor directs internet traffic through a volunteer overlay network, masking the user’s IP address and maintaining browsing anonymity while helping bypass internet censorship, both crucial issues for Chinese netizens.
The malicious version promoted to these users looks identical to the genuine Tor Browser, but it’s configured to record browsing history and log anything typed on website forms.
Below is a screenshot of the particular YouTube video.
Video promoting the malicious TOR installer by linking to a download site in the description
Additionally, the custom browser caches pages on the disk, stores extra session data from websites, and has auto-filling of login data enabled by default.
While these may seem like innocuous tweaks to make this custom version of Tor more comfortable to use, the fact that the malware phones home to a command-and-control (C2) server with POST requests is a clear indication of its nefarious objectives.
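The behaviour described above (history recorded, pages cached on disk, session data kept, logins auto-filled) is the reverse of Tor Browser's shipped privacy settings, so one defensive check is to audit a profile's prefs.js for those settings having been flipped. The following is an added example, not code from Kaspersky or the Tor Project; the pref names are real Firefox preferences, but the "expected" values are my assumption of Tor Browser's defaults, and the prefs.js excerpt is constructed.

```python
import re

# Assumed Tor Browser hardening defaults (real Firefox pref names; the expected
# values are an assumption, not taken from the report). Each corresponds to a
# behaviour the trojanised build is described as reversing.
EXPECTED_PREFS = {
    "browser.privatebrowsing.autostart": True,   # always-private: no history kept
    "places.history.enabled": False,             # do not record browsing history
    "browser.cache.disk.enable": False,          # do not cache pages on disk
    "browser.sessionstore.privacy_level": 2,     # do not store extra session data
    "browser.formfill.enable": False,            # no form-field history
    "signon.rememberSignons": False,             # no saved / auto-filled logins
}

# Matches: user_pref("name", value);  where value is "string", integer or true/false
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse prefs.js text into {name: bool | int | str}; non-pref lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def find_deviations(prefs):
    """Return {pref: (expected, actual)} for settings weakened relative to the
    assumed defaults. A pref absent from prefs.js inherits the browser default
    and is therefore not reported."""
    return {name: (want, prefs[name])
            for name, want in EXPECTED_PREFS.items()
            if name in prefs and prefs[name] != want}

# Constructed prefs.js excerpt resembling a tampered profile (not a real sample).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.cache.disk.enable", true);
user_pref("browser.privatebrowsing.autostart", false);
user_pref("places.history.enabled", true);
user_pref("signon.rememberSignons", true);
user_pref("browser.sessionstore.privacy_level", 0);
user_pref("browser.formfill.enable", false);
user_pref("network.proxy.socks_port", 9150);
"""

if __name__ == "__main__":
    for name, (want, got) in find_deviations(parse_prefs(SAMPLE_PREFS_JS)).items():
        print(f"WEAKENED {name}: expected {want!r}, found {got!r}")
```

Running it against a real profile means reading the profile's prefs.js into `parse_prefs`; five of the six constructed settings are reported as weakened, while the unchanged `browser.formfill.enable` is not.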
The C2 domain dubs as a clone of the real