Kaspersky warns of encryption-busting Reductor malware
Infection manipulates browsers to snoop on TLS comms
Kaspersky says it has uncovered a new malware infection that is able to decode encrypted TLS traffic without the need to intercept or manipulate it.
Known as Reductor, the malware was spotted in April of this year and is believed to be the work of an espionage-focused hacking crew known as Turla. The malware is thought to be connected to an earlier trojan called 'COMpFun'.
What makes Reductor unique, says Kaspersky's team, is its ability to manipulate TLS certificates. This, in turn, allows the infection to present other malware installers as legitimate software.
"Besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers," Kaspersky explains.
"Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts."
Rather than try to man-in-the-middle traffic or steal keys, the Kaspersky team found that the Reductor malware works by infecting the browser (either Chrome or Firefox) itself.
"The solution that Reductor’s developers found to mark TLS traffic is the most ingenious part," Kaspersky explained.
"They don’t touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation (PRNG) functions in the process’s memory."
By compromising the browser's random number generator, the malware's operators know ahead of time the random values that go into each TLS handshake the victim establishes, and can use them to mark that traffic for later identification. From there, the malware can decode the traffic and see what data is being transmitted, then send anything of interest back to the command server.
Because this data can be decoded, the attacker has no need to actually tamper with the traffic while it is in transit, and thus is able to function without alerting security tools or administrators that something is amiss.
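As an added defender-side illustration, not code from Kaspersky's report, the script below parses the 32-byte random field out of TLS ClientHello records and flags values that recur across connections. It assumes that a PRNG patched to emit host-related identifiers would make that field repeat from the same host; the sample records are constructed, not captured.

```python
from collections import Counter
from typing import Dict, Iterable, Optional

def build_client_hello(random32: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not a real capture)."""
    assert len(random32) == 32
    body = b"\x03\x03" + random32 + b"\x00"   # client_version, random, empty session id
    body += b"\x00\x02\x13\x01"                # one cipher suite (TLS_AES_128_GCM_SHA256)
    body += b"\x01\x00"                        # one compression method: null
    body += b"\x00\x00"                        # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type=client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def extract_client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte ClientHello random from a TLS record, or None if not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:   # content type 0x16 = handshake
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:           # handshake type 0x01 = client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32:                     # version (2) + random (32)
        return None
    return body[2:34]

def find_repeated_randoms(records: Iterable[bytes], threshold: int = 2) -> Dict[bytes, int]:
    """Map each ClientHello random seen at least `threshold` times to its count.

    A healthy PRNG should never produce the same 32-byte random twice, so any
    repeat is a strong signal that the browser's randomness has been tampered with.
    """
    counts: Counter = Counter()
    for rec in records:
        rnd = extract_client_random(rec)
        if rnd is not None:
            counts[rnd] += 1
    return {rnd: n for rnd, n in counts.items() if n >= threshold}

# Constructed traffic: two handshakes carrying an identical "marker" random, one clean.
MARKER = bytes(range(32))
CLEAN = bytes(range(32, 64))
SAMPLE_RECORDS = [build_client_hello(MARKER), build_client_hello(CLEAN), build_client_hello(MARKER)]

if __name__ == "__main__":
    for rnd, n in find_repeated_randoms(SAMPLE_RECORDS).items():
        print(f"suspicious: random {rnd.hex()} seen {n} times")
```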
"We haven’t seen malware developers interacting with browser encryption in this way before," Kaspersky’s Global Research and Analysis Team member Kurt Baumgartner said of the malware.
"It is elegant in a way and allowed attackers to stay well under the radar for a long time. The level of sophistication of the attack method suggests that the creators of Reductor malware are highly professional, which is quite common among nation-state backed actors."
Fortunately, for now the tactic appears to be limited to the highly-targeted espionage operations of this specific group. Should the components make their way onto other malware packages, however, they could pose a danger to the larger internet. ®