Tor Goes Wrong: Malware Steals $400k in Cryptocurrency

Diving into details

• These fake Tor installations are often advertised as "security-enhanced" versions of the official Tor Project or distributed in countries where Tor is banned to hinder access to the official version. 
• Kaspersky detected 16,000 variations of these Tor installers in 52 countries between August 2022 and February 2023, which amassed over $400,000 in cryptocurrency. 
• A majority of the targets are located in Russia and Eastern Europe, however, the U.S., Germany, China, France, the Netherlands, and the U.K are also affected.

Coming to clipboard-injector malware

• The passive clipboard-injector malware is  protected by the Enigma packer v4.0, making analysis difficult. 
• It is suspected that the malware authors used a pirated version of the packer, as no license information was found. 
• The malware integrates with Windows clipboard viewers, receiving notifications whenever clipboard data changes. 
• It, subsequently, scans any text with a set of embedded regular expressions and replaces any matches with a randomly selected address from a hardcoded list.

Why this matters

• Despite its seemingly simple nature, this attack poses significant danger. Not only does it enable irreversible money transfers, but it is also passive and difficult for the average user to detect.
• Another factor that complicates the detection of clipboard-injectors is their payload. Unlike other malware, they do not execute their malicious payload until an external condition is met, such as the clipboard containing data of a certain format. 
• This reduces the likelihood of being spotted through automatic sandboxing.

The bottom line