A wave of trojanized Tor browser installers are targeting Russians and Eastern Europeans with clipboard-hijacking malware that steals cryptocurrency transactions from infected users.

Kaspersky analysts warn that while this attack is not new or particularly creative, it is still effective and widespread, infecting many users around the world.

While these malicious Tor installers target countries around the world, Kaspersky says most target Russia and Eastern Europe.

“We link this to the ban of the Tor Project website in Russia at the end of 2021, which was reported by the Tor project itself,” explains Kaspersky.

“According to the latter, Russia was the second country in number of Tor users in 2021 (with more than 300,000 daily users, or 15% of all Tor users).”

Malicious Tor Browser Installers

Tor Browser is a specialized web browser that allows users to browse the web anonymously by hiding their IP address and encrypting their traffic.

Tor can also be used to access special onion domains, otherwise known as the “dark web”, which are not indexed by standard search engines or accessible through regular browsers.

Cryptocurrency holders can use the Tor Browser either to enhance their privacy and anonymity when transacting with cryptocurrencies, or because they want to access illegal dark web market services, which are paid for in crypto .

Trojan-protected Tor installations are usually advertised as “security-enhanced” versions from the official vendor, Tor Project, or given to users in countries where Tor is banned, making it more difficult to download the version official.

Kaspersky says these installers contain a standard, albeit outdated version of Tor Browser in most cases, plus an additional executable hidden in a password-protected RAR archive set to self-extract to the user’s system.

Installers are also localized with names like “torbrowser_ru.exe” and contain language packs allowing users to select their preferred language.

While the standard Tor browser is launched in the foreground, the archive extracts the malware in the background and runs it as a new process while registering it on system autostart. Moreover, the malware uses a uTorrent icon to hide on the hacked system.

Kaspersky detected 16,000 variants of these Tor installers between August 2022 and February 2023 in 52 countries, based on data from users of its security products.

While the majority target Russia and Eastern Europe, they have also been seen targeting the US, Germany, China, France, the Netherlands and the UK.

Clipboard hack

Since cryptocurrency addresses are long and complicated to type, it is common to first copy them to the clipboard and then paste them into another program or website.

The malware monitors the clipboard for recognizable crypto wallet addresses using regular expressions and, when it detects one, replaces it with an associated cryptocurrency address held by cryptocurrency actors. the threat.

When the user pastes the cryptocurrency address, the threat actor’s address will be pasted instead, allowing attackers to steal the sent transaction.

Kaspersky claims the threat actor uses thousands of addresses on each malware sample, randomly selected from a hard-coded list. This makes tracking, reporting and banning wallets difficult.

The cybersecurity firm unpacked hundreds of malware samples it had collected to extract alternate addresses and discovered they had stolen nearly $400,000, excluding Monero, which cannot be found.

This is money stolen only from a single campaign operated by a specific malware writer, and there are almost certainly other campaigns using trojanized installers for different software.

To stay safe from clipboard hackers, only install software from trusted/official sources, in this case, the Tor Project website.

A simple test to check if a clipper has infected you is to copy and paste this address into your Notepad: bc1heymalwarehowaboutyoureplacethisaddress.

If it is changed, it means your system is compromised.