Add fake Tor Browser #16799

Merged: mapx- merged 1 commit into uBlockOrigin:master from iam-py-test:master on Feb 17, 2023

Conversation

iam-py-test (Contributor) commented Feb 17, 2023

URL(s) where the issue occurs

https://ru-torproject.ru/en/

Describe the issue

This website claims to be the official website for the Tor Browser, but bundles the installer with malware (it does install what appears to be the real Tor Browser).
Website: https://app.any.run/tasks/679e9afa-eb19-4414-a086-e280a779a448
File: https://tria.ge/230217-xd8nksgc9x/behavioral2 (it detected the sandbox & evaded it, but not before dropping a very suspicious file)
VT: the initial installer --> extracts this & the real Tor browser --> creates and executes C:\Users\%username%\AppData\Roaming\Microsoft\xampresinquepics\ampresinquepic.exe

Screenshot(s)

(4 screenshots attached to the original report; not included in this text extract)

Versions

  • Browser/version: Firefox 110.0 (host)
  • uBlock Origin version: uBlock Origin 1.47.1b0

Settings

uBlock Origin: 1.47.1b0
Firefox: 110
filterset (summary):
  network: 223072
  cosmetic: 131219
  scriptlet: 21221
  html: 1038
listset (total-discarded, last-updated):
  added:
    https://botnet-filter.pages.dev/botnet-filter.txt: 644-0, 5h.41m
    https://raw.githubusercontent.com/DandelionSprout/adfilt/master/ClearURLs%20for%20uBo/clear_urls_uboified.txt: 702-9, 5h.45m
    https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Dandelion%20Sprout's%20Anti-Malware%20List.txt: 31503-400, 8h.27m
    https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt: 2124-104, 5h.44m
    https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Special%20security%20lists/IDNHomographProtectionTotal.txt: 1-0, 5h.51m
    https://raw.githubusercontent.com/LambLeeg/LambList/master/LambList.txt: 132-46, 1d.9h.23m
    https://raw.githubusercontent.com/ShadowWhisperer/IPs/master/Malware/Browser: 33-0, 3d.18h.57m
    https://raw.githubusercontent.com/iam-py-test/my_filters_001/main/anti-redirectors.txt: 106-0, 5h.37m
    https://raw.githubusercontent.com/iam-py-test/my_filters_001/main/anti-rickroll-list.txt: 845-30, 8h.26m
    https://raw.githubusercontent.com/iam-py-test/my_filters_001/main/antimalware.txt: 52311-2146, 5h.39m
    https://raw.githubusercontent.com/iam-py-test/my_filters_001/main/brave-clean-up.txt: 11292-9, 5h.43m
    https://raw.githubusercontent.com/iam-py-test/my_filters_001/main/duckduckgo-clean-up.txt: 56443-37, 5h.36m
    https://raw.githubusercontent.com/iam-py-test/my_filters_001/main/personal/iam-py-test.txt: 66-13, 5h.40m
    https://raw.githubusercontent.com/iam-py-test/vxvault_filter/main/domains_file.txt: 255-0, 5h.38m
    https://raw.githubusercontent.com/iam-py-test/vxvault_filter/main/ubolist_full.txt: 1180-0, 5h.42m
    https://raw.githubusercontent.com/yokoffing/filterlists/main/click2load.txt: 82-0, 5d.7h.48m
    block-lan: 44-0, 19d.19h.5m
    curben-phishing: 34931-14, 5h.48m
    curben-pup: 193-0, 5h.47m
    ublock-annoyances: 4787-10, 1d.6h.5m
    [2 lists not shown]: [too many]
  default:
    user-filters: 148-0, never
    ublock-filters: 32953-66, 2d.23h.1m
    ublock-badware: 4342-5, 2d.23h
    ublock-privacy: 310-2, 7d.8h.4m
    ublock-abuse: 77-0, 7d.8h.3m
    ublock-unbreak: 1892-1, 2d.22h.59m
    ublock-quick-fixes: 174-0, 5h.50m
    easylist: 61818-985, 1d.9h.25m
    easyprivacy: 30968-1749, 1d.9h.24m
    urlhaus-1: 6050-10, 5h.49m
    plowe-0: 3676-12, 6d.18h.48m
filterset (user): [array of 134 redacted]
trustedset:
  added: [array of 3 redacted]
switchRuleset:
  added: [array of 4 redacted]
hostRuleset:
  added: [array of 783 redacted]
urlRuleset:
  added: [array of 2 redacted]
modifiedUserSettings:
  advancedUserEnabled: true
modifiedHiddenSettings:
  filterAuthorMode: true
  updateAssetBypassBrowserCache: true
supportStats:
  allReadyAfter: 930 ms (selfie)
  maxAssetCacheWait: 631 ms

Notes

I have reported this website to a security vendor, and they have blocklisted it.
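Two defender-side checks that follow from the report above, written as an added example (this is not code from the uBlock Origin project or from the reporter, and the PR's actual filter-list diff is not shown on this page): the first turns the reported URL into a uBlock Origin network filter of the shape a badware-list entry normally takes, and the second scans process-creation log lines for an executable run from an unexpected sub-directory of %AppData%\Roaming\Microsoft, the location where the report says the dropped second stage was created and executed. The log lines and the allow-list of directory names are constructed for the example; they are not taken from the linked sandbox reports.

```python
"""
Added example: a uBO domain filter from a reported URL, plus a simple
process-creation detection for executables dropped under
%AppData%\\Roaming\\Microsoft\\<unexpected dir>\\.
Sample events and the allow-list below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit


def ubo_domain_filter(url: str) -> str:
    """Return the uBO static network filter that blocks every request to the URL's host.

    '||host' anchors at the start of the hostname (so subdomains match as well)
    and the trailing '^' is uBO's separator token, so 'host' will not match a
    longer hostname that merely starts with the same characters.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return f"||{host}^"


# Constructed allow-list of directory names under %AppData%\Roaming\Microsoft
# that an environment may consider expected; anything else under that path is
# reported. Tune this per environment.
ALLOWED_ROAMING_MS_DIRS = {"teams", "onedrive"}

# Matches ...\AppData\Roaming\Microsoft\<dir>\<file>.exe (case-insensitive)
# and captures the first directory below Microsoft.
_ROAMING_MS_EXE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE
)


def suspicious_roaming_exe(image_path: str) -> bool:
    """True when the image lives in a non-allow-listed dir under Roaming\\Microsoft."""
    m = _ROAMING_MS_EXE.search(image_path)
    return bool(m) and m.group(1).lower() not in ALLOWED_ROAMING_MS_DIRS


def flag_events(lines):
    """Parse key="value" process-creation lines; return the suspicious Image paths."""
    hits = []
    for line in lines:
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        image = fields.get("Image", "")
        if suspicious_roaming_exe(image):
            hits.append(image)
    return hits


# Constructed process-creation events in a key="value" layout. The first one
# mirrors the path named in the report; the others are benign look-alikes.
SAMPLE_EVENTS = [
    'EventId="1" Image="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\xampresinquepics\\ampresinquepic.exe" '
    'ParentImage="C:\\Users\\alice\\Downloads\\torbrowser-install.exe"',
    'EventId="1" Image="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Teams.exe" '
    'ParentImage="C:\\Windows\\explorer.exe"',
    'EventId="1" Image="C:\\Users\\alice\\Desktop\\Tor Browser\\Browser\\firefox.exe" '
    'ParentImage="C:\\Users\\alice\\Downloads\\torbrowser-install.exe"',
]

if __name__ == "__main__":
    print(ubo_domain_filter("https://ru-torproject.ru/en/"))
    for hit in flag_events(SAMPLE_EVENTS):
        print("suspicious:", hit)
```

The filter function only covers the plain domain case shown in this report; a list maintainer would still decide by hand whether a `$all` option or a narrower path-based rule is the right shape for a given entry. The detection is deliberately narrow (one parent directory, executables only) so it can be read as a starting point rather than a general dropper rule.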
