Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Crypto-stealing malware hidden in trojanised Tor browsers on the rise

Clipboard injector banking malware is nothing new, but as always, hackers continue to evolve their tools to evade detection and increase their spread. Researchers have recently uncovered a new crypto-stealing campaign that takes advantage of the Tor Browser.

user icon David Hollingworth
Thu, 30 Mar 2023
Crypto-stealing malware hidden in trojanised Tor browsers on the rise
expand image

The Tor Browser — a privacy-focused browser that is used to access dark web sites — was banned in Russia in 2021, and the new campaign uses that to its advantage, offering a Russian-language version of the app from third-party sites.

However, while the copy of Tor that ends up being downloaded is legitimate, it’s packaged in a self-extracting executable archive. Clicking it opens up the actual browser, but it also runs a RAR extraction tool and another RAR archive.

This unpacks and installs the malware payload itself.

============
============

What makes this malware so insidious is how quietly it operates. It does not need to communicate with outside networks and runs passively in the background of a device. Then, every time a user copies something into the clipboard, the malware notes the new data, and scans it looking for a cryptocurrency wallet address.

If an address is detected, the malware replaces it with an address of its own. In this way, an unwary user might think they are transferring coins between their own wallets but are, in fact, transferring funds to the operators of the malware.

The malware can look for a wide range of currencies, from Dogecoin to Monero and Ethereum, but bitcoin is by far the most common.

Researchers at Kaspersky have detected the malware in 52 countries across the globe, but the majority are in eastern Europe, with Russia ranking number one at around 16,000 infections. However, Kaspersky admits that is likely the tip of the iceberg. It began to be seen in early 2022, but infections rose dramatically into the back half of the year and peaked in January 2023.

As to the cost of the malware, Kaspersky estimates that nearly US$400,000 has been transferred to the malware’s operators. But, again, the actual amount is likely far higher.

“We believe that the actual theft is bigger because this research is focused on Tor Browser abuse,” said Vitaly Kamluk, director of Kapsersky’s global research and analysis team, in a blog post.

“There may be other campaigns, abusing different software and using other means of malware delivery as well as other types of wallets.”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.