Anyone who wishes to browse the Internet without the prospect of being spied upon by others, whether for legal or illegal purposes, can always rely on the Tor browser if they’re so inclined. But in countries where Tor usage is deemed unlawful, the browser’s official download page may not be reachable.
That said, users set on using the Tor browser may have to rely on lesser-known download sites that are still accessible to them. Therein lies the problem: some of these sites, like the recently publicized malicious download link distributed via YouTube, could be serving a poisoned version of the browser.
To help protect users, WhoisXML API researchers sought to expand a list of indicators of compromise (IoCs) containing two domains—torbrowser[.]io and tor-browser[.]io—published by AlienVault. Our in-depth investigation revealed:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Kaspersky published a report on the malicious installer early this month, dubbing it “OnionPoison.” It was being widely distributed via a popular Chinese YouTube channel devoted to promoting anonymity on the Web.
Contrary to the Tor browser’s promise of privacy, OnionPoison was designed to steal all the information victims stored in their browsers and entered into web forms. All of it is sent to the attackers’ command-and-control (C&C) server.
As making the Internet safer for all is our primary goal, we hope to expand the list of IoCs by identifying connected artifacts that could put those duped by OnionPoison at great risk.
Using the two domains identified as IoCs as DNS lookup search terms provided four unique IP addresses to which they resolved, namely:
Malware checks showed that one of the four IP hosts—172[.]67[.]203[.]37—should be blocked, as several malware engines flagged it as malicious. All four are geolocated in the U.S. and list Cloudflare, Inc. as their Internet service provider (ISP).
To identify additional threat artifacts, we subjected the IP addresses to reverse IP lookups, which led to the discovery of at least 302 domains. One of them—disasgar[.]xyz—warrants particular caution, since it has been flagged as a malware host. At the time of writing, though, a screenshot lookup for it returned an error page.
Screenshot of malicious site disasgar[.]xyz
We then looked for more domains containing the string “torbrowser” via Domains & Subdomains Discovery. Our investigation uncovered 113 additional artifacts.
While only one of the additional “torbrowser” domains—torbrowser-rus[.]ru—was dubbed “malicious” by various malware engines, six others could pose a danger should the download buttons for the supposed Tor browser turn out to be malware-laden. These sites are torbrowser[.]in, torbrowser[.]nl, torbrowser[.]top, torbrowserpro[.]ru, torbrowserwin[.]com, and torbrowser-free[.]ru.
As the screenshots show, computers could get infected regardless of operating system (OS). A bulk WHOIS lookup for the domains also revealed that none of them are owned by the Tor Project: their records do not share “The Tor Project, Inc.” as registrant organization with the legitimate domain torproject[.]org.
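The two pivots above (collecting brand-lookalike domains containing “torbrowser” and clearing only those whose WHOIS registrant organization matches the legitimate one) can be scripted for triage. The following is an added example, not code from WhoisXML API or the original post; it runs on a constructed candidate list and constructed WHOIS values rather than live lookups.

```python
import re
from typing import Iterable

# Registrant organization the page names for the legitimate domain torproject[.]org.
LEGIT_DOMAIN = "torproject.org"
LEGIT_REGISTRANT = "The Tor Project, Inc."


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'torbrowser[.]io' back into a resolvable name."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator.strip().lower())


def defang(domain: str) -> str:
    """Write a domain in the '[.]' form used in reports so it is not accidentally clickable."""
    return domain.replace(".", "[.]")


def brand_lookalike(domain: str, keyword: str = "torbrowser") -> bool:
    """True if the domain contains the brand string once hyphens are ignored,
    so tor-browser[.]io matches as well as torbrowser[.]io."""
    return keyword in domain.replace("-", "")


def triage(candidates: Iterable[str], whois_orgs: dict, keyword: str = "torbrowser") -> list:
    """Return (defanged_domain, reason) for every brand-lookalike domain whose registrant
    organization is not the legitimate one. whois_orgs maps domain -> registrant
    organization (None when WHOIS returned no organization)."""
    flagged = []
    for raw in candidates:
        domain = refang(raw)
        if domain == LEGIT_DOMAIN or not brand_lookalike(domain, keyword):
            continue
        org = whois_orgs.get(domain)
        if org == LEGIT_REGISTRANT:
            continue
        reason = "no registrant organization in WHOIS" if org is None else f"registrant is {org!r}"
        flagged.append((defang(domain), reason))
    return flagged


# Constructed sample: some domains named on the page, paired with made-up WHOIS values.
SAMPLE_CANDIDATES = ["torbrowser[.]io", "tor-browser[.]io", "torbrowser-rus[.]ru",
                     "torbrowser[.]nl", "torproject[.]org", "example[.]com"]
SAMPLE_WHOIS = {  # constructed values, not real WHOIS data
    "torbrowser.io": "Privacy service (redacted)",
    "tor-browser.io": None,
    "torbrowser-rus.ru": "Private Person",
    "torbrowser.nl": "REDACTED FOR PRIVACY",
    "torproject.org": "The Tor Project, Inc.",
}

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_CANDIDATES, SAMPLE_WHOIS):
        print(f"{domain}: {reason}")
```

The naive substring match is deliberately broad; in practice the candidate list would come from a domain discovery feed and the WHOIS values from a bulk lookup.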
Online anonymity isn’t easy to procure. In OnionPoison’s case, instead of guaranteeing one’s privacy, the tool steals precious personal data and more. Avoiding the IoCs and the additional artifacts obtained via the WHOIS, IP, and DNS intelligence sources featured here, however, could be a step toward DNS security.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.