Trojanized TOR Browser Installers Spreading Crypto-Stealing Clipper Malware

Trojanized installers for the TOR anonymity browser have been used since September 2022 to target users in Russia and Eastern Europe with clipper malware designed to siphon cryptocurrencies.

“Clipboard injectors […] can be silent for years, show no network activity or any other signs of presence until the disastrous day when they replace a crypto wallet address,” Vitaly Kamluk, director of global research and analysis team (GReAT) for APAC at Kaspersky, said.

Regardless of the method used, the installer launches the legitimate executable while simultaneously launching the clipper payload, which is designed to monitor the clipboard content.

Each sample is packed with thousands of possible replacement addresses that are selected at random. It also comes with the ability to disable the malware by means of a special hotkey combination (Ctrl+Alt+F10), an option likely added during the testing phase.
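
A payload that watches the clipboard and swaps in a replacement wallet address still has to change the clipboard, and that change can be checked for: one address replaced by a different address of the same type moments after a copy. The following detection heuristic is an added example, not code from Kaspersky or the original report; the address patterns, the function names, the two-second window and the sample timeline are assumptions made for illustration.

```python
import re

# Assumed address shapes (not listed on the page): Bitcoin legacy/bech32, Ethereum.
PATTERNS = {
    "btc-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def address_kind(text):
    """Return the wallet-address kind the whole clipboard text matches, or None."""
    candidate = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(candidate):
            return kind
    return None

def find_swaps(observations, max_gap=2.0):
    """Flag an address replaced by a different one of the same kind within max_gap seconds.

    observations: iterable of (timestamp_seconds, clipboard_text), oldest first.
    """
    alerts = []
    prev = None  # (timestamp, kind, address) when the previous observation was an address
    for ts, text in observations:
        kind = address_kind(text)
        addr = text.strip()
        if kind and prev and prev[1] == kind and prev[2] != addr and ts - prev[0] <= max_gap:
            alerts.append({"at": ts, "kind": kind, "copied": prev[2], "now": addr})
        prev = (ts, kind, addr) if kind else None
    return alerts

# Constructed sample timeline and addresses, not captured from a real host.
ETH_A = "0x" + "a1" * 20
ETH_B = "0x" + "b2" * 20
BTC_A = "1" + "A" * 33
SAMPLE = [
    (0.0, "meeting notes"),
    (10.0, ETH_A),    # user copies a payment address
    (10.3, ETH_B),    # replaced 300 ms later: flagged
    (60.0, BTC_A),    # a different kind of address: not flagged
    (61.0, "hello"),  # non-address content: not flagged
    (300.0, ETH_A),
    (900.0, ETH_B),   # different address, but minutes apart: not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```

The same comparison works at the point of use: checking the pasted address against the one that was copied before confirming a transfer.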

It’s suspected that the campaign could be larger in scope due to the possibility that the threat actors could be leveraging other software installers and hitherto unseen delivery methods to target unwary users.

To secure against such threats, it’s always recommended to download software only from reliable and trusted sources.