While performing regular threat hunting activities, we identified multiple downloads of previously unclustered malicious Tor Browser installers. According to our telemetry, all the victims targeted by these installers are located in China. As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites. In our case, a link to a malicious Tor installer was posted on a popular Chinese-language YouTube channel devoted to anonymity on the internet. The channel has more than 180,000 subscribers, while the view count on the video with the malicious link exceeds 64,000. The video was posted in January 2022, and the campaign’s first victims started to appear in our telemetry in March 2022.

The installation of the malicious Tor Browser is configured to be less private than the original Tor. Unlike the legitimate one, the infected Tor Browser stores browsing history and data entered into website forms. More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it.

We decided to dub this campaign ‘OnionPoison’, naming it after the onion routing technique that is used in Tor Browser.

Screenshot of the video with a link to the malicious Tor Browser installer in the description section

Screenshot of the video with a link to the malicious Tor Browser installer in the description section

Initial infection

Victims of the OnionPoison campaign likely reach the video with the malicious link after a YouTube search. The video heads the list of search results for the ‘Tor浏览器’ (‘Tor Browser’ in Chinese) query. The description of the video contains two links: the first one goes to the official Tor Browser website, while the other leads to a malicious Tor Browser installer executable hosted on a Chinese cloud sharing service. As the original Tor website is banned in China, viewers of the video have to navigate to the cloud sharing service link in order to download the browser.

Download page of the malicious Tor Browser installer

Download page of the malicious Tor Browser installer

The malicious installer

MD59AABCABABD5B677813589F7154302EE0
SHA17E8B9D2BD32B3AEA0E298B509D3357D4155AF9BC
SHA256877FE96CDFA6F742E538396B9A4EDB76DD269984BFB41CAD5D545E72CE28FFDE
Link time2021-Sep-25 21:56:47
File typePE32+ executable (GUI) x86-64, for MS Windows
CompilerVisual Studio 2003 – 7.10 SDK
File size74 MB
File nametorbrowser-install-win64-11.0.3_zh-cn.exe

The user interface of the malicious Tor Browser installer is identical to the original one. However, the malicious installer does not have a digital signature, and some of the files dropped by the malicious installer differ from the ones bundled with the original installer:

File nameComment
freebl3.dllThe file freebl3.dll is present in the original Tor Browser installer; however, its contents are entirely different from the DLL in the malicious installer
freebl.dllA file with this name is found only in the malicious installer. It is a copy of the freebl3.dll library from the original installer
firefox.exeThe executable in the infected installer differs from the original by only one byte: the infected installer contains the string https://aus1.torproject.org/torbrowser/update3/%CHANNEL%/%BUILD, while the corresponding string in the original installer is https://aus1.torproject.org/torbrowser/update_3/%CHANNEL%/%BUILD. By replacing the underscore with a dash, adversaries prevented the malicious Tor Browser installation from updating. They have likely disabled updates in order to prevent overwriting of the modified freebl3.dll library.

What is also interesting about the malicious Tor Browser installation is that the adversaries made it less private. By modifying the defaultspreferences00-tor-browser.js configuration file that is stored in the browseromni.ja archive, they have configured Tor to:

  • Store the browsing history;
  • Enable caching of pages on disk;
  • Enable automatic form filling and memorization of login data;
  • Store extra session data for websites.

Snippets of the modified (left) and original (right) 000-tor-browser.js file

Snippets of the modified (left) and original (right) 000-tor-browser.js file

The freebl3.dll library

MD587E33DF76D70103A660783C02AAC44AC
SHA104C5A6543E61328B235339358D2E48C0002F0E46
SHA2563BA945FD2C123FEC74EFDEA042DDAB4EB697677C600F83C87E07F895FB1B55E2
Link time2021-Dec-21 09:44:08
File typePE32+ executable (DLL) (GUI) x86-64, for MS Windows
CompilerVisual Studio 2010 – 10.10 SP1
File size114 KB
File namefreebl3.dll

When Tor Browser (either the legitimate or the infected one) starts up, it loads the freebl3.dll library into the address space of a firefox.exe process. In the case of the infected browser installation, the adversaries replaced this library with a malicious one. To ensure Tor functions correctly, this malicious library proxies all its exports to freebl.dll (a copy of the original freebl3.dll library).

Forwarded exports of the malicious freebl3.dll library

Forwarded exports of the malicious freebl3.dll library

Upon startup, the malicious library creates a mutex with the name GlobalTBrowser that prevents two instances of the malware from running at the same time. It then pseudorandomly chooses one of the following C2 server URLs and makes a POST request to it:

  • https://torbrowser.io/metrics/geoip
  • https://tor-browser.io/metrics/geoip

Interestingly, the POST request made to the C2 server contains the following headers:

Header nameHeader data
DateCurrent date and time in GMT format (e.g., Mon, 10 Aug 2022 11:21:55 GMT)
User-AgentDefault User Agent obtained through the ObtainUserAgentString API function
HostC2 server address
AuthorizationContains a HMAC-SHA1 signature of the request data (example header value: Authorization: SIGN QbqCdtmBBk3uH2Zj:gNe34o6RkQ/Hn82bRPSk7q1DO8w=). Here QbqCdtmBBk3uH2Zj is an identifier of the HMAC key, and gNe34o6RkQ/Hn82bRPSk7q1DO8w= is a Base64-encoded HMAC-SHA1 hash. This hash is formed from a string containing:

  • The request type (POST);
  • The MD5 hash of the request body (empty in this case);
  • The current date and time;
  • The request’s relative URL (/metrics/geoip in this case).

