How does malware utilize tor?

jasper · March 30, 2021, 6:42am

So, there is quite a lot of malware nowadays that use the tor network to communicate with c2 servers.
From what I see is they host their c2 server under a .onion domain and then they hardcode tor “proxies” into the malware which is uses to connect to which will then allow it to send data back to the c2 server.

Now when I asked people about how they get the “proxies” I was told they are not really proxies but that is what they look like

As you can see to me these look like proxies, now I know the tor project themselves every 20minutes has a page that auto updates of the latest tor exit nodes but my question is how are they getting the port number so they can route traffic through them too?

Now I was able to speak to someone once who made malware that used this and they simply said to me “They are free online, anyone can incorporate this into their malware” but he would not tell me where people get them from x_x

Anyone got any ideas at all?

verking · April 1, 2021, 9:33pm

I’m not sure about this particular variant you are showing so any more information is helpful.

What you are probably talking about are “tor2web” proxies, GitHub - tor2web/Tor2web: Tor2web is an HTTP proxy software that enables access to Tor Hidden Services by mean of common web browsers . These proxies are specifically converting clearweb traffic to tor traffic without having to install additional Tor related binaries. So when your friend said they are free, you can lookup the software I mentioned above and find a couple of Tor2Web sites that will forward traffic onto a Tor website.

It doesn’t look like it in your example but Tor binaries are also included in some malware so that they can funnel all the traffic to Tor but this tends to have a lot of downsides. Resilient Botnet Command and Control with Tor by Dennis Brown (Defcon July 2010) made a pretty good presentation that is still relevant if you are curious for more.

jasper · April 6, 2021, 10:19am

An Update for a Very Active DDos Botnet: Moobot I was mainly referring to a specific piece of malware although since I first read about this piece alot more have come out using the same technique.
They dont have tor binaries they have proxies hardcoded into the malware itself which they use and then when they spread newer version of the malware they update the proxies.

jasper · April 12, 2021, 12:14pm

BUMP! I am still needing to find this out.