The YouTube app logo is seen on a television screen. (Photo by Chris McGrath/Getty Images)

Kaspersky researchers noticed a rather clever way threat actors are deceiving users in China into downloading a malicious Tor browser installer that can be used to track the history and location of its victims.

The website for the Tor browser is banned in China, so users often resort to using third-party sites to download the contraband browser. In this case, the Kaspersky researchers say their telemetry detected the malicious installers via a link on a popular Chinese-language YouTube channel devoted to anonymity on the internet that has over 180,000 subscribers. 

The video with the link to the malicious installer first appeared on the YouTube channel in January, with victims starting to appear in March; it has been viewed over 64,000 times.

The Kaspersky researchers dubbed the campaign “OnionPoison” after Tor’s onion routing technique for anonymous communications, adding: “Unlike the legitimate one, the infected Tor Browser stores browsing history and data entered into website forms. More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it.”

The links are embedded in the description of the video, and since Tor is banned in China, users there are forced to download the malicious installer that’s hosted on a Chinese cloud-sharing service. The researchers note that one of the stages of the malware only deploys on machines with a Chinese IP address.

“We can therefore say that the OnionPoison campaign targets users that are located in China.”

If installed, the command-and-control server may request history from the Tor, Chrome and Microsoft Edge browsers, identities of WeChat and QQ accounts, and SSIDs and MAC addresses of WiFi networks. 

The Kaspersky researchers concluded: “Curiously, unlike common stealers, OnionPoison implants do not automatically collect user passwords, cookies or wallets. Instead, they gather data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks. The attackers can search the exfiltrated browser histories for traces of illegal activity, contact the victims via social networks and threaten to report them to the authorities.”

Check out the original blog post on the Kaspersky website for more details on this threat.