A trojanized version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and track the websites they visit.
More than 860 transactions are registered to three of the attackers' wallets, which have received about $40,000 worth of Bitcoin.
Careful impersonation
The malicious Tor Browser is actively promoted as the Russian version of the original product through posts on Pastebin that have been optimized to rank high in searches for drugs, cryptocurrency, censorship bypass, and Russian politicians.
Spam messages also help the actor(s) distribute the trojanized variant, which is delivered from two domains claiming to provide the official Russian version of the software.
The cybercriminals chose the two domain names (created in 2014) with care, since to a Russian user they look like the real thing:
  • tor-browser[.]org
  • torproect[.]org - to a Russian-speaking visitor the missing "j" reads like a transliteration from Cyrillic (the Russian word for "project" is "проект", proekt, with no "j" sound)
Furthermore, the design of the pages mimics, to some extent, the official site of the project. Landing on one of these pages shows the visitor a warning that their browser is outdated, regardless of the version they actually run, nudging them to download the trojanized "update".
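The two domains above are classic lookalikes: one is the legitimate name with a letter dropped, the other wraps the brand in a plausible-sounding registrable domain. The following Python is an added example, not code from the article or from the researchers behind it, showing how a defender might flag such lookalikes in DNS query logs. It checks three things against a small allowlist of legitimate domains: a near-identical name after folding a handful of Cyrillic homoglyphs to Latin, a small edit distance to the legitimate second-level label, and a protected brand keyword embedded in someone else's domain. The allowlist, the keyword list, the partial confusables table, the log format and the log lines themselves are all constructed for this example; the "last two labels" rule for the registrable domain is a simplification (real code should use the Public Suffix List).

```python
from __future__ import annotations

from typing import NamedTuple

# Constructed allowlist of legitimate registrable domains to protect.
# torproject.org is the real Tor Project site named in the article.
LEGIT_DOMAINS = {"torproject.org"}

# Constructed brand strings that should not appear inside anybody else's
# registrable domain. Matched after non-letters are stripped, so the
# label "tor-browser" is compared as "torbrowser".
BRAND_KEYWORDS = {"torproject", "torbrowser"}

# Partial, illustrative table of Cyrillic letters that render the same as
# Latin ones. A production check would use the full Unicode confusables data.
CONFUSABLES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
})

MAX_EDIT_DISTANCE = 2  # assumed threshold; tune against your own domain list


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), two-row DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Lower-case, drop a trailing dot, decode punycode labels if present and
    keep the last two labels. Simplification: does not handle multi-label
    public suffixes such as co.uk (use the Public Suffix List for that)."""
    host = host.strip().rstrip(".").lower()
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: fall through with the raw name
    return ".".join(host.split(".")[-2:])


class Verdict(NamedTuple):
    host: str
    registrable: str
    reason: str   # "legit" | "homoglyph" | "edit-distance" | "brand-keyword" | "unrelated"
    closest: str  # legitimate domain or keyword the host resembles ("" if none)


def classify(host: str) -> Verdict:
    """Decide whether a queried host is, or merely resembles, a protected domain."""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return Verdict(host, reg, "legit", reg)
    # Exact match only after folding homoglyphs: the visible string is the
    # brand, but the code points are not.
    folded = reg.translate(CONFUSABLES)
    if folded in LEGIT_DOMAINS:
        return Verdict(host, reg, "homoglyph", folded)
    label = folded.rsplit(".", 1)[0]  # second-level label, e.g. "torproect"
    for legit in LEGIT_DOMAINS:
        if levenshtein(label, legit.rsplit(".", 1)[0]) <= MAX_EDIT_DISTANCE:
            return Verdict(host, reg, "edit-distance", legit)
    squashed = "".join(ch for ch in label if ch.isalpha())
    for keyword in BRAND_KEYWORDS:
        if keyword in squashed:
            return Verdict(host, reg, "brand-keyword", keyword)
    return Verdict(host, reg, "unrelated", "")


# Constructed DNS query log in a simple key=value format; the fourth line
# uses a Cyrillic "о" in place of the Latin one.
SAMPLE_DNS_LOG = """\
2019-10-18T10:01:02Z client=10.0.0.21 query=www.torproject.org type=A
2019-10-18T10:01:09Z client=10.0.0.21 query=torproect.org type=A
2019-10-18T10:02:44Z client=10.0.0.37 query=tor-browser.org type=A
2019-10-18T10:03:10Z client=10.0.0.37 query=tоrproject.org type=A
2019-10-18T10:05:00Z client=10.0.0.52 query=duckduckgo.com type=A
"""


def suspicious_from_log(log_text: str) -> list[Verdict]:
    """Return verdicts for every queried name that resembles a protected domain
    without being it."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        host = fields.get("query")
        if not host:
            continue
        verdict = classify(host)
        if verdict.reason not in ("legit", "unrelated"):
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for v in suspicious_from_log(SAMPLE_DNS_LOG):
        print(f"{v.host:<22} {v.reason:<14} resembles {v.closest}")
```

Both article domains are caught by different rules: torproect[.]org sits one edit from the legitimate label, while tor-browser[.]org is far from it by edit distance and is flagged only because the brand keyword survives once the hyphen is stripped. Treat the output as a triage queue rather than a block list: "tor" alone is far too generic to use as a keyword, which is why the example keys on the longer strings.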