A modified version of the anonymity-preserving Tor Browser has been found being used to target users in China.
A Chinese-language video about staying anonymous online is one of the ways the campaign reaches users. The video was the top result for the Chinese-language search query for "Tor browser". Beneath the video there is a link to a cloud-sharing service that hosts an installer for Tor, whose official download site is blocked in China.
After the file is executed, a working version of the browser is installed on the machine. The genuine browser discards any form data the user enters; this version has been modified to save browsing history and form data.
The researchers say that the malicious version of the browser is only installed on machines with an internet connection in China. The computer's GUID, a unique identifying number, along with system name, current user name, and MAC address are some of the details retrieved when the second-stage software is installed on a machine.
All of this information is sent to a remote server, which can request data on the system's installed applications, browser history, and the IDs of any messaging accounts present on the computer.
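Because a tampered build like this has to send the collected identifiers out of the machine, one defender-side check is to look for the Tor Browser's own firefox.exe opening connections that bypass the bundled tor process. The following is an added example, not code from the article or from the researchers' report; the "Tor Browser\Browser\firefox.exe" folder layout and the local SOCKS port 9150 are assumptions based on a default Windows install, and the event lines are constructed.

```python
import csv
import io

# Constructed sample network-connection telemetry (not real indicators).
# Columns: time, process, image, dst_ip, dst_port
SAMPLE_EVENTS = """\
time,process,image,dst_ip,dst_port
2022-10-04T09:00:01,firefox.exe,C:\\Users\\u\\Desktop\\Tor Browser\\Browser\\firefox.exe,127.0.0.1,9150
2022-10-04T09:00:02,tor.exe,C:\\Users\\u\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe,203.0.113.10,443
2022-10-04T09:00:05,firefox.exe,C:\\Users\\u\\Desktop\\Tor Browser\\Browser\\firefox.exe,198.51.100.7,443
2022-10-04T09:00:06,firefox.exe,C:\\Program Files\\Mozilla Firefox\\firefox.exe,198.51.100.7,443
"""

LOCALHOST = {"127.0.0.1", "::1"}
# Assumption: Tor Browser's default SOCKS port (9150) and the system tor default (9050).
TOR_SOCKS_PORTS = {9150, 9050}


def is_tor_browser_image(image: str) -> bool:
    """True if the image path looks like the Firefox shipped inside a Tor Browser bundle.

    Assumption: the bundle keeps firefox.exe under "Tor Browser\\Browser\\" on Windows.
    """
    path = image.replace("/", "\\").lower()
    return "\\tor browser\\browser\\firefox.exe" in path


def suspicious_connections(csv_text: str) -> list:
    """Return events where Tor Browser's firefox.exe connects anywhere other than the local tor SOCKS port.

    A genuine Tor Browser routes everything through the bundled tor process, so a direct
    outbound connection from its firefox.exe is worth investigating.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_tor_browser_image(row["image"]):
            continue  # tor.exe itself and other Firefox installs are out of scope
        via_tor = row["dst_ip"] in LOCALHOST and int(row["dst_port"]) in TOR_SOCKS_PORTS
        if not via_tor:
            hits.append(row)
    return hits


if __name__ == "__main__":
    for event in suspicious_connections(SAMPLE_EVENTS):
        print("direct connection from Tor Browser firefox.exe:", event["time"], event["dst_ip"], event["dst_port"])
```

In the constructed sample only the 09:00:05 event is flagged; the first line is normal SOCKS traffic to the local tor process, and the ordinary Firefox install is ignored.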
The software seems to be designed to identify the user rather than steal their data. OnionPoison implants don't automatically collect user passwords, cookies or wallet data. They gather data that can be used to identify the victims.
Chinese internet users are the focus of the campaign. The data obtained would be enough to build a comprehensive profile of a user's identity and internet usage habits, even as they browsed with software that they thought would keep them anonymous.
China's extensive internet censorship makes it hard for many users in the country to download software from a trusted source. By default, the Chinese government blocks access to a huge range of websites that might distribute information critical of the ruling Communist Party.