The Clipper malware is notorious for stealing cryptocurrency funds and user data from targeted devices.
According to Kaspersky Labs’ findings, people in Eastern Europe and Russia are targeted by threat actors through fake Tor browser installers. These installers are capable of hijacking clipboard data to steal cryptocurrency transactions.
The latest scam should come as no surprise: the Tor browser is the tool of choice for those seeking anonymity and privacy, which makes its users an attractive target. In February 2023, the privacy-focused browser's developers revealed that it had been under a relentless series of DDoS attacks, and that cybercriminals had also been distributing malicious installers to steal user data.
Beware of Trojanized Tor Browser Installers
The Tor anonymity browser is once again the target of malicious actors, who are distributing trojanized versions of the browser to infect users’ devices with Clipper malware. This malware can siphon cryptocurrency and may remain dormant for years.
The victim won’t suspect any network activity or “signs of presence” until the day the attacker decides to steal funds from the wallet, stated Vitaly Kamluk, Kaspersky researcher and director of the Global Research and Analysis Team (GReAT) for APAC.
Its malicious functions are triggered only once the clipboard data meets pre-defined criteria. Reportedly, the operators made $40,000 in profits by stealing crypto, including Bitcoin, Litecoin, Ether, and Dogecoin.
How Are Fake Installers Distributed?
Kaspersky researchers are unsure how these fake Tor browser installations are distributed. However, there are indications that torrents or third-party sources may be responsible.
Once the installer has entered a system, it launches the legitimate executable and, at the same time, launches the Clipper malware. The payload starts tracking clipboard content. If the clipboard contains text, Clipper scans it with “a set of embedded regular expressions;” if a match is found, it is replaced with an address from a “hardcoded list,” Kamluk noted.
In fact, each analyzed sample carried thousands of replacement addresses, from which one is selected at random. The malware can also be disabled through a special hotkey combination (Ctrl+Alt+F10).
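The replacement behaviour described above has a simple defensive counterpart: record what the user actually copied and flag a clipboard read-back that returns a different cryptocurrency address. The following Python check is an added example, not code from the article or from Kaspersky; the address patterns are simplified shape checks written for this example, and the sample clipboard events and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Simplified shape checks for the coins named in the article (prefix, charset, length).
# They classify clipboard text as address-like; they do not validate checksums.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(ltc1[ac-hj-np-z02-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "dogecoin": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the coin whose address format `text` matches, or None for ordinary text."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class ClipboardEvent:
    seq: int
    kind: str  # "copy": text the user deliberately copied; "poll": clipboard read back later
    text: str


def detect_swaps(events: Iterable[ClipboardEvent]) -> list:
    """Flag each poll where an address the user copied reads back as a different address.
    A clean clipboard returns exactly the copied string; a clipper substitutes its own."""
    alerts = []
    last_copy = None
    for ev in events:
        if ev.kind == "copy":
            last_copy = ev
            continue
        if last_copy is None or classify(last_copy.text) is None:
            continue  # nothing address-like was copied, so a change is not a wallet swap
        if classify(ev.text) and ev.text.strip() != last_copy.text.strip():
            alerts.append({"seq": ev.seq, "coin": classify(last_copy.text),
                           "copied": last_copy.text, "observed": ev.text})
    return alerts


# Constructed sample events; the addresses are made up and are not real wallets.
SAMPLE_EVENTS = [
    ClipboardEvent(1, "copy", "1ExampLeAddrConstructedFortest9xyz"),
    ClipboardEvent(2, "poll", "1ExampLeAddrConstructedFortest9xyz"),  # unchanged: fine
    ClipboardEvent(3, "poll", "3SwappedAddrConstructedFortestABCD"),  # different address: swap
    ClipboardEvent(4, "copy", "meeting notes for Friday"),
    ClipboardEvent(5, "poll", "0x" + "ab" * 20),  # address appeared, but none was copied: no alert
]
```

Running `detect_swaps(SAMPLE_EVENTS)` yields one alert, for event 3, where the copied Bitcoin address reads back as a different one.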
How Does it Work?
The installers contain a regular but outdated Tor browser and another application hidden inside a password-protected self-extracting RAR package. The installers have language packs that allow users to select a language and feature localized names such as tor browser ru.exe.
Clipper is extracted by the archive running in the background and executed as a new process. It is also registered for system autostart, while the bundled Tor browser runs in the foreground. The malware conceals itself by using the uTorrent icon.
Who are the Targets, and Why?
The team behind The Tor Project suspects that this campaign is designed to exploit the ban on the Tor browser in Russia. It is worth noting that Russia is the second-largest country by Tor usage worldwide, with over 300,000 daily visitors (15% of the Tor browser’s users).
However, the Russian government blocked the Tor website in 2021, and threat actors usually distribute trojanized Tor installers to users in regions where the service is illegal.
Kaspersky recorded nearly 16,000 detections, the majority registered in Ukraine and Russia, followed by China, Germany, the USA, Belarus, the UK, the Netherlands, Uzbekistan, and France. Threats were reported in 52 countries overall.
If you cannot access the Tor browser in Russia or elsewhere, consider using the Brave browser instead. It allows users to open .onion domains directly from the browser through its Tor gateway.