How to Deanonymize Fraudulent Tor Web Servers

Although it is commonly accepted that little can be done to locate servers hosted on the Tor network, new research shows that some of them can be deanonymized, using ransomware domains hosted on the dark web as examples.


Cybercriminals typically need to use online servers, whether to collect stolen data, communicate with an infected machine via malware, or host phishing pages. One of the common techniques used by these threat actors to attempt to add a strong layer of anonymity is to use The Onion Router (Tor) network to hide the location of their servers.

Ransomware threat actors in particular, who know they attract a lot of attention and that their activities are tracked and investigated by both security researchers and law enforcement, make heavy use of the Tor network.

When used appropriately, Tor provides a fairly strong layer of anonymity, but it can also be misconfigured and leak information that can be used against fraudsters.


It is important to note that servers hosted on the Tor network are just typical servers hosted on the Internet – users simply access them through a special network.


Cisco Talos released new research outlining three different ways to gather more information about, and de-anonymize, domains hosted on the Tor network and used by ransomware threat actors.

First method: matching certificates

Transport Layer Security (TLS) is a protocol used for end-to-end encryption between computers on the Internet, and it is the protocol used when establishing HTTPS communications. To do this, the web server the user accesses needs a TLS certificate, which it presents when the connection is set up. Such a certificate contains information that can be tracked and used in an investigation.

Some ransomware threat actors actually use such certificates on their Tor-hosted websites, which helps investigators and can yield matches on the surface web (Figure A).

Figure A: TLS certificate used by the Dark Angels ransomware actor (Image: Cisco Talos).

If a TLS certificate used by a malicious actor is indexed on the surface web, it can lead to the web server that relies on the Tor network to keep its hosting anonymous. It could also lead to other content from the same threat actor, which is equally valuable for further investigation.

With the help of a service such as Shodan, which indexes information from across the Internet, including TLS certificates, this kind of investigation becomes easier.

Second method: matching favicons

The favicon is that little icon that users see in the browser’s URL bar when browsing a website or viewing their bookmarks list (Figure B).

Figure B: TechRepublic's favicon, displayed in a red box in the Firefox web browser.

Again, using Shodan, it is possible to match favicons found on a fraudulent website hosted on the Tor network with favicons on the surface web.

Talos researchers use the Quantum ransomware group as an example (Figure C).

Figure C: Quantum ransomware group page on the Tor network, with the favicon visible to the left of the page title (Image: Cisco Talos).

Using its dark web favicon, they found its equivalent on the surface web and were able to locate the threat actor’s web server (Figure D).

Figure D: Shodan showing the real IP address of the Quantum ransomware web server (Image: Cisco Talos).
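As an added illustration of the two artifact-matching methods above (example code written for this article, not code from Cisco Talos), the Python below computes the two pivot keys an investigator compares: the favicon hash in the form Shodan indexes (MurmurHash3 over the base64-encoded icon with 76-column line breaks) and a SHA-256 fingerprint of a TLS certificate's DER bytes. The murmur3_32 function is a pure-Python reimplementation so no third-party library is needed; the icon bytes and the PEM are constructed placeholders, not real artifacts.

```python
import base64
import hashlib

MASK32 = 0xFFFFFFFF

def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int (the convention of mmh3.hash)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h, n = seed & MASK32, len(data)
    for i in range(0, n - n % 4, 4):               # full 4-byte blocks
        k = int.from_bytes(data[i:i + 4], "little")
        h ^= (_rotl32((k * c1) & MASK32, 15) * c2) & MASK32
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[n - n % 4:]                        # 0..3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        h ^= (_rotl32((k * c1) & MASK32, 15) * c2) & MASK32
    h ^= n                                         # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon: bytes) -> int:
    """Shodan-style favicon hash: murmur3 over the base64 text with 76-column line breaks."""
    return murmur3_32(base64.encodebytes(icon))

def cert_sha256(pem: str) -> str:
    """SHA-256 over the DER bytes of a PEM certificate, the value a certificate search pivots on."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def pivot_keys(icon: bytes, pem: str) -> dict:
    return {"favicon_hash": favicon_hash(icon), "cert_sha256": cert_sha256(pem)}

def shared_pivots(onion: dict, clearnet: dict) -> set:
    """Names of the artifacts a Tor-hosted site has in common with a surface-web host."""
    return {k for k in onion if onion[k] == clearnet.get(k)}

# Constructed stand-ins (hypothetical): an ICO-like blob and a PEM wrapping the bytes b"abc".
ICON_A = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(40))
ICON_B = ICON_A[:-1] + b"\xff"
PEM_A = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
```

The same functions let an operator check their own Tor-hosted service: if its favicon hash or certificate fingerprint also appears on a surface-web host, the two are correlatable.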

Third method: catastrophic OpSec failures

OpSec failures can lead even the most skilled actor to leak data from their infrastructure.

Talos notes that the Nokoyawa ransomware group failed to properly secure some of its scripts, which allowed researchers to exploit a directory traversal vulnerability. In essence, this means using a parameter sent in the URL of an HTTP request to access a folder or file that should not normally be exposed on the Internet.

This failure, combined with incorrect permissions on directories and files, allowed researchers to see through the threat actor's anonymity by reading /var/log/auth.log* directly on the Linux server hosting the web content. When analyzed, this file revealed the IP addresses the attackers used to connect to the server over SSH.


Investigating and collecting threat intelligence on Tor-hosted services is a difficult task, but in many cases the Tor network does not give its users 100% anonymity. Using these services without making mistakes requires solid knowledge of networking and operating systems.

By using different investigative techniques, including those described in this article, it is possible to de-anonymize certain fraudulent servers and obtain information about the threat actor behind them.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
