Popular YouTube Channel Caught Distributing Malicious Tor Browser Installer

A popular Chinese-language YouTube channel has emerged as a means to distribute a trojanized version of a Windows installer for the Tor Browser.

Kaspersky dubbed the campaign OnionPoison, with all of the victims located in China. The scale of the attack remains unclear, but the Russian cybersecurity company said it detected victims appearing in its telemetry in March 2022.

The malicious version of the Tor Browser installer is being distributed via a link present in the description of a video that was uploaded to YouTube on January 9, 2022. It has been viewed over 64,500 times to date.

The channel hosting the video has 181,000 subscribers and claims to be based in Hong Kong. The video is still available to watch on the social media platform as of writing.

The attack banks on the fact that the actual Tor Browser website is blocked in China, thus tricking unsuspecting users searching for “Tor浏览器” (i.e., Tor Browser in Chinese) on YouTube into potentially downloading the rogue variant.

Clicking on the link redirects the user to a 74MB executable that, once installed, is designed to store users’ browsing history and data entered into website forms.

“More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command-and-control server,” Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin said.

The weaponized freebl3.dll library achieves this by establishing contact with a remote server that responds back with a second-stage payload containing the spyware, but only when the IP address of the victim originates from China.

The spyware module further provides the functionality to exfiltrate a list of installed software and running processes, browser histories, victims’ WeChat and QQ account IDs, in addition to executing arbitrary shell commands on the victim machine.

What’s notable about the command-and-control server (torbrowser[.]io) is that it’s a visual replica of the original Tor Browser website and its download links lead to the legitimate Tor Browser portal.

The development echoes another campaign in which gamers looking for cheats and cracks on YouTube are being directed to videos containing links to a malicious archive file distributing information stealers and cryptocurrency miners. Google has since terminated the hacked channels.

The Hacker News has reached out to the internet giant for comment regarding the latest findings, and we will update the story if we hear back.