In response to the POST request, the C2 server returns a blob containing an encrypted second stage payload. This payload is decrypted using two XOR keys: the first key is derived from the payload length, while the second key is D65CB35A-58CB-4456-A7B7-E1B218770A9E. After decrypting the blob, the malicious DLL decompresses it using the RtlDecompressBuffer function, thus obtaining another DLL file. The malware then reflectively loads this DLL and invokes its entry point function.

Obtaining the DLL from the C2 infrastructure

During our research, we attempted to communicate with the C2 server and retrieve the second stage DLL. At first, the server did not return the DLL in response to our POST request. Then, through trial and error, we discovered that the C2 server checks the IP address of the victim machine and only dispatches the payload to victims from China. After making a POST request from a machine with a Chinese IP address, we successfully downloaded the second stage DLL. We can therefore say that the OnionPoison campaign targets users that are located in China. Another thing to note is that the IP address check makes it difficult to obtain the second stage payload via automated malware analysis sandboxes.

The second stage DLL

MD534C43C9B23B40D9D70B4530DE781F88A
SHA13EBF1E989791E3743CEAC1C7B397242DD717AEA9
SHA256E5CC91FBE01005EF058B1C1D727CFBFB584B012390106BB9C941BC9B1AA96FF7
Link time2022-Feb-16 09:56:56
File typePE32+ executable (DLL) (GUI) x86-64, for MS Windows
CompilerVisual Studio 2010 – 10.10 SP1
File size788 KB
File namecloud.dll

When loaded, the second stage DLL retrieves the following system information:

  • GUID of the operating system disk volume;
  • Machine GUID;
  • Computer name;
  • Computer locale;
  • Current user name;
  • MAC addresses of network adapters.

If launched for the first time on the victim machine, the DLL also generates a pseudorandom victim GUID and saves it inside in the SoftGuid value of the HKCUSOFTWAREMozillaFirefox registry key.

After collecting system information, the DLL starts sending heartbeat messages to the C2 server every two minutes. The body of every heartbeat message contains a JSON object with collected system information. Heartbeats are sent as POST requests to either the https://torbrowser.io/metrics/heartbeat or the https://tor-browser.io/metrics/heartbeat URL. The DLL also encrypts the request body by first encrypting it with a pseudorandom AES-128 (ECB) key and then encrypting the AES key with an RSA public key specified in the configuration.

In response to heartbeats, the C2 server may request to collect the following additional information:

  • Installed software;
  • Running processes;
  • TOR browser history;
  • Google Chrome and Edge history;
  • IDs of WeChat and QQ accounts that belong to the victim;
  • SSIDs and MAC addresses of Wi-Fi networks to which the victims are connected.

The collected additional information is sent to the C2 server together with the next heartbeat message.

In addition to that, the C2 server may request to execute an arbitrary shell command on the victim machine. To do so, the DLL creates a new cmd.exe process, passing the command as an argument. It also redirects the output of the command line process to a pipe that is later used to retrieve the command execution results. Once the shell command finishes executing, its results are encrypted (also with a combination of symmetric and asymmetric cryptography) and sent via a POST request to either the https://torbrowser.io/metrics/geoip or the https://tor-browser.io/metrics/geoip URL.

An interesting fact about the C2 server websites is that they are visually identical to the original Tor Browser website. The browser download links on the replica website lead to the legitimate Tor Browser website.

Screenshot of the torbrowser[.]io webpage

Screenshot of the torbrowser[.]io webpage

Victims

According to our telemetry, all detections appear to be geographically located in China. This was to be expected because, as we mentioned above, the C2 server checks that the external IP address of the victim’s machine originates from China.

Conclusion

In this campaign, the attackers use anonymization software to lure targets. Placing a link on a popular YouTube channel makes the malicious Tor Browser installer appear more legitimate to potential targets. Curiously, unlike common stealers, OnionPoison implants do not automatically collect user passwords, cookies or wallets. Instead, they gather data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks. The attackers can search the exfiltrated browser histories for traces of illegal activity, contact the victims via social networks and threaten to report them to the authorities. In the past, we have also seen cases where law enforcement agencies, for instance, the FBI, have used 0-days to unmask the identity of Tor users involved with darknet pedophile websites. Another similar case involved the distribution of OnionDuke malware through injections into unencrypted HTTP connections on TOR exit nodes.

Regardless of the actor’s motives, the best way to avoid getting infected with OnionPoison implants is to always download software from official websites. If that’s not an option, verify the authenticity of installers downloaded from third-party sources by examining their digital signatures. A legitimate installer should have a valid signature, and the company name specified in its certificate should match the name of the software developer.

Posted by Charlie