
Rogue Tor Browser: When Search for Anonymity Leads to Exposure Instead

Anyone who wishes to browse the Internet without the prospect of being spied upon by others, whether for legal or illegal purposes, can always rely on using the Tor browser if they’re so inclined. But for countries where Tor usage is deemed unlawful, accessing the browser’s official download page may not be an option.

That said, users set on using the Tor browser may need to rely on relatively unknown and possibly accessible download sites. Therein may lie the problem, given that some, like the recently publicized malicious download link distributed via YouTube, could be distributing a poisoned version.

To ensure protection, WhoisXML API researchers sought to expand a list of indicators of compromise (IoCs) containing two domains—torbrowser[.]io and tor-browser[.]io—published by AlienVault. Our in-depth investigation revealed:

  • Four shared IP addresses to which the IoCs resolved, one of which is malicious
  • At least 302 domains that shared the IoCs’ IP hosts, one of which is classified as a malware host
  • 113 additional domains containing the string “torbrowser,” one of which is a confirmed spam host

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know Already about the Malicious Tor Browser Installer

Kaspersky published a report on the malicious installer early this month, dubbing it “OnionPoison.” It was being widely distributed via a popular Chinese YouTube channel devoted to promoting anonymity on the Web.

Contrary to the Tor browser’s promise, OnionPoison was designed to steal all the information users stored in their browsers and entered into web forms. All this is sent to the attackers’ command-and-control (C&C) server.

As making the Internet safer for all is our primary goal, we hope to expand the list of IoCs by identifying connected artifacts that could put those duped by OnionPoison at great risk.

IoC List Expansion Details

Using the two domains identified as IoCs as DNS lookup search terms provided four unique IP addresses to which they resolved, namely:

  • 172[.]67[.]203[.]37
  • 104[.]21[.]74[.]133
  • 104[.]21[.]87[.]4
  • 172[.]67[.]139[.]26

Malware checks showed that one of the IP hosts—172[.]67[.]203[.]37—requires blocking, as several malware engines deemed it malicious. All four IP addresses are geolocated in the U.S. and indicated Cloudflare, Inc. as their Internet service provider (ISP).

To identify additional threat artifacts, we subjected the IP addresses to reverse IP lookups that led to the discovery of at least 302 domains. One of them—disasgar[.]xyz—should particularly be avoided since it’s been dubbed a malware host. Currently, though, a screenshot lookup for it leads to an error page.

Screenshot of malicious site disasgar[.]xyz

We then looked for more domains containing the string “torbrowser” via Domains & Subdomains Discovery. Our investigation uncovered 113 additional artifacts.

While only one of the additional “torbrowser” domains, torbrowser-rus[.]ru, was dubbed “malicious” by various malware engines, six could pose dangers should the download buttons for the supposed Tor browser turn out to be malware-laden. These sites are torbrowser[.]in, torbrowser[.]nl, torbrowser[.]top, torbrowserpro[.]ru, torbrowserwin[.]com, and torbrowser-free[.]ru.

As the screenshots show, computers could get infected regardless of operating system (OS). A bulk WHOIS lookup for the domains also revealed that none of them were owned by the Tor Project, given that their records don’t share “The Tor Project, Inc.” as registrant organization with the legitimate domain torproject[.]org.
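
An added example, not part of the original article or WhoisXML API's tooling: a sketch of how the domain indicators above could be matched against DNS query logs, separating exact IoC hits from "torbrowser" lookalikes that still need review. The log format, client addresses and `.example` hostnames are constructed assumptions.

```python
# Indicators quoted on this page, kept defanged as published.
CONFIRMED = ["torbrowser[.]io", "tor-browser[.]io",
             "disasgar[.]xyz", "torbrowser-rus[.]ru"]
LEGIT_APEX = "torproject.org"  # legitimate domain named on the page
KEYWORD = "torbrowser"         # search string used for domain discovery

# Constructed DNS query log (timestamp, client, qname); not real traffic.
SAMPLE_LOG = """\
2022-10-20T08:01:12Z 10.0.0.15 www.torproject.org
2022-10-20T08:02:40Z 10.0.0.22 tor-browser.io
2022-10-20T08:03:05Z 10.0.0.22 DL.TorBrowser.io.
2022-10-20T08:04:11Z 10.0.0.31 get-tor-browser.example
2022-10-20T08:05:59Z 10.0.0.31 example.org
2022-10-20T08:06:30Z 10.0.0.40 torbrowser.torproject.org.example
"""

def refang(indicator):
    """Normalise a hostname: undo [.] defanging, lowercase, drop root dot."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

BLOCKLIST = {refang(d) for d in CONFIRMED}

def under(name, apex):
    """True if name is apex or a subdomain of it, aligned on label boundaries."""
    return name == apex or name.endswith("." + apex)

def classify(qname):
    """Return 'ioc', 'lookalike' or 'ok' for one queried hostname."""
    name = refang(qname)
    if any(under(name, d) for d in BLOCKLIST):
        return "ioc"
    if under(name, LEGIT_APEX):
        return "ok"
    # Ignore hyphens inside each label so tor-browser also matches the keyword.
    if any(KEYWORD in label.replace("-", "") for label in name.split(".")):
        return "lookalike"  # review candidate, not proof of malice
    return "ok"

def triage(log_text):
    """Return (client, qname, verdict) for every non-ok query in the log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        verdict = classify(parts[2])
        if verdict != "ok":
            hits.append((parts[1], refang(parts[2]), verdict))
    return hits
```

The four IP addresses are not matched here because, as the reverse IP results above show, they are shared by hundreds of domains.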

Online anonymity isn’t easy to procure. In OnionPoison’s case, instead of guaranteeing one’s privacy, the tool steals precious personal data and more. Avoiding access to the IoCs and additional artifacts obtained via WHOIS, IP, and DNS intelligence sources featured here, however, could be a step toward DNS security.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
