Kaspersky security researchers have discovered a malicious Tor Browser being spread through popular Chinese-language YouTube channels. The channel in question has more than 180,000 subscribers, and the related video has been viewed more than 64,000 times. The video was uploaded in January 2022, and Kaspersky's investigation shows that the earliest victims appeared in March 2022. The researchers named the campaign OnionPoison. The malicious Tor Browser installer is torbrowser-install-win64-11.0.3_zh-cn.exe; it carries no digital signature, was built with the Visual Studio 2003 (7.10) SDK, and ships with privacy settings weaker than the original. It bundles a malicious component named freebl3.dll: the original Tor Browser also contains a file of that name, but the malicious version is completely different. Updates are disabled in the trojanised browser so that the malicious freebl3.dll is not overwritten. freebl3.dll sends a request to the C2 server, which determines the location of the victim's IP address; if it falls within a specific region, the server delivers a second-stage payload, cloud.dll, that collects further information. The data collected includes installed software, running processes, Tor Browser history, Google Chrome and Edge browser history, WeChat and QQ IDs, the SSID and MAC address of Wi-Fi networks, and more.
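Two of the installer traits reported above, the missing digital signature and the Visual Studio 2003 (7.10) build, are visible in the PE headers without running the file, and the bundled freebl3.dll can be compared against the copy from a pristine Tor Browser install. The script below is an added example, not Kaspersky's or Solidot's tooling: it parses the DOS, COFF and optional headers of a PE file, reports the linker version and whether a certificate table is present, and flags the combination called out in the article. The PE samples it checks are constructed in the block, and the reference hash for freebl3.dll is a placeholder that a defender would replace with the hash taken from a clean install.

```python
"""Static PE triage for the OnionPoison installer traits.

Added example (not from the article or Kaspersky): flags a Windows PE that has
no Authenticode certificate table and/or was linked by the Visual Studio 2003
toolchain (linker version 7.10). Presence of a certificate table only means
the file carries a signature; validating it is a separate step (signtool,
Get-AuthenticodeSignature, or osslsigncode).
"""
import hashlib
import struct

SUSPICIOUS_LINKER = (7, 10)   # Visual Studio 2003 linker, as reported for the installer
SECURITY_DIR_INDEX = 4        # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directory


def triage_pe(data: bytes) -> dict:
    """Parse PE headers and return linker version, signature presence and flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                  # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    major, minor = struct.unpack_from("<BB", data, opt + 2)
    if magic == 0x10B:                       # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    sec_off = sec_size = 0
    if num_dirs > SECURITY_DIR_INDEX:
        # For the security directory the first field is a file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dd_off + SECURITY_DIR_INDEX * 8)
    has_authenticode = sec_off != 0 and sec_size != 0
    flags = []
    if not has_authenticode:
        flags.append("unsigned")
    if (major, minor) == SUSPICIOUS_LINKER:
        flags.append("vs2003_linker")
    return {
        "linker_version": "%d.%d" % (major, minor),
        "has_authenticode": has_authenticode,
        "flags": flags,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def differs_from_reference(data: bytes, reference_sha256: str) -> bool:
    """True when a bundled file (e.g. freebl3.dll) does not match the hash of
    the same file from a pristine install. The reference hash is supplied by
    the caller; no real hash is assumed here."""
    return hashlib.sha256(data).hexdigest().lower() != reference_sha256.lower()


def build_sample_pe(major_linker: int, minor_linker: int,
                    signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for testing (no sections, no code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    opt_size = 240 if pe32plus else 224                   # 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    opt[2], opt[3] = major_linker, minor_linker
    nrva_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, nrva_off, 16)             # NumberOfRvaAndSizes
    if signed:
        # Point the certificate table at a (fictional) trailing blob.
        struct.pack_into("<II", opt, nrva_off + 4 + SECURITY_DIR_INDEX * 8,
                         0x400, 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    suspect = build_sample_pe(7, 10, signed=False)        # mimics the reported installer
    print(triage_pe(suspect))
    clean = build_sample_pe(14, 29, signed=True, pe32plus=False)
    print(triage_pe(clean))
    print(differs_from_reference(b"not the real dll", "00" * 32))
```

On a real host, pass the bytes of the downloaded installer to triage_pe and the bytes of freebl3.dll from the browser directory to differs_from_reference with the hash from a Tor Browser download obtained directly from the Tor Project; either flag on the installer, or a mismatching freebl3.dll, is reason to treat the install as the trojanised build described above.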
This article is reproduced from: https://www.solidot.org/story?sid=72968