Cybersecurity researchers have identified multiple infections via malicious Tor Browser installers spread via an explanatory video about the Darknet on YouTube.
The discovery comes from Kaspersky, which said in an advisory published earlier today that the channel in question has more than 180,000 subscribers, while the view count on the video with the malicious link exceeds 64,000.
By adding a link to an infected version of Tor Browser in the description of the video, cyber-criminals, dubbed 'OnionPoison' by the security firm, spread malware that could collect victims' data and obtain complete control over their computers via shell commands.
“Most of the affected users were from China,” Kaspersky wrote. “As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites. And cyber-criminals are keen on spreading their malicious activity via such resources.”
From a technical standpoint, Kaspersky said the analyzed version of Tor Browser is configured to be less private than the original software tool.
In fact, the malicious variant not only stored browsing history and all the data the user entered into website forms but also distributed spyware to collect personal data and send it to the hackers’ server.
“Curiously, unlike many other stealers, OnionPoison does not seem to show a particular interest in collecting users’ passwords or wallets,” Kaspersky explained.
“Instead, they tend to be more interested in gathering victims’ identifying information which can be used to track down the victims’ identities, such as browsing histories, social network account IDs and WiFi networks.”
According to Kaspersky, the tactic is concerning because it hints at the attacker's interest in moving from the digital world into the victims' real lives.
“The attackers can gather information on the victim’s personal life, his family or home address. Additionally, there are cases when the attacker used the obtained information to blackmail the victim.”
Kaspersky warned companies and individuals against downloading software from suspicious third-party websites to reduce the risk of becoming victims of such malicious campaigns.
“If using official websites is not an option for you, it is possible to verify the authenticity of installers downloaded from third-party sources by examining their digital signatures.”
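Tor Browser downloads ship with a detached OpenPGP signature (an `.asc` file next to the installer), so the signature check Kaspersky recommends can be automated. The Python below is an added example, not code from the article or from Kaspersky's advisory: it runs `gpg` in machine-readable mode and accepts the installer only when the signature is good and was made by a pinned key, because a zero exit code from `gpg --verify` merely means "valid signature by some key in the local keyring". The fingerprint constant is assumed to be the current Tor Browser Developers key and should be confirmed on torproject.org before use; the sample status lines in the comments are constructed.

```python
import subprocess
from typing import Optional

# Primary fingerprint of the Tor Browser Developers signing key as published on
# torproject.org at the time of writing. ASSUMED current: confirm it against the
# official site before relying on it.
TOR_BROWSER_PRIMARY_FPR = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Status words after which the signature must not be trusted, whatever else gpg says.
_REJECT = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def verify_status(status_output: str, expected_primary_fpr: str) -> bool:
    """Decide from `gpg --status-fd` output whether a detached signature is good
    AND was made by the pinned key.

    Status lines look like (constructed sample):
      [GNUPG:] GOODSIG 4E2C6E8793298290 Tor Browser Developers (signing key)
      [GNUPG:] VALIDSIG <signing-subkey-fpr> 2022-10-01 1664582400 0 4 0 1 10 00 <primary-fpr>
    """
    good = False
    pinned_match: Optional[str] = None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable output, not a status line
        word = fields[1]
        if word in _REJECT:
            return False
        if word == "GOODSIG":
            good = True
        elif word == "VALIDSIG" and len(fields) >= 3:
            # fields[2] is the (sub)key that made the signature; the last field is
            # the primary key fingerprint, which is what vendors publish.
            candidates = {fields[2].upper(), fields[-1].upper()}
            if expected_primary_fpr.upper() in candidates:
                pinned_match = expected_primary_fpr.upper()
    return good and pinned_match is not None


def verify_installer(installer: str, signature: str,
                     expected_primary_fpr: str = TOR_BROWSER_PRIMARY_FPR) -> bool:
    """Run gpg on a downloaded installer and its .asc file. Returns True only if
    the signature is good and from the pinned key; the signing key must already
    have been imported into the local keyring."""
    try:
        proc = subprocess.run(
            ["gpg", "--status-fd", "1", "--verify", signature, installer],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:  # gpg is not installed
        return False
    return verify_status(proc.stdout, expected_primary_fpr)
```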
The advisory comes months after the Tor Project updated its flagship anonymizing browser to make it easier for users to evade government attempts to block its use in various regions.
More recently, hacker groups reportedly used the tool to assist protestors in Iran.