

The modified settings of the trojanized Tor Browser in extension-overrides.js

The criminals want to prevent victims from updating the trojanized Tor version to a newer version, because in this case it would be replaced by a non-trojanized, legitimate version. That is why they disabled all kinds of updates in the settings, and even renamed the updater tool from updater.exe to updater.exe0.

In addition to the changed update settings, the criminals changed the default User-Agent to the unique hardcoded value:

Mozilla/5.0 (Windows NT 6.1 rv:77777.0) Gecko/20100101 Firefox/52.0

All trojanized Tor Browser victims will use the same User-Agent; thus it can be used as a fingerprint by the criminals to detect, on the server side, whether the victim is using this trojanized version.

The most important change is to the settings, which disable the digital signature check for installed Tor Browser add-ons. Therefore, the attackers can modify any add-on and it will be loaded by the browser without any complaint about it failing its digital signature check.

Furthermore, the criminals modified the HTTPS Everywhere add-on included with the browser, specifically its manifest.json file. The modification adds a content script (script.js) that will be executed on load in the context of every webpage.

Figure 9. The injected script executed in the context of every webpage

As the criminals behind this campaign know what website the victim is currently visiting, they could serve different JavaScript payloads for different websites. However, that is not the case here: during our research, the JavaScript payload was always the same for all pages we visited.

The JavaScript payload works as a standard webinject, which means that it can interact with the website content and perform specific actions. For example, it can do form grabbing, scrape, hide or inject content of a visited page, display fake messages, etc.

However, it should be noted that the de-anonymization of a victim is a hard task, because the JavaScript payload is running in the context of the Tor Browser and does not have access to the real IP address or other physical characteristics of the victim machine.
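As an added illustration (not code from the original article), the following Python script checks a Tor Browser profile's extension-overrides.js and an add-on's manifest.json for the changes described above: a disabled add-on signature check, disabled updates, the hardcoded User-Agent, and a content script injected into every page. The preference names are the standard Firefox ones and are assumed here; the article does not list the exact keys the criminals changed, and the sample inputs are constructed.

```python
import json
import re

# Constructed sample of an extension-overrides.js in the state the article
# describes. The pref names are assumed (standard Firefox keys); the article
# only says that "settings" were changed.
SAMPLE_OVERRIDES = """
pref("xpinstall.signatures.required", false);
pref("app.update.enabled", false);
pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1 rv:77777.0) Gecko/20100101 Firefox/52.0");
"""

# Constructed manifest.json fragment mirroring the described modification of
# HTTPS Everywhere: a content script (script.js) injected into every page.
SAMPLE_MANIFEST = json.dumps({
    "name": "HTTPS Everywhere",
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["script.js"], "run_at": "document_start"}
    ],
})

# Matches one pref("name", value); line and captures name and raw value.
PREF_RE = re.compile(r'pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs(text):
    """Return a dict mapping pref name -> raw value string as written in the file."""
    return {m.group(1): m.group(2).strip() for m in PREF_RE.finditer(text)}


def check_prefs(text):
    """Flag the three settings-level changes the article describes."""
    prefs = parse_prefs(text)
    findings = []
    if prefs.get("xpinstall.signatures.required") == "false":
        findings.append("add-on signature check disabled")
    if prefs.get("app.update.enabled") == "false":
        findings.append("browser updates disabled")
    ua = prefs.get("general.useragent.override", "").strip('"')
    if "rv:77777.0" in ua:  # the fingerprint value quoted in the article
        findings.append("hardcoded User-Agent with rv:77777.0")
    return findings


def check_manifest(manifest_text):
    """Flag content scripts that a WebExtension manifest injects into all URLs."""
    manifest = json.loads(manifest_text)
    findings = []
    for cs in manifest.get("content_scripts", []):
        if "<all_urls>" in cs.get("matches", []):
            findings.append("content script on every page: " + ", ".join(cs.get("js", [])))
    return findings
```

Run against a real profile, point `check_prefs` at the profile's extension-overrides.js and `check_manifest` at each unpacked add-on's manifest.json; a clean install yields empty lists.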
