Opened 5 years ago

Closed 16 months ago

#13479 closed defect (wontfix)

Malware being served from and

Reported by: donncha
Owned by:
Priority: Medium
Milestone:
Component: Archived/operations
Version:
Severity: Normal
Keywords: trademark, violation, phishing, malware, archived-closed-2018-07-04
Cc: mrphs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Someone has set up a pretty believable copy of the site which is providing links to a binary hosted on another malicious domain.

Links to this domain are being spread on some .onion forums and on Reddit. I'll update the ticket when I get some more information.

Change History (10)

comment:1 Changed 5 years ago by donncha

Owner: set to phobos
Status: new → assigned

comment:2 Changed 5 years ago by mrphs

Cc: mrphs added

comment:3 Changed 5 years ago by donncha

I've looked at this site a bit more and it appears to be the same person/group who was running a few months ago.

The backdoored and binaries both seem to be droppers for the following payload.

This payload looks to be the same type as the one which was hosted on. jvoisin reversed and described it at. In this case the malware appears to communicate back to a C&C server listening on gbqi75ukulafpnsd.onion:24576, but I haven't investigated this fully yet.

I've reported both domains to Google's malicious website database so hopefully they will be added to the block lists soon.

comment:4 Changed 5 years ago by donncha

Summary: Probable malware being served from thetorproject.org → Malware being served from and

comment:5 Changed 5 years ago by mrphs

Reported. Thank you donncha!

Here is some additional info for the sake of having a record:



PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive

File: `torbrowser-install-3.6.6_en-US.exe_fake'
Size: 27336704
Modify: 2014-10-08 20:45:20.000000000 +0000

File: `torbrowser-install-3.6.6_en-US.exe_legit'
Size: 27301724
Modify: 2014-09-26 01:13:27.000000000 +0000

=========
        3600    IN      A
        3600    IN      NS
        3600    IN      NS
        3600    IN      NS

OriginAS:       AS32421
ASN:            BLCC - Black Lotus Communications, US

        300     IN      A
        86400   IN      NS
        86400   IN      NS

OriginAS:       AS45839

(second one has the same ASN as torbundlebrowser)
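
Added example (not code from the ticket, its reporters, or the Tor project): a small Python triage script that pulls the same facts the file(1) and stat output above records (PE32/GUI, the .NET CLR runtime header that marks the fake build, the NSIS signature that marks the real installer, plus size and hash), so a defender can keep a comparable record of a suspect installer next to a known-good one. The sample PE images it builds are constructed, headers-only stubs, not real binaries.

```python
import hashlib
import struct

NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"  # NSIS first-header signature

def triage(data: bytes) -> dict:
    """Extract the facts that separate a .NET dropper from a real NSIS installer."""
    info = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "pe32": False, "gui": False, "dotnet": False, "nsis": NSIS_MAGIC in data}
    if data[:2] != b"MZ" or len(data) < 0x40:
        return info
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < pe + 24 + 224:
        return info
    machine = struct.unpack_from("<H", data, pe + 4)[0]     # COFF Machine field
    opt = pe + 24                                           # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    info["pe32"] = magic == 0x10B and machine == 0x14C      # PE32 on Intel 80386
    info["gui"] = struct.unpack_from("<H", data, opt + 68)[0] == 2  # Windows GUI subsystem
    dirs = opt + (96 if magic == 0x10B else 112)            # data directory table
    if struct.unpack_from("<I", data, dirs - 4)[0] > 14:    # entry 14 = CLR runtime header
        rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)
        info["dotnet"] = rva != 0 and size != 0
    return info

def describe(info: dict) -> str:
    """Phrase the result the way file(1) did in the ticket."""
    if not info["pe32"]:
        return "not a PE32 image"
    desc = "PE32 executable (%s) Intel 80386" % ("GUI" if info["gui"] else "console")
    desc += " Mono/.Net assembly," if info["dotnet"] else ","
    desc += " for MS Windows"
    if info["nsis"]:
        desc += ", Nullsoft Installer self-extracting archive"
    return desc

def build_pe(dotnet: bool, nsis: bool) -> bytes:
    """Constructed, headers-only PE32 image used as sample input (not a real installer)."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew -> PE header
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 0)            # Machine=i386, no sections
    struct.pack_into("<H", img, 0x94, 224)                  # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)                # PE32 magic
    struct.pack_into("<H", img, 0x98 + 68, 2)               # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", img, 0x98 + 92, 16)              # 16 data directories
    if dotnet:
        struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2008, 72)  # CLR header RVA/size
    return bytes(img) + (NSIS_MAGIC if nsis else b"")
```

Run `describe(triage(open(path, "rb").read()))` on a downloaded installer and compare the result, size and hash with the legit record above.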

comment:6 Changed 5 years ago by cypherpunks

Try, try, try as fast as you can.
You’ll never catch me, I’m black sam.
I ran from the nsa and his bitch fbi too.
You’ll never catch me, not any of you.

Then came the pigs and jakey and rogey.
Who joined in the buttsex around the square.
They were all stupid and ready to eat,
But that black sam was too quick on his feet.

Try, try, try as fast as you can.
You’ll never catch me, I’m black sam.
I ran from the nsa and his bitch fbi too.
You’ll never catch me, not any of you.

comment:8 Changed 4 years ago by isis

Component: general → operations
Owner: phobos deleted

While I'm not entirely certain what the best course of action would be for containing the spread of this malware, I am certain that phobos' account doesn't exist anymore (#15896), so I'm deleting his ownership of this ticket. Also, recomponentising as "operations" since the (only?) course of action is probably some legal/trademark measure.

comment:9 Changed 4 years ago by isis

Status: assigned → new

comment:10 Changed 23 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:11 Changed 16 months ago by teor

Keywords: archived-closed-2018-07-04 added
Resolution: wontfix
Status: new → closed

Close all tickets in archived components
