Trojan-rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons money from cryptocurrency wallets by replacing copied wallet addresses with the attacker's own. Kaspersky has detected these attacks in more than 52 countries, with most of them coming from Russia, where access to Tor is blocked.
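A clipboard injector works because the address the user pastes is not the one they copied. The detection logic below is an added example, not Kaspersky's code or anything from the campaign: it models a host-based monitor that records user-initiated copies, polls the clipboard, and raises an alert whenever the clipboard holds a wallet-looking address that the user never copied. Clipboard reads are abstracted as ("copy", text) and ("poll", text) events because real clipboard APIs are platform-specific; the address patterns and sample addresses are constructed for this example.

```python
import re

# Loose wallet-address patterns (constructed for this example; a production
# detector would add checksum validation rather than rely on regex alone).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}


def wallet_kind(text):
    """Return 'btc' / 'eth' if text looks like a wallet address, else None."""
    text = (text or "").strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_clipboard_swaps(events):
    """Scan an event stream and return alerts for suspected address swaps.

    events: iterable of (kind, text) where kind is "copy" for a copy the user
    performed (e.g. captured via a copy hotkey/menu hook) or "poll" for a
    periodic read of the current clipboard contents.

    An alert is raised when a polled value is a wallet address that differs
    from the last thing the user copied: an address showed up in the clipboard
    without the user putting it there, which is exactly what a clipper does.
    """
    alerts = []
    last_copied = None
    for kind, text in events:
        if kind == "copy":
            last_copied = text
        elif kind == "poll":
            found_kind = wallet_kind(text)
            if found_kind is not None and text != last_copied:
                alerts.append({
                    "kind": found_kind,
                    "expected": last_copied,
                    "found": text,
                })
    return alerts


# Constructed sample session: the user copies a BTC address, the clipboard is
# silently replaced, then an ETH address appears with no copy action at all.
USER_BTC = "bc1qexampleaddressforthisdemo000000000001"
SWAPPED_BTC = "bc1qattackercontrolledaddress00000000002"
INJECTED_ETH = "0x" + "ab" * 20

SAMPLE_EVENTS = [
    ("copy", USER_BTC),
    ("poll", USER_BTC),          # unchanged: no alert
    ("poll", SWAPPED_BTC),       # address changed without a copy: alert
    ("copy", "hello world"),
    ("poll", "hello world"),     # not an address: no alert
    ("poll", INJECTED_ETH),      # address appeared from nowhere: alert
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"[{alert['kind']}] clipboard swap suspected: "
              f"copied={alert['expected']!r} now={alert['found']!r}")
```

The monitor only knows what the user copied if copy actions are hooked; polling alone cannot distinguish a legitimate new copy from an injected one, which is why the two event types are kept separate.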
One attack, named EgotisticalGiraffe after an NSA manual for operational management procedures, exploits a type confusion vulnerability in Firefox’s E4X library.
Because Tor is a well-designed and robust anonymity tool, it is difficult to attack it directly. Instead, the NSA attacks Tor users through vulnerabilities in their Firefox browsers. The programs that attack Tor users are called Mjolnir, Mullenize, and EgotisticalGiraffe. Each has a zoological theme.
The National Security Agency’s (NSA) system of hacking Tor users is known as FoxAcid. The system, described in a top-secret NSA presentation leaked by Snowden, targets Tor users by exploiting vulnerabilities in their Firefox browsers. The system uses a set of secret Internet servers to identify Tor users and then attacks their computers. The attack is designed to ensure that the computer remains compromised long-term, allowing the NSA to continue eavesdropping on its targets.
Specifically, the NSA's attack on Firefox exploits a series of vulnerabilities in the browser's native functionality. These bugs are not in the Tor software itself, but in how the browser interacts with other services on the Internet. Once the browser is infected, it is redirected to a series of Web pages hosted on servers that mimic legitimate sites. These Web pages are designed to infect the browser with malware that can compromise a Tor connection. Security expert Bruce Schneier calls the technique a "man-in-the-middle attack," in which a server intercepts and manipulates real-time communications between two computers.
Once the NSA’s Quantum servers redirect the browser to a FoxAcid server, the server selects an exploit from its toolkit to use against the victim’s computer. This toolkit includes both public exploits that rely on software being out of date and zero-day exploits, which are saved for the most valuable targets.
If the NSA is targeting high-value targets, it will likely use a rare zero-day exploit, but it might also opt to install less costly malware on the target machine. The NSA can then call back to the victim's computer, using tools such as SECONDDATE and MAGIC SQUIRREL or man-in-the-middle Wi-Fi attacks code-named QUANTUMCOOKIE and EGOTISTICALGIRAFFE.
China’s cybersecurity authority has warned that a US National Security Agency cyberattack targeting research institutes could be the first of many to hit the country. It has warned that government, academic and business bodies around the world should be aware of the threat and take precautions. The attack is likely linked to a Trojan horse program named Validator, which was recently found in hundreds of key information systems at Chinese research institutes.
Earlier this year security researcher Josh Pitts uncovered malware that uses the anonymizing Tor network to infect executable files with a backdoor. He’s now releasing the code that lets anybody rig their own Tor exit nodes to spread the malware, and he’s planning to demonstrate how to do it at next month’s Blackhat conference in Las Vegas.
Pitts has been working on a new project called the Tor Backdoor Factory, which is designed to make it easy to create and distribute malicious software that can be launched through the Tor network. The site’s open source, and anyone can use it to try out different attack scenarios. He plans to release the toolkit next month, and he’s also working on a version that can be used by professional hackers.
The new toolkit will allow users to create customized attacks based on the intended target, the type of information they want to steal and other factors. It's possible to target specific regions, and the toolkit will also be able to bypass anti-virus products from big vendors like McAfee and Symantec.
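A hostile exit node can only rewrite an executable that passes through it in the clear, and the download looks normal to the recipient. The defender's check is integrity verification against a hash or signature obtained over a channel the exit node cannot touch. The code below is an added example, not Josh Pitts' tool or anything from the Tor project: it hashes the received bytes, compares them with an expected SHA-256, and separately flags plaintext HTTP transport. The sample "binary", its patched copy and the URLs are constructed for this example.

```python
import hashlib
from urllib.parse import urlsplit


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the received bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_download(url: str, data: bytes, expected_sha256: str) -> dict:
    """Check a downloaded file before it is executed.

    url:             where the bytes were fetched from (used only to note whether
                     the transport was plaintext HTTP, which an exit node can alter)
    data:            the bytes actually received
    expected_sha256: hash published by the vendor and obtained out-of-band, e.g.
                     from a signed release page or a separately verified channel

    Returns a findings dict; 'accept' is True only when the hash matches.
    """
    actual = sha256_hex(data)
    findings = {
        "sha256": actual,
        "hash_matches": actual == expected_sha256.strip().lower(),
        "plaintext_transport": urlsplit(url).scheme.lower() != "https",
    }
    findings["accept"] = findings["hash_matches"]
    return findings


# Constructed sample: a stand-in executable and a copy with four bytes rewritten,
# standing in for a patch applied in transit by a malicious exit node.
ORIGINAL = b"MZ" + b"\x00" * 62 + b"demo program body, not a real PE file"
PATCHED = bytearray(ORIGINAL)
PATCHED[64:68] = b"evil"
PATCHED = bytes(PATCHED)

# In practice this value comes from the publisher, not from the same download.
EXPECTED = sha256_hex(ORIGINAL)

if __name__ == "__main__":
    for url, blob in [("http://downloads.example.test/tool.exe", PATCHED),
                      ("https://downloads.example.test/tool.exe", ORIGINAL)]:
        result = verify_download(url, blob, EXPECTED)
        status = "OK" if result["accept"] else "REJECT"
        print(f"{status:6} {url} plaintext={result['plaintext_transport']} "
              f"sha256={result['sha256'][:16]}...")
```

The hash must not be fetched over the same untrusted path as the file: an exit node that can patch the binary can just as easily rewrite a hash listed on an HTTP page, so the comparison is only meaningful when the expected value comes from a signed or separately trusted source.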
OnionDuke is an advanced persistent threat (APT) that aims to steal information from targets. It has been linked to the Dukes, a group of well-funded and dedicated cyber espionage hackers that has been linked to the Russian government since 2008.
Infected computers are given a backdoor that connects to various command-and-control (C&C) servers. The malware then downloads and executes additional components. The components are hosted on websites that have been hacked by the attackers. The malware can then evade detection by connecting to fake domains and communicating with C&C servers using different encryption algorithms.
Researchers believe that OnionDuke has been around for a long time. The timestamps analyzed by F-Secure suggest that the oldest samples are from October 2013. The malware has also been known as CozyDuke, and it’s a member of the same family as MiniDuke, which is believed to be tied to the Russian government.
CozyDuke has been linked to targeted attacks against NATO and European government agencies. It has been described as a data-mining APT and shares command-and-control infrastructure with other APTs including MiniDuke and OnionDuke.