Connect with us

Hi, what are you looking for?


Malware & Threats

More Malware Authors Adopting Tor as Means of Hiding Infrastructure

Researchers at Kaspersky Lab identified more malware utilizing Tor’s anonymity capabilities to shield their command and control infrastructure.

Researchers at Kaspersky Lab identified more malware utilizing Tor’s anonymity capabilities to shield their command and control infrastructure.

Known as ChewBacca – after the character in Star Wars and the name given to one of its functions – the malware drops the function ‘P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL’  as ‘spoolsv.exe’ into the Startup folder and requests the public IP of the victim via a publicly accessible service.

Tor is dropped as ‘tor.exe’ to the user’s Temp folder and runs with a default listing on ‘localhost:9050.’

“Lately Tor has become more attractive as a service to ensure users’ anonymity,” blogged Kaspersky Lab researcher Marco Preuss. “Also criminals use it for their activities, but they are only slowly adopting this to host their malicious infrastructure.”

Advertisement. Scroll to continue reading.

Malware Using TorThis was recently seen in a Zeus variant captured in the wild that also included functionality aimed at 64-bit systems. Other malware such as the CrimewareKit Atrax and the botnet built using the Mevade malware have been spotted using Tor as well.

Using Tor offers a level of protection that masks the location of a server. Still, there are drawbacks for attackers. For example, due to the overlay and structure, Tor is slower, Preuss explained. In addition, as seen with Mevade, a massive increase in botnet activity can affect the network and make such activity easy for researchers to spot.

“Tor is just one of many tricks in a good malware author’s – or gang’s – toolbox,” noted Richard Henderson, Security Strategist, FortiGuard Threat Research and Response Labs at Fortinet. “Tracking down command and control [C&C] can be difficult; other methods like…bouncing through C&C proxies, using [domain generation algorithms] and multiple C&C proxies, or using a P2P [peer-to-peer] C&C model…can make it difficult for researchers to track down the head of the beast in order to lop it off.”

Once running, ChewBacca logs all keystrokes to ‘system.log’, which is created by the malware in the local Temp folder. The Trojan also enumerates all running processes, reads their process memory and uses two different regular expression patterns to steal information.

Unlike Zeus, ChewBacca is currently not offered in public underground forums, according to Preuss.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...