Kaspersky exposes "poisoned" Tor Browser that tracks Chinese users' browsing history and location; be wary of everything shared by the rogue YouTube channel "Tool Master i"

Screenshot of YouTube video with malicious Tor Browser download link (Kaspersky)

A modified version of the Tor Browser has been collecting sensitive data from Chinese users since at least March, and possibly as early as January, including browsing history, form data, computer names and locations, user names and the MAC addresses of network adapters, the cybersecurity firm Kaspersky said on Tuesday.

A link to a malicious Tor Browser installer (hosted on the lanzou cloud file-sharing service) is included in the description below a video posted on a Chinese-language YouTube channel called "Tool Master i". The channel has more than 180,000 subscribers and the video has been viewed more than 64,000 times, Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin said in findings released on Tuesday.

Kaspersky said the "Tool Master i" channel uploaded the video in January 2022, and its researchers began seeing victims in their telemetry in March, after noticing clusters of downloads of the malicious Tor Browser installer.

Kaspersky's analysis of "OnionPoison"

Kaspersky researchers have dubbed the campaign "OnionPoison", a reference to the tampered ("poisoned") build of software based on The Onion Router. Tor, The Onion Router, is an anonymity network originally developed at the U.S. Naval Research Laboratory, and the legitimate Tor Browser is built on it.

The malicious installer deploys a backdoored version of the Tor Browser that bundles a spyware library designed to collect personal data and send it to an attacker-controlled server; the attackers can also execute shell commands on the victim's machine, the researchers said.

Isabela Fernandes, executive director of the nonprofit Tor Project, which deployed a server-side fix on Tuesday, told CyberScoop:

"Basically, this 'poisoned' Tor browser modifies the update URL, so it doesn't update properly," she said. "What we did was add a redirect so that we respond to the modified URL so that people would update. Now they have a URL that is a valid update URL."

The researchers said it is unclear who is behind the campaign, but it clearly targets Chinese users: the command-and-control server checks the victim's IP address and only delivers the malware to IPs in China. In addition, the video description also includes a link to the legitimate Tor Browser download, but because the Tor Project's sites are blocked in China, users are more likely to click the lanzou cloud link beneath it, which leads to the downloadable files hosted on that third-party file-sharing site.

Interestingly, the modified browser does not automatically collect passwords, cookies or wallets; instead it focuses on browsing history, social-network account IDs and Wi-Fi networks, the researchers said.

According to Kaspersky's analysis, the "OnionPoison" build of Tor Browser is configured to save browsing history, enable the on-disk page cache, store login credentials and keep additional session data for visited websites. The data collected and sent back to the attacker includes installed software, websites visited in Tor Browser, Chrome and Edge, the user's WeChat and QQ account IDs, and the SSIDs and MAC addresses of Wi-Fi networks the victim is or has been connected to.

The researchers write, "Attackers can search the leaked browser history for traces of illegal activity, contact victims through social networks, and threaten to report them to the government."

Historically there have been multiple maliciously tampered versions of the Tor browser

Cybercriminals and nation-state hackers have deployed modified versions of the Tor Browser several times in the past. In 2019, researchers at the Slovakian cybersecurity firm ESET reported a trojanized Tor Browser designed to steal cryptocurrency from Russian speakers. In an earlier case, in 2014, Russian-linked hackers used a malicious Tor exit node to deliver malware known as OnionDuke.

The Federal Bureau of Investigation has also been accused of working with contractors and, possibly, university researchers to modify Tor software or exploit zero-day vulnerabilities in order to unmask Tor users and investigate dark-web child sexual abuse sites (a claim the FBI vaguely denied at the time).

The researchers said the best way to avoid "OnionPoison" is to download Tor Browser from the official website. If that is not possible and you must download it from a third-party site, check the installer's digital signature to verify its authenticity: a legitimate installer should carry a valid signature, and the company name in its certificate should match the software's developer.

YouTube channel "Tool Master i" spreads "OnionPoison"

Kaspersky said that in the case of "OnionPoison", the link to the malicious Tor installer was posted on a popular Chinese YouTube channel dedicated to anonymity on the Internet. The channel has more than 180,000 subscribers, and the video with the malicious link has been viewed more than 64,000 times.

As seen in Kaspersky's screenshot of the video, the malicious YouTube channel is called "Tool Master i" and has the following address:

The video (https://www.youtube.com/watch?v=qob8gqQ2_3k), titled "2022 Newest Dark Web Access Method! What is the dark web, how to use circumvention ('scientific internet') tools to access the dark web, how to enter the dark web in 2022 丨dark web URL 丨dark web 2022 丨By Tool Master i", has since been removed by YouTube for violating its Community Guidelines (This video has been removed for violating YouTube's Community Guidelines) and can no longer be viewed. According to the third-party analytics site NoxInfluencer (https://cn.noxinfluencer.com/youtube/video-analytics/qob8gqQ2_3k), it was posted on January 9, 2022 and had 60,600 views. The lanzou cloud address hosting the malware is: https://wwi.lanzouo.com/i6iLaym6fsf.

This is also not the first time the channel has distributed a modified Tor Browser: Dark Web Under/AWX found an earlier video from the channel (https://www.youtube.com/watch?v=0nwDOd_xl3Y), titled "2020 Latest Dark Web Login Method Tutorial: which is the fastest and best way to use? With Tor Onion Browser, SSR and Vray circumvention tools! Maximize your internet privacy!". It was set to private (This video is private) as of noon BST on October 5, 2022 and is likewise no longer viewable, but according to NoxInfluencer (https://cn.noxinfluencer.com/youtube/video-analytics/0nwDOd_xl3Y) it was posted on November 28, 2020 and had 78,200 views. The lanzou cloud address hosting the malware is: https://www.lanzoui.com/i5cDbix01if.

According to the channel's statistics, "Tool Master i" was created on November 18, 2018, is registered in Hong Kong, has more than 180,000 subscribers and has published a total of 166 videos with more than 11 million views.

However, since Kaspersky's disclosure, a visit to the channel shows that only 79 videos remain public, with nearly 90 set to "private". The hidden videos are mostly the channel's releases of VPN tools, accelerators, wall-circumvention tools, mining tools and the like. Where the tool is an .exe, nearly every video links to a lanzou cloud download; Android apps are offered as APK downloads, and iOS apps via testflight.apple.com. Given this pattern, any tool distributed by the channel should be assumed to be backdoored, so be wary of everything it shares.

Kaspersky's analysis of the malicious Tor Browser

The malicious Tor Browser installer is named torbrowser-install-win64-11.0.3_zh-CN.exe. Its user interface is identical to that of the original installer, but the malicious installer is not digitally signed. Kaspersky said that, according to its tests, a victim of "OnionPoison" must be located in China, because the C2 server checks whether the victim machine's public IP address is Chinese before delivering the payload.
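To put the earlier advice about checking an installer's digital signature into practice, and to reproduce offline the observation that the OnionPoison installer is unsigned, here is an added Python example that is not part of Kaspersky's analysis or the Tor Project's tooling. It parses a PE file's headers and reports whether the image carries an Authenticode certificate table at all. The minimal PE images it builds for demonstration are constructed test data, not real installers.

```python
import struct

# Index of the Certificate Table (Authenticode) entry in the PE optional
# header's data directory, per the PE/COFF specification.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def authenticode_info(pe_bytes):
    """Locate the Certificate Table data directory of a PE image.
    Returns (offset, size) of the WIN_CERTIFICATE blob, or (0, 0) when the
    file carries no Authenticode signature. Raises ValueError on non-PE input.
    Unlike other directories, this entry holds a raw file offset, not an RVA."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER is 20 bytes; the optional header follows it.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        num_rva_off, dd_offset = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        num_rva_off, dd_offset = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_rva = struct.unpack_from("<I", pe_bytes, num_rva_off)[0]
    if len(pe_bytes) < dd_offset + 8 * num_rva:
        raise ValueError("truncated optional header")
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    entry = dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", pe_bytes, entry)
    return (offset, size)


def is_signed(pe_bytes):
    """True if the image has a non-empty certificate table (presence only)."""
    offset, size = authenticode_info(pe_bytes)
    return offset != 0 and size != 0


def build_minimal_pe(signed):
    """Constructed minimal PE32+ header (not a runnable executable) used to
    demonstrate the check offline; 'signed' attaches a placeholder cert blob."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 112 + 16 * 8
    # Machine=AMD64, SizeOfOptionalHeader, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    file_header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)    # NumberOfRvaAndSizes
    body = dos + b"PE\0\0" + file_header + opt
    if signed:
        cert = b"\x00" * 16  # placeholder WIN_CERTIFICATE bytes (constructed)
        entry = e_lfanew + 4 + 20 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", body, entry, len(body), len(cert))
        body += cert
    return bytes(body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # e.g. torbrowser-install-win64-11.0.3_zh-CN.exe
            data = f.read()
    else:
        data = build_minimal_pe(False)
    print("signed" if is_signed(data) else "UNSIGNED: no Authenticode certificate table")
```

An unsigned installer, like the OnionPoison one, fails this check immediately. A present certificate table is only a necessary condition: the signature must still be validated against a trusted chain, for example with `signtool verify /pa /v` or PowerShell's `Get-AuthenticodeSignature`, and the subject name compared with the developer (the Tor Project), which is what the advice above asks for. The Tor Project also publishes detached OpenPGP signatures (.asc files) for each download that can be checked with `gpg --verify`.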

The attackers reduced the privacy of the malicious Tor Browser by modifying the \defaults\preferences\000-tor-browser.js configuration file stored in the browser\omni.ja archive, configuring the browser to:

Store browsing history.
Enable on-disk page caching.
Enable automatic form filling and memory of login data.
Store additional session data for the website.
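As an added illustration, not taken from Kaspersky's report or from the Tor Project, the following Python script audits a 000-tor-browser.js prefs file, or the copy inside an omni.ja archive, against the privacy defaults that the list above says OnionPoison flipped. The pref names and baseline values are the standard Firefox/Tor Browser preferences that correspond to those four settings and are assumed here rather than copied from a specific Tor Browser release; the sample inputs are constructed.

```python
import io
import re
import zipfile

# Assumed hardening baseline of the legitimate Tor Browser (Firefox pref names
# for the four settings the text says were flipped; not copied from a release).
EXPECTED_PREFS = {
    "places.history.enabled": False,          # do not store browsing history
    "browser.cache.disk.enable": False,       # no on-disk page cache
    "browser.formfill.enable": False,         # no form autofill
    "signon.rememberSignons": False,          # do not remember logins
    "browser.sessionstore.privacy_level": 2,  # no extra session data for sites
}

# Matches pref("name", value); lines, including lockPref/defaultPref variants.
PREF_RE = re.compile(
    r'^\s*(?:pref|lockPref|defaultPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);', re.M)


def parse_prefs(js_text):
    """Parse a Firefox-style prefs file into {name: value}; values are decoded
    as bool/int/str and anything else is kept as its raw text."""
    prefs = {}
    for name, raw in PREF_RE.findall(js_text):
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            value = raw
        prefs[name] = value
    return prefs


def audit_prefs(js_text, expected=EXPECTED_PREFS):
    """Return {pref: (expected, actual)} for every baseline pref that is
    missing or set to a privacy-reducing value; empty dict means clean."""
    actual = parse_prefs(js_text)
    findings = {}
    for name, want in expected.items():
        got = actual.get(name, "<missing>")
        if got != want:
            findings[name] = (want, got)
    return findings


def audit_omni_ja(path_or_fileobj, member="defaults/preferences/000-tor-browser.js"):
    """Open omni.ja (ZIP format) and audit the prefs file inside it. Real omni.ja
    files use Mozilla's optimized JAR layout; if zipfile refuses one, extract
    the member with `unzip` first and call audit_prefs on it."""
    with zipfile.ZipFile(path_or_fileobj) as zf:
        return audit_prefs(zf.read(member).decode("utf-8", "replace"))


# Constructed sample inputs (not real Tor Browser files).
GENUINE_JS = '''
pref("places.history.enabled", false);
pref("browser.cache.disk.enable", false);
pref("browser.formfill.enable", false);
pref("signon.rememberSignons", false);
pref("browser.sessionstore.privacy_level", 2);
'''

TAMPERED_JS = '''
pref("places.history.enabled", true);
pref("browser.cache.disk.enable", true);
pref("browser.formfill.enable", true);
pref("signon.rememberSignons", true);
pref("browser.sessionstore.privacy_level", 0);
'''


def build_sample_omni_ja(js_text):
    """Build an in-memory ZIP standing in for browser/omni.ja (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("defaults/preferences/000-tor-browser.js", js_text)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, js in (("genuine", GENUINE_JS), ("tampered", TAMPERED_JS)):
        findings = audit_omni_ja(build_sample_omni_ja(js))
        print(label, "->", "clean" if not findings else findings)
```

Run it against a suspect installation's browser\omni.ja; a clean build yields no findings, while a build altered as described above reports every flipped preference with its expected and actual value. A missing pref is reported as well, since removing the hardening line has the same effect as setting it to Firefox's permissive default.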

When the malicious Tor Browser starts, it pseudo-randomly selects one of a fixed list of C2 server URLs and sends a POST request to it.

The malicious DLL, which is only delivered to Chinese users, collects the following system information:

The GUID of the operating system disk volume.
The machine GUID.
Computer name.
Computer language environment.
The current user name.
The MAC address of the network adapter.

On request from the C2 server, it additionally collects:

Installed software.
Running processes.
Tor Browser history.
Google Chrome and Edge history.
WeChat and QQ accounts belonging to the victim.
SSID and MAC address of the Wi-Fi network to which the victim is connected.

From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.
