
Tor’s Lookalike Loots $400k in Crypto

A malware attack has hit the cryptocurrency space with a $400,000 crypto theft. Camouflaged as a Tor Browser installer, this clipboard injector malware stole approximately $400,000 in cryptocurrency from around 16,000 users worldwide, say Kaspersky researchers.

The Kremlin’s ban on the Tor Project, and the censorship that followed once the outright ban was removed, is said to have pushed up the number of Russian victims of the scam.

“The Tor Project called to help keep Russian users connected to Tor to circumvent censorship.”
Vitaly Kamluk, Kaspersky Official

Responding to the scammers’ call, users started downloading trojanized Tor Browser bundles, which later led to this gigantic theft. These attacks follow an identical pattern: the targets download a borked Tor Browser from a third-party store. It comes as a password-protected RAR archive, which helps it skip security protection, and it includes a command-line RAR extraction tool.

Although the attack has affected users in 52 countries, most cases came from Russia, Ukraine, and the United States.

Once the download completes, the malware starts its work. It usually fools users by presenting itself with the icon of a common application. The malware watches the victim’s clipboard data, and when it detects a crypto wallet address, it replaces it with an address controlled by the attacker.
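As an added illustration (not code from Kaspersky or from this article), here is a paste-time check of the kind a wallet front end could run against the substitution described above. The address patterns are simplified assumptions without checksum validation, and the sample addresses are constructed.

```python
import re

# Simplified address shapes for the four currencies the article names.
# Assumption: these are illustrative patterns, not full validators.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(rf"^(?:bc1[0-9a-z]{{25,87}}|[13]{BASE58}{{25,34}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(rf"^(?:ltc1[0-9a-z]{{25,87}}|[LM]{BASE58}{{25,34}})$"),
    "dogecoin": re.compile(rf"^D{BASE58}{{25,34}}$"),
}

# Constructed sample values, not real wallets.
SAMPLE_BTC = "1" + "A" * 30
SAMPLE_BTC_OTHER = "1" + "B" * 30
SAMPLE_ETH = "0x" + "ab" * 20


def classify(text):
    """Return the currency whose address shape the text matches, or None."""
    candidate = text.strip()
    for currency, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return currency
    return None


def check_paste(copied, pasted):
    """Compare the address the user copied with what reached the input field.

    Returns 'not-an-address' when there is nothing to protect, 'match' when
    the value arrived intact, 'substituted' when a different wallet address
    arrived (the clipboard-injector signature), and 'modified' otherwise.
    """
    if classify(copied) is None:
        return "not-an-address"
    if copied.strip() == pasted.strip():
        return "match"
    if classify(pasted) is not None:
        return "substituted"
    return "modified"


if __name__ == "__main__":
    for copied, pasted in [(SAMPLE_BTC, SAMPLE_BTC),
                           (SAMPLE_BTC, SAMPLE_BTC_OTHER),
                           (SAMPLE_ETH, SAMPLE_BTC_OTHER)]:
        print(check_paste(copied, pasted), copied[:8], "->", pasted[:8])
```

A 'substituted' result should block the transaction and prompt the user to compare the address character by character against the original source.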

The Complex Calculation

The scammers seem to have worked hard to make the malware functional and hard to study. They protected it with Enigma Packer V4.0, which made analysis more complex. The threat hunters computed the total losses by collecting numerous malware samples, unpacking them from Enigma, and extracting the crypto wallet replacement addresses.

Based on this calculation methodology, the crypto theft, estimated at $400,000, spans several currencies: Bitcoin ($381,237), Ethereum ($4,833), Litecoin ($10,554), and Dogecoin ($570). Kamluk, the Kaspersky official, believes that the actual theft is even bigger, as the research focuses only on Tor Browser abuse. There may be other campaigns and other modes of malware delivery that have probably drained other digital wallets.

While the attack has been planned around a fundamentally simple concept, it may harbor more danger than one could imagine.

Experts have started exploring ways to prevent such crypto-stealing campaigns. For instance, they suggest downloading installers from the official Tor Project instead of third-party websites. These installers are digitally signed and are expected to be malware-free.

The primary concern is that the malware is passive, and heuristics can hardly detect it. What’s more concerning is that it can hide silently on the user’s device for years. It may not show any network activity, nor can its presence be detected from other visible signs. The user may discover it only on the disastrous day when it finally steals their money, identity, crypto, or other digital valuables.

Krishi Chowdhary

Krishi is an enthusiastic B2B and B2C content writer, always on the lookout to simplify software purchase decisions for businesses and help them improve their online presence and SEO.

Krishi's particular expertise includes writing educational material on customer relationship management (CRM) software and project management tools to help small businesses maximize their revenue.

Alongside his writing and blogging work, Krishi's other hobbies include studying the financial markets and cricket.
