Cyber espionage actors have developed a malware that can mark victims’ TLS-encrypted outbound traffic with identifiers so it can be compromised and potentially decoded later.
Dubbed Reductor, the malware appears to share similar code to the COMpfun trojan, which was first documented in 2014 and is closely associated with suspected Russian APT group Turla, aka Venomous Bear and Uroburos. For this and other reasons, the researchers at Kaspersky Lab who discovered Reductor believe Turla is likely behind this sophisticated threat.
A Reductor malware campaign targeting entities in Russia and Belarus has been operational since April 2019 and was still active as of August, according to a blog post report this week from Kaspersky’s Global Research & Analysis Team (GReAT) team.
Kaspersky found that Reductor spreads when a targeted computer downloads a software distribution from third-party sources, or via a decryptor/dropper program on machines that are already infected with COMpfun.
In instances where machines were infected during software distributions, Kaspersky determined that the third-party sites from which they were downloaded were not compromised, and the original installers were not infected. “This allowed us to confirm that Reductor’s operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly,” Kaspersky explains in its report.
In that weren’t clever enough, the actors also found what Kaspersky called a “clever” way to compromise and spy on the HTTPS communications of infected hosts without ever touching the network packets. Their solution, as it turns out, is to use an embedded Intel instruction length disassembler to install malicious patches on the victims’ Firefox or Chrome browsers, in order to sabotage their pseudo random number generation (PRNG) functions.
“Browsers use PRNG to generate the ‘client random’ sequence for the network packet at the very beginning of the TLS handshake,” Kaspersky explains. Via the malicious patching process, “Reductor adds encrypted unique hardware- and software-based identifiers for the victims to this ‘client random’ field.” These victim IDs are constructed by borrowing various values or data points from malicious digital certificates introduced by the malware, as well as the victim machine’s hardware properties.
“Turla has in the past shown many innovative ways to accomplish its goals, such as using hijacked satellite infrastructure,” the blog post concludes. “This time, if we’re right that Turla is the actor behind this new wave of attacks, then with Reductor it has implemented a very interesting way to mark a host’s encrypted TLS traffic by patching the browser without parsing network packets. The victimology for this new campaign aligns with previous Turla interests.”