A new report has revealed that a trojanized fake Tor Browser has been quietly spying on and stealing Bitcoin from unwary Darknet users for years.

Aimed at Russian Darknet users, the malware is being spread through two separate websites claiming to be distributors of the “official” Russian-language version of the popular anonymous web browser.

According to malware researchers at cybersecurity firm ESET, the trojanized Tor Browser appears to be specifically targeting users of three of the largest Russian-speaking Darknet markets.

When a user visits the first website – torproect[.]org (note the missing ‘j’) – they receive an alert that their Tor Browser is out of date.

The alert roughly translates to “Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button ‘Update’”

Clicking on the button takes the user to a second website – tor-browser[.]org – where the Windows .exe file for the trojanized Tor Browser will automatically begin downloading.

Once installed, the browser allows the hackers to spy on users’ web activity, scrape form data, and – as it turns out – steal their bitcoins.

“During our investigation, we identified three Bitcoin wallets that have been used in this campaign since 2017,” said ESET senior malware researcher Anton Cherepanov.

“Each such wallet contains relatively large numbers of small transactions; we consider this a confirmation that these wallets indeed were used by the trojanized Tor Browser.”

Based on these transactions, the hackers have stolen a total of 4.8 BTC over time, worth approximately US$40,000 at current prices.

Cherepanov notes that the total amount stolen is likely far higher, however, because the trojanized Tor Browser also targets QIWI wallets.

QIWI is a popular Russian digital payments provider that boasts more than 20 million users.

How the trojanized Tor Browser works

Rather than altering the browser’s source code, which likely would have been detected by malware scanners, the hackers use the unaltered source files of Tor Browser 7.5 and change several browser settings and extensions through extension-overrides.js.

Specifically, browser updates are disabled, as are digital signature checks for installed browser add-ons.

The latter means that the hackers can modify any Tor Browser add-on and it will be loaded by the browser without alerting the user that it has been altered.

The default User-Agent is also changed to a very specific hard-coded value that allows the hackers to detect when the trojanized Tor Browser is being used.
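The three settings changes described above can be checked for in an installed browser's preference files. The following Python is an added example, not code from ESET or the Tor Project: the preference names are standard Firefox prefs assumed here (the article does not name them), the function names are hypothetical, and the sample file contents are constructed.

```python
import re

# pref("name", value); or user_pref("name", value); one statement per line.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$', re.M)

# Assumed pref names: standard Firefox prefs, not quoted in the article.
DISABLED_IS_BAD = {
    "app.update.enabled": "browser updates",
    "extensions.update.enabled": "add-on updates",
    "xpinstall.signatures.required": "add-on signature checks",
}
UA_PREF = "general.useragent.override"

def parse_value(raw):
    """Convert a raw pref literal to bool, str or int where possible."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw

def parse_prefs(text):
    """Return {name: value}; later lines override earlier ones."""
    return {n: parse_value(v) for n, v in PREF_RE.findall(text)}

def audit(prefs, baseline_ua=None):
    """List findings; baseline_ua is the value from a known-good install."""
    findings = [f"{name}=false: {what} disabled"
                for name, what in DISABLED_IS_BAD.items()
                if prefs.get(name) is False]
    ua = prefs.get(UA_PREF)
    if ua is not None and ua != baseline_ua:
        findings.append(f"{UA_PREF} differs from baseline: {ua!r}")
    return findings

# Constructed sample; values are not taken from the ESET report.
SAMPLE = '''// extension-overrides.js (constructed)
pref("app.update.enabled", false);
pref("extensions.update.enabled", true);
pref("xpinstall.signatures.required", false);
pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:0.0) Example/0.0");
'''

if __name__ == "__main__":
    for finding in audit(parse_prefs(SAMPLE), baseline_ua="known-good UA here"):
        print(finding)
```

Pass the User-Agent value from a copy downloaded from the official site as `baseline_ua`, so that only a deviation from the genuine build is reported.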

The HTTPS Everywhere add-on that comes packaged with the browser has also been modified to inject a JavaScript file into every webpage the user views.

This script notifies the C&C server – the computer that the hackers use to send commands to and receive data from infected systems – of the current web address being viewed and downloads a JavaScript payload.

The payload allows the hackers to interact with the webpage the user is currently viewing, giving them the ability to scrape data, modify content on the page, and perform other actions.

In this case, when a user goes to one of the three targeted darknet markets to add funds to their account, the trojanized Tor Browser automatically swaps the Bitcoin or QIWI wallet address for one controlled by the hackers.

How to protect yourself

As with most things cybersecurity-related, vigilance plays a key role in protecting yourself. Scan your system and your downloads regularly for trojans, viruses, and other malware, and be sure you know where you are downloading your files from.

Bookmarking the sites you routinely use can help protect against accidentally going to fake versions of websites that could download and install malware on your system without your knowledge.

In the case of the trojanized Tor Browser, all legitimate Tor Browser versions can be found on the project’s official website – https://www.torproject.org.

Translated versions of the Tor Browser are available in 30 different languages, which can be downloaded from https://www.torproject.org/download/languages/.