One of those links downloads a malicious Tor Browser installer. The description of the YouTube channel contains two links. It is known that cybercriminals behind the OnionPoison campaign are using a YouTube channel to distribute malicious Tor Browser installers. They may use the extracted information to blackmail victims by threatening to report them to the authorities if their browsing histories or other details would contain traces of illegal activities. Cybercriminals behind it aim to gather data that can be used to identify victims. The OnionPoison campaign is used to extract data via malicious Tor Browsers. Combo Cleaner is owned and operated by Rcs Lt, the parent company of read more.
To use full-featured product, you have to purchase a license for Combo Cleaner.
Our security researchers recommend using Combo Cleaner. To eliminate possible malware infections, scan your computer with legitimate antivirus software. Stolen passwords and banking information, identity theft, the victim's computer added to a botnet.
Infected email attachments, malicious online advertisements, social engineering, software 'cracks'. Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Kaspersky (), ZoneAlarm by Check Point (), Full List ( VirusTotal)Įlastic (Malicious (moderate Confidence)), Kaspersky (), Rising (Trojan.Zenpak!8.10372 (CLOUD)), Full List ( VirusTotal) In addition to collecting information, cybercriminals may try to execute shell commands on the infected computers to obtain control over them. All gathered information is sent back to the C2 server. Gathered data may also include the list of installed software, running processes, Tor Browser, Google Chrome, and Edge browsing history, and SSIDs and MAC addresses of Wi-Fi networks used by victims. Once loaded, the second stage DLL retrieves globally unique identifiers of the operating system disk volume and machine, computer name, computer geolocation, current username, and MAC addresses of network adapters. The C2 server checks the IP address of the infected computer and only sends the payload to victims located in China. Another important detail about the malicious Tor Browser is that it communicates with a C2 server to retrieve a second-stage payload. It also enables caching of pages on disk, automatic form filling and saving login data, and stores additional session data for web pages. The malicious Tor Browser stores browsing history. Two other file dropped by the malicious installer are freebl.dll (which cannot be found in the original installer) and firefox.exe (which is also present in the original installer, but it is modified in the malicious one). It drops the freebl3.dll file which can be found in the original installer, but its contents are different.
Nevertheless, the malicious installer drops different files. More about the malicious Tor browsers and their installersīoth malicious and original Tor Browser installers have the same design/user interface. Malicious Tor Browsers include a library infected with spyware that gathers personal information and sends it to a C2 server. Tor Browser is a legitimate browser that makes it more difficult to trace its user's Internet activity (it protects the user's privacy). OnionPoison is the name of a campaign used to distribute malicious Tor Browser installers.