A new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered.


Last month, a researcher revealed that a Russia-based Tor exit node had been patching files downloaded through it with malware. By wrapping legitimate executable files with malware, the attackers increased their chances of bypassing integrity check mechanisms.

After analyzing files served through this exit node, F-Secure researchers determined that they all contained the same piece of malware, which the security firm has dubbed "OnionDuke."


OnionDuke is a malware family that has been distributed via the Tor network since at least October 2013. According to F-Secure, since at least February 2014 the threat actors have also distributed it through malicious versions of pirated software hosted on torrent websites.


F-Secure's report adds: “However, it would seem that the OnionDuke family is much older, both based on older compilation timestamps and also on the fact that some of the embedded configuration data makes reference to an apparent version number of 4 suggesting that at least three earlier versions of the family exist.”


OnionDuke is a separate family from MiniDuke, a sophisticated malware family with Russian roots that has been seen in advanced persistent threat (APT) campaigns against government organizations. However, researchers have found that the two threats are connected through their command and control (C&C) infrastructure: some of the C&C domains used by MiniDuke and some used by OnionDuke were registered at around the same time by an individual using the alias "John Kasai".


The OnionDuke dropper served through the malicious Tor exit node contains a PE resource that appears to be an embedded GIF image file but is in reality an encrypted DLL. The dropper decrypts the DLL, writes it to disk and executes it; the DLL then connects to a hardcoded C&C domain, from which it may receive instructions to download and execute additional malicious components.
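A resource-triage routine for droppers of this shape, added here as an illustration and not F-Secure's code or OnionDuke's actual decryption logic: it classifies a resource blob by what it really contains rather than by the type it claims, checking for a genuine GIF signature, a PE header, a PE header hidden under a single-byte XOR key (a generic analyst heuristic assumed for illustration; the page does not say which scheme OnionDuke uses), and finally raw entropy. All sample blobs are constructed inline and are not real OnionDuke artifacts; the function and constant names are the example's own.

```python
import math
import struct
from typing import Optional

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_gif(data: bytes) -> bool:
    """A genuine GIF starts with GIF87a/GIF89a followed by a 7-byte logical screen descriptor."""
    return len(data) >= 13 and data[:6] in GIF_MAGICS


def is_pe(data: bytes) -> bool:
    """Check the MZ stub and that e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(data: bytes) -> Optional[int]:
    """Brute-force a single-byte XOR key using the PE header as known plaintext.

    Assumed for illustration only: the page does not state how OnionDuke
    encrypts the embedded DLL, and a real sample may use something else.
    """
    for key in range(256):
        if is_pe(bytes(b ^ key for b in data)):
            return key
    return None


def triage_resource(data: bytes, entropy_threshold: float = 7.0) -> str:
    """Classify a resource blob by its actual content, ignoring the declared type."""
    if is_gif(data):
        return "gif"
    if is_pe(data):
        return "pe"
    key = recover_xor_key(data)
    if key is not None:
        return f"xor-encrypted pe (key 0x{key:02x})"
    if shannon_entropy(data) >= entropy_threshold:
        return "high-entropy blob"
    return "unknown"


# Constructed samples (not real malware): a 1x1 GIF header, a minimal PE
# skeleton, that skeleton XOR-encrypted with key 0x5A, and a byte ramp that
# has maximal entropy but no recognisable header.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)


def _fake_pe() -> bytes:
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: NT headers follow the DOS header
    return bytes(header) + b"PE\0\0" + b"\0" * 60


SAMPLE_PE = _fake_pe()
SAMPLE_ENCRYPTED_PE = bytes(b ^ 0x5A for b in SAMPLE_PE)
SAMPLE_RANDOMISH = bytes(range(256))

if __name__ == "__main__":
    for name, blob in [("gif", SAMPLE_GIF), ("pe", SAMPLE_PE),
                       ("encrypted", SAMPLE_ENCRYPTED_PE), ("noise", SAMPLE_RANDOMISH)]:
        print(f"{name:10s} entropy={shannon_entropy(blob):.2f} -> {triage_resource(blob)}")
```

Run against resources extracted from a suspect binary, a resource that is named or typed as an image yet triages as "pe", "xor-encrypted pe" or "high-entropy blob" is the kind of mismatch worth pulling into a sandbox; a real GIF of that size should pass the signature check and sit well below 7 bits per byte.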


F-Secure added that there’s strong evidence to suggest OnionDuke itself has been used in targeted attacks against European government agencies, although the infection vector remains a mystery.


"Interestingly, this would suggest two very different targeting strategies. On one hand is the 'shooting a fly with a cannon' mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT operations," said F-Secure researcher Artturi Lehtiö.


The malware authors have not given up on MiniDuke and they keep improving it. An updated version of the Trojan, dubbed CosmicDuke, was discovered by F-Secure this summer.


It's never a good idea to download binaries via Tor (or anything else) without encryption. The problem with Tor is that you have no idea who is maintaining the exit node you are using and what their motives are. VPNs will encrypt your connection all the way through the Tor network, so the maintainers of Tor exit nodes will not see your traffic and can't tamper with it.

Note: The above content has been taken from: