Heimdal
Home > Cybersecurity News

YouTube Channel Caught Distributing Malicious Installer

Corrupted Version of Tor Browser Targeting Chinese Users.

Last updated on October 5, 2022

article featured image

Contents:

A popular Chinese-language YouTube channel was discovered to be a means of distributing a trojanized version of a Windows installer for the Tor Browser, echoing other events directed at the paltform`s users.

The malicious version of the Tor Browser installer is being spread via a link present in the description of a video dating back to YouTube on January 9. The video has over 64,500 views and is still available to watch on the social media platform.

Source

Particularities of the Attack

While the actual Tor Browser website is blocked in China, users from this country often resort to downloading Tor from third-party websites. The attack takes advantage of this by tricking unsuspecting users searching for “Tor浏览器” (i.e., Tor Browser in Chinese) on YouTube into potentially downloading the rogue variant.

Clicking on the link brings forward a 74MB executable that, once installed, is designed to store users’ browsing history and data entered into website forms.

More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command-and-control server

Source

When Tor Browser (either the legitimate or the infected one) starts up, it loads the freebl3.dll library into the address space of a firefox.exe process. The weaponized freebl3.dll library establishes contact with a remote server that responds back with a second-stage payload containing the spyware, but only when the IP address of the victim originates from China.

The event, which received the name OnionPoison, seems to target China-based users exclusively but the exact number of victims is yet to be known. Unlike other types of browser hijacking, OnionPoison is not designed to gather user passwords, session cookies, or wallet data. Rather, it seems to identify its victims through their browsing histories, social networking account IDs, and Wi-Fi network SSIDs.

If you liked this article, follow us on LinkedInTwitterYouTubeFacebookand Instagram to keep up to date with everything we post.

Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

Related Articles

YouTube Creators Have Their Accounts Stolen by the New YTStealer MalwareChinese State-backed Actors Hack Telecom Firms to Steal DataYouTube Used to Push Password-Stealing MalwareRussian Threat Actors Tempt YouTubers with Bogus Paid Collaborations to Hijack their AccountsBrowser Hijacking: Definition, Removal and Prevention Guide

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V