Malicious Tor Browser spreads through YouTube

OnionPoison spreads a malicious Tor Browser installer via a popular Chinese-language YouTube channel, luring targets into downloading a compromised, less private Tor variant. The malware collects sensitive data, can run shell commands, and talks to its C2 over encrypted channels through infrastructure that masquerades as replica Tor sites; payload delivery is restricted to victims in China. #OnionPoison #TorBrowser #China

Key points

  • All detections are geographically located in China, with the C2 server restricting payload delivery to victims from China.
  • The malicious installer is unsigned and modifies included files (e.g., freebl3.dll, firefox.exe) to disable updates and reduce privacy.
  • The installer configures Tor to store history, cache pages on disk, autofill forms, and save session data, increasing data exposure risk.
  • The campaign uses a YouTube channel to host a malicious download link, leveraging social trust and channel popularity to appear legitimate.
  • The second-stage payload (cloud.dll) collects system information and sends heartbeats to the C2 every two minutes, with data encrypted during transit.
  • The C2 protocol runs over HTTP(S), uses HMAC-SHA1-based authorization headers, decrypts payloads with XOR and RSA/AES-ECB, and reflectively loads the final payload.

MITRE Techniques

  • [T1566.002] Phishing – Spearphishing Link – The campaign used a malicious Tor Browser installer link in a YouTube video description (‘a link to a malicious Tor installer was posted on a popular Chinese-language YouTube channel devoted to anonymity on the internet’).
  • [T1059.003] Command and Scripting Interpreter – The malware ‘provides the functionality to execute shell commands on the victim machine.’
  • [T1112] Modify Registry – The adversaries ‘generate a pseudorandom victim GUID and save it in the SoftGuid value of the HKCU\SOFTWARE\Mozilla\Firefox registry key.’
  • [T1027] Obfuscated Files and Information – The ‘payload is decrypted using two XOR keys’ and then ‘the malicious DLL decompresses it’ before loading.
  • [T1041] Exfiltration Over C2 Channel – The second-stage payload is retrieved after a POST to the C2, and heartbeats are sent back with collected data (‘heartbeat messages to the C2 server every two minutes’).
  • [T1071.001] Web Protocols – The malware communicates over HTTP(S) with endpoints like ‘https://torbrowser.io/metrics/geoip’ and ‘https://tor-browser.io/metrics/geoip’ and uses POST requests for data exchange (‘POST requests to … metrics/geoip’).
  • [T1082] System Information Discovery – The second-stage DLL retrieves system information such as OS disk GUID, Machine GUID, Computer name, locale, user name, and MAC addresses.

Indicators of Compromise

  • [URL] Endpoints used by C2 – https://torbrowser.io/metrics/geoip, https://tor-browser.io/metrics/geoip
  • [URL] Heartbeat endpoints – https://torbrowser.io/metrics/heartbeat, https://tor-browser.io/metrics/heartbeat
  • [File name] torbrowser-install-win64-11.0.3_zh-cn.exe – malicious Tor Browser installer
  • [File name] freebl3.dll – replaced DLL in malicious installer
  • [File name] cloud.dll – second-stage payload DLL
  • [Hash] MD5: 9AABCABABD5B677813589F7154302EE0; SHA1: 7E8B9D2BD32B3AEA0E298B509D3357D4155AF9BC; SHA256: 877FE96CDFA6F742E538396B9A4EDB76DD269984BFB41CAD5D545E72CE28FFDE – torbrowser-install-win64-11.0.3_zh-cn.exe
  • [Hash] MD5: 87E33DF76D70103A660783C02AAC44AC; SHA1: 04C5A6543E61328B235339358D2E48C0002F0E46; SHA256: 3BA945FD2C123FEC74EFDEA042DDAB4EB697677C600F83C87E07F895FB1B55E2 – freebl3.dll
  • [Hash] MD5: 34C43C9B23B40D9D70B4530DE781F88A; SHA1: 3EBF1E989791E3743CEAC1C7B397242DD717AEA9; SHA256: E5CC91FBE01005EF058B1C1D727CFBFB584B012390106BB9C941BC9B1AA96FF7 – cloud.dll
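Two of the indicators above, the geoip/heartbeat endpoints and the two-minute heartbeat interval, translate directly into a proxy-log check. The following Python is an added example, not code from the Securelist report or from the malware; the log format and client addresses are constructed for illustration.

```python
# Added example (not from the Securelist report): match constructed proxy log
# lines against the C2 endpoints above and the ~2-minute heartbeat cadence.
from collections import defaultdict
from datetime import datetime
from statistics import median

C2_URLS = {  # endpoints quoted in the indicators above
    "https://torbrowser.io/metrics/geoip",
    "https://tor-browser.io/metrics/geoip",
    "https://torbrowser.io/metrics/heartbeat",
}
HEARTBEAT_SECONDS = 120  # "heartbeat messages to the C2 server every two minutes"
# Constructed sample proxy log: "<ISO timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2022-10-04T09:00:00 10.0.0.5 POST https://torbrowser.io/metrics/geoip
2022-10-04T09:00:02 10.0.0.5 POST https://torbrowser.io/metrics/heartbeat
2022-10-04T09:02:02 10.0.0.5 POST https://torbrowser.io/metrics/heartbeat
2022-10-04T09:04:03 10.0.0.5 POST https://torbrowser.io/metrics/heartbeat
2022-10-04T09:06:02 10.0.0.5 POST https://torbrowser.io/metrics/heartbeat
2022-10-04T09:01:10 10.0.0.9 GET https://www.torproject.org/download/
"""

def parse_log(text):
    """Yield (timestamp, client, method, url) per line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]

def find_c2_contacts(text):
    """Map each client to the known C2 URLs it requested (plain IoC match)."""
    hits = defaultdict(list)
    for _ts, client, _method, url in parse_log(text):
        if url in C2_URLS:
            hits[client].append(url)
    return dict(hits)

def find_heartbeat_beacons(text, tolerance=10):
    """Map client -> median gap (s) when heartbeat POSTs recur ~120 s apart."""
    times = defaultdict(list)
    for ts, client, method, url in parse_log(text):
        if method == "POST" and url in C2_URLS and url.endswith("/heartbeat"):
            times[client].append(ts)
    beacons = {}
    for client, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Two or more gaps are required so a single coincidental pair cannot alert.
        if len(gaps) >= 2 and abs(median(gaps) - HEARTBEAT_SECONDS) <= tolerance:
            beacons[client] = round(median(gaps))
    return beacons
```

The cadence check is the more durable of the two: the domains can be rotated, but the beacon interval is a behaviour of the DLL itself.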

Read more: https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/