It has been a rough week for privacy-focused web browser Tor, or The Onion Router. Its underlying software was affected by browser malware, and cybercriminals were found to be hiding ransomware on the Tor network.

On Tuesday, the Tor mailing list reported the existence of a zero-day Firefox exploit that had been seen in the wild. While the researchers have yet to determine its exact function, they reported that the exploit had gained access to VirtualAlloc in kernel32.dll.

Fighting Fire With Firefox

Dan Guido of security firm Trail of Bits took a closer look at the code provided to the list. He found that it was a standard use-after-free exploit, not a heap overflow as some had surmised. He also discovered that it affected the scalable vector graphics (SVG) parser in Firefox. Since the Tor browser is built upon Firefox, any problem with Firefox is a problem for Tor.

“This type of exploit is much harder to write in Chrome and Edge due to memory partitioning, an exploit mitigation that Firefox lacks,” Guido said on Twitter, adding that he believed the creator wrote the exploit from scratch. Another researcher, meanwhile, noted that the payload delivered by the exploit was almost the same as the one the FBI used in 2013 to track child pornographers.

In the Tor newsletter, Roger Dingledine wrote that the Mozilla security team had located the bug and was working on a patch, which was later delivered to users. According to SecurityWeek, users can also prevent many websites from exhibiting their full functionality by disabling JavaScript.

How Browser Malware Works

Making matters more dicey, Cisco Talos researchers also noted that a new variant of Cerber ransomware was using redirections via Google and a Tor2Web proxy service to evade detection and mitigation. It did so by trying to hide the command-and-control (C&C) servers involved in the scheme.

Threatpost reported that the phishing emails designed to trigger the start of the infection process contained hyperlinks, not attachments. These links are disguised as files that would be attractive to victims, such as pictures and order details.

The specific URL to which the hyperlink resolves uses Google redirection, which redirects the victim to the malicious payload hosted on the Tor network. But how do the fraudsters get the victim onto the Dark Web without a Tor browser being present? That’s where the Tor2Web proxy service comes in.

Once fully redirected and connected, a Microsoft Word document is downloaded. It has a malicious macro attached to it that downloads the Cerber ransomware. Talos advised that organizations should block all Tor2Web and Tor traffic unless there is a specific and very important need for such services.

Ars Technica reported that Mozilla and Tor worked together to create an emergency patch for the zero-day vulnerability, but some damage may have already been done. Both episodes are black eyes for Tor. The community values its privacy, and any criminal enterprise using Tor to carry out its schemes only brings unwanted attention.