Malicious Tor installers distributed via YouTube


A popular Chinese-language YouTube channel shared a link to a malicious Tor installer to collect personal data and give an attacker control over the victim’s machine.

Tor, used to bypass censorship and surveillance and to browse anonymously, is blocked in China. As a result, many Chinese users resort to downloading Tor from third-party websites.

Kaspersky observed a Chinese-language YouTube channel with more than 180,000 subscribers distributing a malicious Tor installer via a video posted in January.

The malicious Tor version stores browsing history and is configured to enable caching of pages on disk, automatic form filling and memorization of login data, and storing extra session data for websites.

“More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it,” Kaspersky said, dubbing this campaign OnionPoison.

At first glance, the malicious installer looks identical to the original one, giving potential victims no reason to worry. However, it does not have a digital signature, and some files differ from the original installer’s files.

“Curiously, unlike common stealers, OnionPoison implants do not automatically collect user passwords, cookies, or wallets. Instead, they gather data that can be used to identify the victims, such as browsing histories, social networking account IDs, and Wi-Fi networks,” Kaspersky said.

The OnionPoison campaign targets users located in China. To avoid falling victim to similar incidents, you should only download software from the developer's official website.

“If that’s not an option, verify the authenticity of installers downloaded from third-party sources by examining their digital signatures. A legitimate installer should have a valid signature, and the company name specified in its certificate should match the name of the software developer,” Kaspersky said.
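As an added example of the signature check described above (not code from the article or from Kaspersky), this PowerShell function uses the built-in Get-AuthenticodeSignature cmdlet to reject a Windows installer that is unsigned, carries an invalid signature, or is signed by a company other than the expected developer; the file path and publisher name at the bottom are placeholders to be replaced with the downloaded file and the name printed in the developer's own certificate.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1
# or later; Get-AuthenticodeSignature and the X509Certificate2 API are built in.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # name as shown in the vendor's certificate
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop

    # Status is an enum: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError.
    # A missing signature (NotSigned) is the first red flag the article describes.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Verdict = 'FAIL'
            Reason = "signature status: $($sig.Status)"; Signer = $null
        }
    }

    # SimpleName returns the certificate's Common Name reliably, even when the
    # CN itself contains commas (e.g. "Vendor, Inc.") that would break naive
    # splitting of the Subject string.
    $cn = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # A valid signature from the wrong company is the other case the advice
    # covers: signed, but not by the software's developer.
    if ($cn -ne $ExpectedPublisher) {
        return [pscustomobject]@{
            Path = $Path; Verdict = 'FAIL'
            Reason = "signed by '$cn', expected '$ExpectedPublisher'"; Signer = $cn
        }
    }

    return [pscustomobject]@{
        Path = $Path; Verdict = 'PASS'
        Reason = 'valid signature from the expected publisher'; Signer = $cn
    }
}

# Placeholder values: point these at the downloaded installer and the developer's
# certificate name taken from the vendor's official site.
Test-InstallerPublisher -Path 'C:\Downloads\<installer>.exe' -ExpectedPublisher '<Developer Name>'
```

The function returns an object rather than printing, so it can be run over a whole download folder with Get-ChildItem and filtered on Verdict.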