Researchers have discovered a trojanized version of a Tor private browser that targets Russian-speaking dark web marketplace visitors and lets cybercriminals steal from their e-wallet transactions.

The developers behind the malicious browser have so far stolen at least $40,000 in bitcoin, although the true number is likely higher. Researchers from ESET discovered a version of the trojanized app that was modified from the legitimate January 2018 release of Tor Browser 7.5. However, the cybercriminal operation dates back even further to at least 2017, while two malicious domains used to distribute the malware were created way back in 2014, ESET has reported in a blog post authored by company researcher Anton Cherepanov.

The trojanized browser works the same as the authentic version, but with several key changes. While the criminals didn’t tinker with the code, they did change the default browser settings and some extensions. For starters, the malicious actors behind this scheme have disabled a signature check process for installed add-ons. This allows the adversaries to introduce malicious add-ons without having to worry about being flagged by a digital signature check.

One example of such a malicious add-on is a modified version of HTTPS Everywhere included with the browser, which downloads a JavaScript payload for every web page the user visits and runs it in the context of that page. This allows the criminals to serve a variety of page-customized payloads. So far, however, the criminals have stuck to one payload: a web inject capable of form grabbing, scraping, injecting content and displaying fake messages, ESET explained.

Using this payload, the cybercriminals have targeted users of three of the largest Russian-speaking dark web marketplaces by tampering with e-wallets located on the pages of these markets. The attack works on both conventional bitcoin wallets and wallets associated with the Russian money transfer service QIWI. When victims visit their profile page to add funds to their account, the trojanized app switches their intended address to an attacker-controlled address.

The developers of the trojanized app also disabled updates so that users cannot update the browser to a newer, legitimate version of the software.
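
Both configuration changes described above, the disabled add-on signature check and the disabled updates, leave traces in a browser's preference files that a defender can audit. The following is an added example, not code from ESET or the Tor Project: the preference names are standard Firefox ones assumed here because the article does not name them, the expected values are assumed stock defaults, and the sample file is constructed.

```python
import re

# Firefox-family preference names (assumed; the article does not name them).
# Expected values are the assumed defaults of an unmodified build.
EXPECTED = {
    "xpinstall.signatures.required": True,  # add-on signature enforcement
    "app.update.enabled": True,             # update checks (Firefox ESR 52 era)
    "app.update.auto": True,                # automatic update download
}

# Matches pref(...), user_pref(...), lockPref(...) and defaultPref(...) lines.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|lockPref|defaultPref)'
    r'\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.MULTILINE,
)

def parse_prefs(text):
    """Return {name: value}; the last assignment in the file wins."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """List (pref, found, expected) for each security pref set to a weaker value.
    Prefs absent from the file are skipped: the built-in default applies."""
    prefs = parse_prefs(text)
    return [(name, prefs[name], want) for name, want in EXPECTED.items()
            if name in prefs and prefs[name] != want]

# Constructed sample preference file, not taken from the real malware.
SAMPLE = '''
// constructed test profile
pref("browser.startup.homepage", "about:tor");
pref("xpinstall.signatures.required", false);
pref("app.update.enabled", false);
pref("app.update.auto", true);
'''

if __name__ == "__main__":
    for name, found, want in audit(SAMPLE):
        print(f"{name}: found {found!r}, expected {want!r}")
```

An audit like this only reports settings the file overrides; it complements, and does not replace, verifying the installer's signature against the publisher's key.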

To encourage downloads of the trojanized app, the cybercriminals behind it created a pair of Russian-language websites. One site falsely states that the visitor’s computer has an outdated Tor browser. “Your anonymity is in danger!” the page warns in hopes of persuading the reader to click an “Update” button. Doing so takes the potential victim to the second site, from which they download the trojanized browser. That second page’s address, torproect[.]org, is just one letter different from the real torproject.org site.

The cybercriminals promoted these two web pages via spam messages on various Russian forums that specialize in topics like darknet markets, cryptocurrency, internet privacy and censorship bypass. The malicious actors also created four Pastebin accounts and generated various pastes to promote the domains, all of which were viewed more than 500,000 times. One such paste said (in Russian), “BRO download Tor Browser so the cops won’t watch you.”