The Slovakian software security firm ESET originally discovered a trojanized Tor Browser and says it has been stealing cryptocurrency since 2017. Spam messages delivered from two domains are have been used to promote the trojanized variant. The domains hosting the websites that promote the malicious Tor Browser were created in 2014 and appear very legitimate to a speaker of the Russian language; those domains are listed below:
- torproect[.]org – for Russian-speaking visitors, the missing “j” may have been confused in translation.
These websites were also promoted on Russian-language online forums. The malicious browser automatically swaps the victims’ crypto addresses to those of the criminals after it is installed. When visiting the pages, the design looks slightly similar to the Tor Project’s official site and a Russian-language warning is presented to the visitor that translates to “Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button ‘Update.’” The malware is downloaded if the user clicks the update button. Further research conducted by ESET revealed that the malware has only been distributed for Windows thus far and that there haven’t been any versions for Linux, macOS, or mobile yet. It is believed that there are three wallets that have been receiving the stolen Bitcoin, with the total amount being around 4.8 BTC or roughly $38,000 USD at the time of this writing. In addition to Bitcoin, the perpetrators have also been stealing funds by altering QIWI wallets.