The ESET researchers were able to trick the Atrax C&C server into sending two additional plug-ins to a test system infected with the malware. One of them was designed to steal information entered into Web forms and the other was capable of stealing passwords.
The other threat identified in July, called Agent.PTA, is part of a malware family known since 2012, the ESET researchers said. However, the Tor functionality is a new addition to it, they said.
Like Atrax, Agent.PTA has form-grabbing capabilities and its functionality can also be extended through plug-ins. The malware connects to Web control servers operated as Tor hidden services.
"This year we had already detected TOR-based botnets but during the summer we have observed a growth in the numbers of malware families starting to use TOR-based communications," the ESET researchers said. "The TOR-based botnets make it really hard to pursue investigation and C&C location tracking."
However, even if locating the real IP addresses of the C&C servers is difficult when they are reachable only from within the Tor network, analyzing the malware's communication protocols and its C&C traffic is still feasible, the researchers said.