The Tor anonymity browser is being targeted by hackers using Trojanized installers to install clipper malware and siphon cryptocurrencies from users in Russia and Eastern Europe. The malware can remain silent for years, only activating to replace a cryptocurrency wallet address with an address from a list of thousands.
It is not clear how the installers are being distributed, but evidence suggests the use of torrent downloads or an unknown third-party source.
The malware has been detected in 52 countries, and the scheme has reportedly netted almost $400,000 in illicit profits.
According to Vitaly Kamluk, director of the Global Research and Analysis Team (GReAT) for APAC at Kaspersky, the clipper malware is designed to avoid detection by activating only when clipboard data meets specific criteria.
This makes it more difficult to detect and more effective at stealing cryptocurrency.
Kamluk notes that the clipper malware is capable of scanning clipboard contents and replacing them with a randomly selected address from a hardcoded list of thousands of addresses.
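The behaviour described above (a clipboard value that is a wallet address being rewritten to a different address of the same format) can be turned into a simple detection heuristic. The following is an added example written for this article, not code from Kaspersky or from the malware: it assumes a polling loop that records clipboard snapshots as (timestamp in ms, text) pairs, and flags a change where one wallet address is replaced by a different same-format address almost immediately, which a human copying twice does not do. The address patterns, the 500 ms window and the sample trace are constructed for the example.

```python
import re

# Address shapes to watch for (constructed subset; real clippers cover many more coins).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
SWAP_WINDOW_MS = 500  # assumed: a clipper rewrites the clipboard within ms of a copy event


def address_format(text):
    """Return the wallet format name the text matches, or None if it is not an address."""
    candidate = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return name
    return None


def detect_swaps(snapshots, window_ms=SWAP_WINDOW_MS):
    """snapshots: time-ordered list of (timestamp_ms, clipboard_text) from a polling loop.
    Returns one alert per transition where a wallet address turned into a different
    address of the same format within window_ms of the previous clipboard change."""
    alerts = []
    last_text, last_change_ts = None, None
    for ts, text in snapshots:
        if text == last_text:
            continue  # clipboard unchanged since the previous poll
        if last_text is not None:
            before, after = address_format(last_text), address_format(text)
            if before is not None and before == after and ts - last_change_ts <= window_ms:
                alerts.append({"at_ms": ts, "format": before,
                               "copied": last_text, "replaced_with": text})
        last_text, last_change_ts = text, ts
    return alerts


# Constructed poll trace: the user copies ADDR_A at t=1000, the clipboard is rewritten to
# ADDR_B 50 ms later (should alert); a deliberate second copy minutes later must not alert.
ADDR_A, ADDR_B, ADDR_C = "0x" + "a" * 40, "0x" + "b" * 40, "0x" + "c" * 40
SAMPLE_TRACE = [
    (0, "some unrelated note text"),
    (1000, ADDR_A),
    (1050, ADDR_B),
    (1100, ADDR_B),
    (200000, ADDR_C),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_TRACE):
        print(f"clipper-style swap at {alert['at_ms']} ms ({alert['format']}): "
              f"{alert['copied']} -> {alert['replaced_with']}")
```

In a real deployment the snapshots would come from reading the OS clipboard on a timer; an alert is a reason to compare the pasted address with the sender's copy before signing a transaction.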
While the malware has primarily targeted users in Russia and Ukraine, it has also been detected in the United States, Germany, Uzbekistan, Belarus, China, the Netherlands, the United Kingdom, and France.
However, the campaign may be larger in scope, since the threat actors could be using other software installers and delivery methods to target unwary users.
Experts recommend downloading software only from reliable and trusted sources to prevent the spread of malware.