Researchers at Kaspersky have found malware hidden in a modified version of the anonymity-preserving Tor Browser, distributed in a way that specifically targets users in China.
According to details published in a blog post on Tuesday, the malware campaign reaches unsuspecting users through a Chinese-language YouTube video about staying anonymous online. During the research period, the video was the top result for the YouTube query “Tor浏览器,” which translates to “Tor browser” in Chinese. Beneath the video, one URL links to the official Tor website (which is blocked in China); another provides a link to a cloud-sharing service that hosts an installer for Tor, modified to include malicious code.
Once the file is executed, it installs a working version of Tor Browser on the user’s machine. But the browser has been modified so as to save details of browsing history and any form data entered by the user, which the genuine version of Tor Browser forgets by default.
Even more concerning, the malicious version of the browser also attempts to download a further malware payload from a remote server, which the researchers say is only installed on machines with an IP address located in China. When the second-stage malware is installed on a target machine, it retrieves details like the computer’s GUID — a unique identifying number — along with system name, current user name, and MAC address (which identifies the machine on a network).
All of this information is sent to a remote server, and according to Kaspersky’s analysis, this server can also request data on the system’s installed applications, browser history — including the fake Tor Browser — and the IDs of any WeChat and QQ messaging accounts present on the computer.
Notably, the malware seems designed to identify the user rather than steal data that could be sold for profit. “Unlike common stealers, OnionPoison implants do not automatically collect user passwords, cookies or wallets,” Kaspersky researchers note. “Instead, they gather data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks.”
The result is a powerful and comprehensive surveillance program targeted specifically at Chinese internet users. Together, the data obtained would be enough to build a comprehensive profile of a user’s identity and internet usage habits, even as they browsed with software that they believed would keep them anonymous.
The best protection against this kind of attack is to download software only from a trusted source — in this case, the official Tor Project portal — but China’s extensive internet censorship makes this difficult for many users in the country. By default, the Chinese government blocks access to a huge range of websites that might distribute information critical of the ruling Communist Party, including basic applications like Twitter, Instagram, and Gmail.
In censored areas, users can download Tor through the GetTor Telegram bot, or by emailing firstname.lastname@example.org.