Russian Tor exit node, which was claimed to be patching binary files, is actually distributing a malware program to launch The malicious, which was claimed to be patching binary files, is actually distributing a malware program to launch cyber-espionage attacks against European government agencies.





The group behind the rogue Tor exit node had likely been infecting files for more than a year, causing victims to download and install a backdoor file that gave hackers full control of their systems.





Last month Josh Pitts of Leviathan Security Group uncovered a malicious Tor exit node that wraps Windows executable files inside a second, malicious Windows executable. But when Artturi Lehtiö of F-Secure carried out an in-depth research, he found that the exit node was actually linked to the notorious Russian APT family MiniDuke

MiniDuke" previously infected government agencies and organizations in more than 20 countries via a " previously infected government agencies and organizations in more than 20 countries via a modified Adobe PDF email attachment . MiniDuke malware is written in assembly language with its tiny file size (20KB), and uses hijacked Twitter accounts for Command & Control and incase twitter accounts are not active, the malware located backup control channels via Google searches.

The rogue Russian exit node identified by Pitts was banned from the Tor network, but the new research carried out by F-Secure has revealed that the malicious Tor exit node is specifically being used to plant a new variant of the MiniDuke advanced persistent threat (APT) malware which the researcher has dubbed 'OnionDuke'.





OnionDuke is a completely different malware family, but some of its command and control (C&C) servers were registered by the same miscreant that obtained MiniDuke C&C servers.

"This strongly suggests that although OnionDuke and MiniDuke are two separate families of malware, the actors behind them are connected through the use of shared infrastructure," the F-Secure researchers said in a blog post Friday.

The malware has ability to steal login credentials and system information from the machines it infected, along with ability to evade from antivirus. But the main component of the malware is to download additional pieces of malware onto the infected computer.





Besides spreading through the Tor node, the malware also spread through other, undetermined channels. "During our research, we have also uncovered strong evidence suggesting that OnionDuke has been used in targeted attacks against European government agencies, although we have so far been unable to identify the infection vector(s)," the F-Secure post stated.

"Interestingly, this would suggest two very different targeting strategies. On one hand is the 'shooting a fly with a cannon' mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT [advanced persistent threat] operations."

The rogue Tor node infects uncompressed executable files passing through unencrypted traffic. The researcher said that whenever a victim tries to download a file via the malicious Tor exit node, they actually receive an executable "wrapper" that added a second executable. Using a separate wrapper, the miscreants could bypass any integrity checks, might present in the original executable.

"Upon execution, the wrapper will proceed to write to disk and execute the original executable, thereby tricking the user into believing that everything went fine. However, the wrapper will also write to disk and execute the second executable."

Those users who use Tor anonymity network and download executable from an HTTPS-protected server and those using a virtual private network were not affected by the malware.



Also users who installed only those apps that were digitally signed by the developer would likely be safe. Although no assurance can be guaranteed to the users because it's not difficult for hackers to compromise legitimate signing keys and use them to sign malicious packages.