OnionPoison – Hackers Distribute Malicious Tor Browser Installer Via Famous YouTube Channel

by Esmeralda McKenzie
Security researchers at Kaspersky Lab have detected a malicious version of the Windows installer for the Tor Browser being distributed through a popular Chinese-language YouTube channel.

The security experts at Kaspersky have dubbed this malicious campaign “OnionPoison”. The campaign has affected a large number of people living in China, since the threat actors targeted victims from China only.

For now, it is unclear how large the attack was. However, Kaspersky Lab detected telemetry evidence of victims in March 2022.

Malicious YouTube Channel

A link to the malicious Tor Browser installer is present in the description of a video, and following it leads to the malicious application being downloaded. The threat actors uploaded this video to YouTube on January 9, 2022.

So far the video has received more than 64,500 views on YouTube, and the channel on which it was uploaded has 181,000 subscribers. In addition, the security experts have stated that this malicious YouTube channel is based in Hong Kong.

The primary motive behind this attack is the ban on the Tor web browser in China. Because of this, the threat actors use YouTube as a way to trick unsuspecting users into downloading the rogue variant of the Tor Browser (“Tor浏览器”) when they search for it on the video-sharing site.

Figure: OnionPoison infection chain

The video contains two links that can be found in the video's description. The first link redirects the user to the official website of the Tor Browser. The second link, on the other hand, redirects users to a malicious Tor Browser installer executable (74MB).


Since the Tor browser is banned in China, to get users to download the malicious version of the Tor browser the threat actors redirect them to a Chinese cloud-sharing service where they host this rogue version.

This malicious installer executable is designed to do the following things on the infected machine of the user:-

  • Store the browsing history
  • Enable caching of pages on disk
  • Enable automatic form filling and memorization of login data
  • Store extra session data for websites

This is accomplished by the malicious freebl3.dll library infecting the machine with a payload that contains the spyware, which is retrieved from a remote server once a connection with that server has been established.

The most interesting condition is that the IP address of the victim must originate from China for the attack to succeed. Moreover, there is the possibility of the spyware module exfiltrating the following data:-
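The four settings listed above are ordinary Firefox preferences that a clean Tor Browser keeps in their privacy-preserving state, so a defender can audit a suspect profile by reading its prefs.js and comparing those keys against a hardened baseline. The following script is an added example written for this article; it is not code from the article, from Kaspersky, or from the Tor Project. The preference names are the real Firefox keys that govern each listed behaviour, but the baseline values, the rule that a key absent from prefs.js is treated as still at its safe default, and the two sample prefs.js files are this example's own assumptions and constructions.

```python
"""Audit a Tor Browser profile's prefs.js for the privacy settings the
OnionPoison installer is reported to weaken (added example, not from the
article).  Run with:  python audit_prefs.py [path/to/prefs.js]"""
import re
import sys
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# Hardened baseline (assumption: what a clean Tor Browser profile keeps).
# Each key is the Firefox preference that controls one item in the article's list.
EXPECTED_PREFS: Dict[str, PrefValue] = {
    "places.history.enabled": False,          # "store the browsing history"
    "browser.cache.disk.enable": False,       # "enable caching of pages on disk"
    "browser.formfill.enable": False,         # "automatic form filling"
    "signon.rememberSignons": False,          # "memorization of login data"
    "browser.sessionstore.privacy_level": 2,  # "store extra session data" (2 = store none)
}

# prefs.js lines look like:  user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_pref_value(raw: str) -> PrefValue:
    """Convert the literal on the right-hand side of a user_pref() call."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw  # unknown literal shape: keep it verbatim for the report


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse a prefs.js body; comments and non-matching lines are ignored."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = parse_pref_value(m.group(2))
    return prefs


def audit_prefs(prefs: Dict[str, PrefValue]) -> List[Tuple[str, PrefValue, PrefValue]]:
    """Return (pref, expected, actual) for every baseline key that was weakened.
    Assumption: a key absent from prefs.js is still at its built-in default,
    which for these keys is the hardened value, so it is not reported."""
    findings = []
    for name, expected in EXPECTED_PREFS.items():
        actual = prefs.get(name, expected)
        if actual != expected:
            findings.append((name, expected, actual))
    return findings


# Constructed sample: a profile whose settings were flipped the way the article describes.
TAMPERED_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("places.history.enabled", true);
user_pref("browser.cache.disk.enable", true);
user_pref("browser.formfill.enable", true);
user_pref("signon.rememberSignons", true);
user_pref("browser.sessionstore.privacy_level", 0);
"""

# Constructed sample: a profile that keeps the hardened values.
CLEAN_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("browser.sessionstore.privacy_level", 2);
"""


def main() -> None:
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = TAMPERED_PREFS_JS  # no path given: audit the constructed sample
    findings = audit_prefs(parse_prefs(text))
    if not findings:
        print("OK: all audited privacy preferences match the hardened baseline")
    for name, expected, actual in findings:
        print(f"WEAKENED {name}: expected {expected!r}, found {actual!r}")


if __name__ == "__main__":
    main()
```

Run against the constructed tampered sample it reports all five keys as weakened and against the clean sample it reports nothing; pointed at a real profile directory's prefs.js it gives a quick first signal that a Tor Browser installation has been reconfigured, which a DLL integrity check of the installation directory would then complement.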

  • List of installed software
  • List of running processes
  • Google Chrome and Edge history
  • SSIDs and MAC addresses of Wi-Fi networks
  • Victims’ WeChat account IDs
  • Victims’ QQ account IDs

Here the most remarkable thing is that the malicious C&C (torbrowser[.]io) is a complete replica of the original website of the Tor Browser. The download links present on the fake website take users to the legitimate website of the Tor Browser.


Moreover, during this campaign, the threat actors lured their targets through the use of anonymization software.

Source credit : cybersecuritynews.com