2023-03-30

Trojanized installers of the Tor Browser, the browser used for online anonymity, have been used since September 2022 to target users in Russia and Eastern Europe with clipper malware designed to steal cryptocurrency.

Tor: from “friend” to “enemy” in an instant?

“Clipboard injectors […] can hang around for years, with no network activity or other signs of presence until the disastrous day they replace the crypto wallet address,” said Vitaly Kamluk, head of Kaspersky's Global Research and Analysis Team (GReAT) for APAC.

Another notable feature of clipper malware is that its malicious function is not triggered unless the clipboard contents meet specific criteria, which makes it harder to spot.

It is not immediately clear how the installers are distributed, but the evidence points to torrent downloads or some other unidentified third-party source, since the Tor Project's website has been blocked in Russia at various times in recent years.

Whatever the delivery method, the installer launches the legitimate executable and, alongside it, the clipper payload that monitors the contents of the clipboard.

“If the clipboard contains text, it scans its contents with a set of built-in regular expressions,” Kamluk noted. “If it finds a match, it replaces it with an address chosen randomly from a hard-coded list.”

Each installer sample carries thousands of possible replacement addresses, one of which is picked at random for each swap. The malware can also be disabled with a special key combination (Ctrl+Alt+F10), an option that was probably added during testing.
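The same regex set that lets the clipper decide which clipboard text is worth replacing can be turned around for detection. The following is an added example, not code from Kaspersky or from the malware itself: it classifies clipboard text as a wallet address for the coins the article names and flags the clipper's signature, an address silently replaced by a different address of the same coin with no copy action by the user in between. The address patterns, the snapshot format, the `user_copied` flag (which a real monitor would take from a clipboard-change hook) and the clipboard history are all constructed assumptions so that the example runs offline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Wallet-address patterns for the coins named in the article. These regexes are an
# illustrative assumption (common legacy and bech32 forms), not a full spec of any chain;
# a clipper uses a set like this to decide whether clipboard text is worth replacing.
ADDRESS_PATTERNS = {
    "bitcoin":  re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "dogecoin": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
    "monero":   re.compile(r"^[48][a-km-zA-HJ-NP-Z1-9]{94}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the coin whose address pattern the clipboard text matches, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass(frozen=True)
class Snapshot:
    """One poll of the clipboard (constructed input format for this example).

    user_copied is True when a copy action by the user (Ctrl+C, context-menu copy)
    was observed since the previous poll. A real monitor would take that from a
    clipboard-change hook; here it is simply part of the sample data.
    """
    t: float            # seconds since monitoring started
    text: str
    user_copied: bool


@dataclass(frozen=True)
class SwapAlert:
    t: float
    coin: str
    original: str
    replacement: str


def detect_swaps(snapshots: List[Snapshot]) -> List[SwapAlert]:
    """Flag the clipper's signature: a wallet address replaced by a different address
    of the same coin while the user performed no copy action in between."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if cur.text == prev.text or cur.user_copied:
            continue  # unchanged, or the user legitimately put new text on the clipboard
        prev_coin, cur_coin = classify(prev.text), classify(cur.text)
        if prev_coin is not None and prev_coin == cur_coin:
            alerts.append(SwapAlert(cur.t, cur_coin, prev.text.strip(), cur.text.strip()))
    return alerts


# Constructed clipboard history. The addresses are made up and only satisfy the regexes.
BTC_USER = "1ConstructedBtcAddrAAAAAAAAAA"
BTC_ATTACKER = "1AttackerBtcAddrBBBBBBBBBBBBB"
ETH_USER = "0x" + "a1" * 20
ETH_OTHER = "0x" + "b2" * 20

SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes for friday", True),
    Snapshot(1.0, BTC_USER, True),        # user copies their own deposit address
    Snapshot(1.5, BTC_USER, False),
    Snapshot(2.0, BTC_ATTACKER, False),   # rewritten with no copy action: clipper behaviour
    Snapshot(5.0, ETH_USER, True),
    Snapshot(5.5, ETH_USER, False),
    Snapshot(9.0, ETH_OTHER, True),       # user copies a second address: legitimate change
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={alert.t}s {alert.coin}: {alert.original} -> {alert.replacement}")
```

Run against the sample history, the detector raises exactly one alert, for the Bitcoin swap at t=2.0, and stays quiet when the user copies a second Ethereum address. Matching on the same coin type is deliberate: password managers and other tools write the clipboard without a copy action all the time, and a different-type change says nothing about a clipper, whereas a same-type address substitution is precisely what the malware has to do to get paid.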

The Russian cybersecurity firm has recorded around 16,000 detections, the majority in Russia and Ukraine, followed by the United States, Germany, Uzbekistan, Belarus, China, the Netherlands, the United Kingdom and France; in total, the threat has been identified in 52 countries.

The operation is estimated to have netted its operators nearly $400,000 in illicit profits through the theft of Bitcoin, Litecoin, Ether and Dogecoin. How much Monero was stolen is not known, because the privacy features built into that cryptocurrency prevent the attackers' addresses from being traced.

The campaign is suspected to be larger in scope, since the threat actors could be using other software installers and as yet unseen delivery methods to target unwary users.

To protect yourself from such threats, download software only from reliable and trusted sources. For Tor Browser in particular, the Tor Project publishes an OpenPGP signature alongside each release, and verifying that signature before running the installer will catch a trojanized copy even when the download itself came from a mirror.

In summary

It is important to take security precautions when downloading and installing software from the Internet, because attackers are constantly looking for new ways to spread malware.

In this case, trojanized installers of the Tor anonymity browser were used as the vector for clipper malware, which steals cryptocurrency by replacing the wallet addresses users copy with attacker-controlled ones.

The discovery shows that even legitimate software can be repurposed as a vehicle for malware, and that cybercriminals keep developing new ways to bypass security measures.

Therefore, always download software from trusted and verified sources, and keep an up-to-date antivirus solution on your devices. Users should also be especially careful when handling cryptocurrency, use only trusted wallets, and compare the destination address shown in the wallet against the one they copied before confirming a transaction, since a clipper changes the address only at the moment it is pasted.