Functional Tor browser replica has malware that steals Bitcoins

posted about 2 months ago
A trojanized knock-off of Tor Browser, distributed by cybercriminals to steal Bitcoin from darknet market buyers, netted its operators 4.8 BTC. It was served from the look-alike domains "tor-browser[.]org" and "torproect[.]org" (the real Tor website is torproject.org). In 2017 the criminals promoted the trojanized browser's pages through spam messages on various Russian forums. In 2018 they used pastebin.com to generate large numbers of pastes optimized for search engines, so that they ranked highly for terms covering drugs, cryptocurrency, censorship bypass and the names of Russian politicians. The header of one paste translates to English as "BRO, download Tor Browser so the cops won't watch you…"

The trojanized Tor Browser is a fully functional application; the criminals changed only the default browser settings and some of the bundled extensions. The most important change is to the xpinstall.signatures.required setting, which disables the digital signature check for installed Tor Browser add-ons and so lets a modified, unsigned extension load. This atypical form of malware is designed to steal Bitcoin from visitors to darknet markets. The criminals did not modify any binary components of Tor Browser; instead they altered settings and the HTTPS Everywhere extension. Because no binary was changed, the tampering went unnoticed and the Bitcoin theft continued for years.
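The setting change described above is visible in the browser profile itself. The following is an added example (not code from the article or from the researchers it reports on) that parses Firefox-style preference lines of the form user_pref("name", value); as found in a profile's prefs.js or user.js, and flags the weakened setting. The only setting it checks, xpinstall.signatures.required, is the one the article names; its expected value of true and the two sample preference files are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Union

PrefValue = Union[bool, int, str]

# Firefox-family preference files contain lines such as:
#   user_pref("xpinstall.signatures.required", false);
# Lines that do not match this shape (comments, blanks) are ignored.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

# Settings whose expected value in an untampered profile we assume here.
# The article names only xpinstall.signatures.required; extend this dict
# with other settings you consider security-relevant for your own audit.
EXPECTED: Dict[str, PrefValue] = {
    "xpinstall.signatures.required": True,  # add-on signature check enforced
}


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return a name -> value mapping for every pref line in `text`."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            value: PrefValue = True
        elif raw == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # unknown literal form; keep the raw text
        prefs[name] = value
    return prefs


def audit_prefs(text: str) -> List[str]:
    """Return one finding per setting whose value differs from EXPECTED.

    A setting that is absent from the file is treated as still at the
    browser default, which for the checked prefs we assume is the expected
    value; only an explicit override is reported.
    """
    prefs = parse_prefs(text)
    findings: List[str] = []
    for name, expected in EXPECTED.items():
        actual = prefs.get(name, expected)
        if actual != expected:
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    return findings


# Constructed sample files for the example (not real profile contents).
TAMPERED_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("xpinstall.signatures.required", false);
user_pref("extensions.lastAppVersion", "8.0.7");
"""

CLEAN_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("extensions.lastAppVersion", "8.0.7");
"""


if __name__ == "__main__":
    for label, text in (("tampered", TAMPERED_PREFS), ("clean", CLEAN_PREFS)):
        findings = audit_prefs(text)
        print(f"{label}: {findings if findings else 'no findings'}")
```

Run the script against a profile directory's prefs.js (and user.js, if present) to get the same kind of report; the check is deliberately limited to explicit overrides, because a profile that never mentions the setting is still running with the build's default.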
Tags: bitcoin, blockchain, news