
Someone is tricking Chinese YouTube users with a spyware version of the Tor Browser


Researchers at Kaspersky have discovered malware hidden in a modified version of the anonymity-preserving Tor Browser, distributed in a way that specifically targets users in China.

According to details published in a blog post on Tuesday, the malware campaign reaches unsuspecting users via a Chinese-language YouTube video about staying anonymous online. During the analysis period, the video was the top result for the YouTube query “Tor浏览器,” which translates to “Tor browser” in Chinese. Beneath the video, one URL links to the official Tor website (which is blocked in China); another provides a link to a cloud-sharing service that hosts an installer for Tor, modified to include malicious code.

Once the file is executed, it installs a working version of Tor Browser on the user’s machine. But the browser has been modified to save details of browsing history and any form data entered by the user, which the genuine version of Tor Browser forgets by default.
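To make that modification concrete from the defender's side, here is an added example (not code from Kaspersky's report or from the Tor Project) that parses a Firefox-style prefs.js and flags settings that would make a Tor Browser profile retain browsing history or form data. The preference names are standard Firefox ones; the expected values and both sample profiles are assumptions constructed for this example, so adapt the expected table to the build you actually verify.

```python
"""
Check a Tor Browser profile's prefs for settings that would make the
browser retain history or form data.

Added example, not code from the Kaspersky report or the Tor Project.
Assumptions (labelled): the preference names below are standard Firefox
prefs that Tor Browser inherits; the expected values are what a
forgetful, privacy-preserving profile is assumed to use; both prefs.js
samples are constructed for this example.
"""
import re

# Assumed expected values for a genuine, forgetful profile.
EXPECTED_PREFS = {
    "browser.privatebrowsing.autostart": True,   # always run in private mode
    "places.history.enabled": False,             # no browsing history on disk
    "browser.formfill.enable": False,            # no stored form-field autocomplete
    "signon.rememberSignons": False,             # no saved logins
}

# Matches lines such as: user_pref("places.history.enabled", false);
_PREF_LINE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def _parse_value(raw: str):
    """Convert a prefs.js literal (true/false, quoted string, int) to Python."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text: str) -> dict:
    """Parse prefs.js / user.js text into a {name: value} mapping."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def find_retention_deviations(prefs: dict, expected: dict = EXPECTED_PREFS) -> list:
    """
    Return (pref, found, expected) triples for each privacy pref whose value
    differs from the expected default. A pref absent from the profile is
    reported with found=None so the reviewer sees it rather than assuming it.
    """
    deviations = []
    for name, want in expected.items():
        got = prefs.get(name)
        if got != want:
            deviations.append((name, got, want))
    return deviations


# Constructed sample: a profile as a forgetful browser would write it.
CLEAN_PREFS = """
user_pref("browser.privatebrowsing.autostart", true);
user_pref("places.history.enabled", false);
user_pref("browser.formfill.enable", false);
user_pref("signon.rememberSignons", false);
"""

# Constructed sample: a profile altered to retain history and form data.
TAMPERED_PREFS = """
user_pref("browser.privatebrowsing.autostart", false);
user_pref("places.history.enabled", true);
user_pref("browser.formfill.enable", true);
user_pref("signon.rememberSignons", false);
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_PREFS), ("tampered", TAMPERED_PREFS)):
        devs = find_retention_deviations(parse_prefs(text))
        print(f"{label}: {len(devs)} deviation(s)")
        for name, got, want in devs:
            print(f"  {name}: found {got!r}, expected {want!r}")
```

Run it against the prefs.js of a profile you suspect; the clean sample yields no deviations, while the tampered sample reports the three prefs that were flipped. A prefs check only catches configuration-level tampering, so it complements, rather than replaces, verifying the installer itself came from the official source.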

Even more concerning, the malicious version of the browser also attempts to download an additional malware payload from a remote server, which the researchers say is only installed on machines with an IP address located in China. When the second-stage malware is installed on a target machine, it retrieves details like the computer’s GUID (a unique identifying number) along with the system name, current user name, and MAC address (which identifies the machine on a network).

All of this information is sent to a remote server, and according to Kaspersky’s analysis, this server can also request data on the system’s installed applications, browser history (including that of the fake Tor Browser), and the IDs of any WeChat and QQ messaging accounts present on the computer.

Notably, the malware appears designed to identify the user rather than steal data that could be sold for profit. “Unlike common stealers, OnionPoison implants do not automatically collect user passwords, cookies or wallets,” Kaspersky researchers note. “Instead, they gather data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks.”

The result is a powerful and comprehensive surveillance program targeted specifically at Chinese internet users. Together, the data obtained would be enough to build a complete profile of a user’s identity and internet usage habits, even as they browsed with software that they believed would keep them anonymous.

The best protection against this kind of attack is to download software only from a trusted source (in this case, the official Tor Project portal), but China’s extensive internet censorship makes this difficult for many users in the country. By default, the Chinese government blocks access to a huge range of websites that could distribute information critical of the ruling Communist Party, including basic applications like Twitter, Instagram, and Gmail.
