How to de-anonymize fraudulent Tor web servers

While it is a common perception that not much can be done to locate remote servers hosted on the Tor network, new research shows that it is possible to de-anonymize some of them, using ransomware domains hosted on the Dark Web as examples.

Image: sharafmaksumov/Adobe Stock. Tor browser on a PC screen, with the onion-shaped logo.

Cybercriminals often need to operate online servers, whether to collect stolen data, communicate with an infected machine through malware, or host phishing pages. One of the common techniques these threat actors use to add a strong layer of anonymity is The Onion Router (Tor) network, which hides the location of their servers.

Ransomware threat actors in particular, who know they attract a lot of attention and that their activities are tracked and investigated by both security researchers and law enforcement agencies, make heavy use of the Tor network.

When used correctly, Tor provides a fairly strong layer of anonymity, but it can also be badly configured and leak information that can be used against fraudsters.


It is important to note that servers hosted on the Tor network are just ordinary servers hosted on the Internet; users simply reach them through a special network.

How to de-anonymize fraudulent Tor web servers

Cisco Talos published new research that exposes three different ways to gather more information about, and de-anonymize, domains hosted on the Tor network and used by ransomware threat actors.

First method: Certificate matching

Transport Layer Security (TLS) is a protocol used for end-to-end encryption between computers on the Internet. Typically, it is the protocol used when establishing HTTPS communications. To do so, the web server the user accesses needs a TLS certificate, which it presents during the handshake. Such a certificate contains information that can be tracked and used for investigation.

Some ransomware threat actors actually use these certificates for their websites, making it possible to investigate and possibly find matches on the surface web (Figure A).

Figure A

Image: Cisco Talos. TLS certificate used by the Dark Angels ransomware threat actor.

If a TLS certificate from a threat actor is indexed on the surface web, it can lead to the web server that is using the Tor network, so the hosting is fully de-anonymized. It may also lead to other content from the same threat actor, which can be valuable for further investigation.

With the help of something like the Shodan online service, which indexes information from the Internet, including TLS certificates, the investigation becomes easier.

Second method: Favicon matching

The favicon is the tiny icon that users see in the browser's URL bar when browsing a website, or in their bookmarks list (Figure B).

Figure B

TechRepublic's favicon, shown in the red box on a Firefox web browser.

Once again, using Shodan, it is possible to match favicons found on a fraudulent website hosted on the Tor network with favicons on the surface web.

The Quantum ransomware group is taken as an example by Talos researchers (Figure C).

Figure C

Image: Cisco Talos. Quantum ransomware group web page on the Tor network; the favicon is visible to the left of the page title.

Using its favicon from the dark web, they found its equivalent on the surface web and could locate the threat actor's web server (Figure D).

Figure D

Image: Cisco Talos. Shodan showing the real IP address of the Quantum ransomware web server.

Third method: Catastrophic OpSec failures

OpSec failures can lead even the most skilled actor to leak data from its infrastructure.

Talos notes that the Nokoyawa ransomware group did not secure some of its scripts properly, which allowed the researchers to exploit a directory traversal vulnerability. Basically, this consists of using a parameter sent in the URL of an HTTP request to gain access to a folder or file that should not normally be exposed on the Internet.

That failure, in addition to improper directory and file permissions, allowed the researchers to see through the threat actor's anonymity by accessing /var/log/auth.log* directly on the Linux server hosting the web content. That file, once analyzed, revealed the IP addresses the attackers used to connect to the server over the SSH protocol.


Investigating and collecting threat intelligence on Tor-hosted networks is a difficult task, but in many cases the Tor network does not provide 100% secure anonymity to its users. Using these services without making any mistakes requires strong network and operating system knowledge.

By using different investigative techniques, including those exposed in this article, it is possible to de-anonymize some fraudulent servers and obtain information about the threat actor itself.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

