Full Report
Tor has announced Oniux, a new command-line tool for routing any Linux application securely through the Tor network for anonymized network connections. [...]
Analysis Summary
# Tool/Technique: Tor Oniux
## Overview
Tor Oniux is a new, experimental tool developed by the Tor Project and designed to anonymize the network traffic of **any** Linux application by redirecting it through a Tor SOCKS proxy. It aims to overcome the limitations of older tools such as `torsocks`, in particular their inability to handle raw system calls and static binaries.
## Technical Details
- Type: Tool (Network Anonymization Utility)
- Platform: Linux
- Capabilities: Redirects network traffic of specified applications through a Tor SOCKS proxy using Linux namespaces, providing greater isolation and coverage than `torsocks`.
- First Seen: Not explicitly stated, but described as "New and experimental."
## MITRE ATT&CK Mapping
*(Note: Since Oniux is a defensive/operational tool for anonymizing traffic, direct offensive TTP mappings are less applicable. However, its function relates to network obfuscation/tunneling, sometimes used by threat actors, or by defenders for operational security.)*
- **TA0008 - Lateral Movement** (If used to anonymize C2 or internal scanning)
- **T1572 - Protocol Tunneling** (The underlying mechanism of using Tor)
- **TA0011 - Command and Control** (If used to establish C2 over Tor)
- **T1090 - Proxy**
- **T1090.003 - Proxy: Multi-hop Proxy** (Tor is inherently a multi-hop network)
## Functionality
### Core Capabilities
* **Traffic Redirection:** Forces network connections from an arbitrary application to flow through the Tor network.
* **Namespace Utilization:** Uses Linux namespaces for stronger isolation than the `ld.so` preload hack used by `torsocks`.
* **Broad Application Support:** Works on applications performing raw system calls, unlike `torsocks`, and supports static binaries.
* **Engine:** Uses the **Arti** engine for its Tor implementation.
### Advanced Features
* **Enhanced Security against Leaks:** A malicious application cannot easily leak traffic by making raw system calls, a weakness present in `torsocks`.
* **Usage Examples:** Can be used to "torify" shell sessions (`oniux bash`), run specific commands over Tor (`oniux curl http://example.onion`), or run GUI applications over Tor (`oniux hexchat`).
* **Implementation Language:** Written in Rust.
## Indicators of Compromise
* File Hashes: N/A (This is a legitimate tool; IOCs would relate to its installation/execution environment if abused.)
* File Names: `oniux`
* Registry Keys: N/A (Linux tool)
* Network Indicators: Relies on established Tor infrastructure (Circuits established via the running Arti engine).
* Behavioral Indicators: Use of `cargo install` for deployment; execution patterns involving prefixing existing commands (e.g., `oniux <application>`).
## Associated Threat Actors
* The tool is primarily associated with **Tor Project Developers/Enthusiasts** for testing and operational use. (Note: Threat actors known to use standard Tor are relevant, but Oniux itself is a novel utility provided by the Tor project.)
## Detection Methods
* Signature-based detection: Presence of the `oniux` binary outside expected operational directories, or signatures for the Rust-compiled binary if monitoring compiled executables.
* Behavioral detection: Monitoring for processes being launched via `oniux` wrappers, indicating forced Tor traffic tunneling.
* YARA rules: Not provided in the context.
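Behavioral detection of the `oniux <application>` prefix pattern, as an added example (not from the Tor announcement or the Oniux project): the Python below parses auditd `EXECVE` records, decodes auditd's hex-encoded arguments, and reports every exec whose `argv[0]` basename is `oniux` together with the command it wrapped. The log lines are constructed; the `~/.cargo/bin/oniux` path reflects where `cargo install` places binaries by default.

```python
"""Flag processes launched through the oniux wrapper in auditd EXECVE records.
Added example, not from the Tor announcement or Oniux; sample lines are constructed."""
import re
from pathlib import PurePosixPath

# Event serial number, e.g. msg=audit(1716000000.102:302)
MSG_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")
# One argv field: aN="text", or unquoted aN=<hex> when the argument has spaces/quotes.
ARG_RE = re.compile(r'\ba(?P<idx>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')

def decode_arg(quoted, hexval):
    """Return the argument text from whichever encoding auditd used."""
    if quoted is not None:
        return quoted
    return bytes.fromhex(hexval).decode("utf-8", errors="replace")

def parse_execve(line):
    """Return (serial, argv) for a type=EXECVE record, or None for other types."""
    if "type=EXECVE" not in line:
        return None
    msg = MSG_RE.search(line)
    if msg is None:
        return None
    args = {int(a.group("idx")): decode_arg(a.group("quoted"), a.group("hex"))
            for a in ARG_RE.finditer(line)}
    return int(msg.group("serial")), [args[i] for i in sorted(args)]

def find_oniux_wrapped(lines):
    """List (serial, wrapped command) for every exec whose argv[0] is oniux.
    Matching the basename catches a bare `oniux` on PATH as well as the
    ~/.cargo/bin/oniux path that `cargo install` produces."""
    hits = []
    for line in lines:
        parsed = parse_execve(line)
        if parsed is None:
            continue
        serial, argv = parsed
        if len(argv) > 1 and PurePosixPath(argv[0]).name == "oniux":
            hits.append((serial, " ".join(argv[1:])))
    return hits

# Constructed sample: plain bash, two oniux-wrapped commands (one via the cargo path
# with hex-encoded "echo hi"), a direct curl, and a SYSCALL record to be ignored.
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1716000000.101:301): argc=1 a0="bash"',
    'type=EXECVE msg=audit(1716000000.102:302): argc=3 a0="oniux" a1="curl" a2="http://example.onion"',
    'type=EXECVE msg=audit(1716000000.103:303): argc=4 a0="/home/dev/.cargo/bin/oniux" a1="bash" a2="-c" a3=6563686F206869',
    'type=EXECVE msg=audit(1716000000.104:304): argc=2 a0="curl" a1="https://example.com"',
    'type=SYSCALL msg=audit(1716000000.105:305): arch=c000003e syscall=59 success=yes exit=0',
]
```

Calling `find_oniux_wrapped(SAMPLE_LOG)` returns the two wrapped launches (serials 302 and 303) and ignores the direct `curl`, which is the point of pairing exec monitoring with the `oniux` prefix rather than alerting on Tor-capable clients alone.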
## Mitigation Strategies
* Prevention measures: For systems where anonymity is not required, monitoring for and blocking the installation of non-standard network tooling like Oniux. If Tor is necessary, ensuring only the official, hardened Tor Browser bundle or established relay software is used.
* Hardening recommendations: Since Oniux relies on Linux namespaces, keep the kernel patched against any potential namespace escape vulnerabilities. For general security, discourage the use of experimental tools (`oniux` is explicitly flagged as experimental and not battle-proven) for critical operations.
## Related Tools/Techniques
* **Torsocks:** The predecessor tool that Oniux seeks to replace or improve upon, which uses an `ld.so` preload hack and does not work reliably with raw syscalls or static binaries.
* **Arti:** The Rust-based Tor engine utilized by Oniux.
* **Tor:** The underlying anonymous network protocol.