Cyber espionage actors have created malware that can mark victims’ TLS-encrypted outbound traffic with identifiers, so that the traffic can be picked out and potentially decoded later. According to a new Kaspersky Lab report, the operators of the malware dubbed ‘Reductor’ have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly.
While the new strain has some RAT functions such as uploading, downloading and executing files, it is also capable of manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers. The analysis of the malware showed similarities in code with the COMpfun trojan, which was first documented in 2014 and is believed to have been created by the APT group Turla, aka Venomous Bear and Uroburos. Based on this finding, the researchers believe that the Reductor malware was developed by COMpfun’s creators.
A Reductor campaign targeting entities in Russia and Belarus has been operational since April 2019 and was still active as of August, the researchers said.
The Reductor malware is distributed by using two infection methods: one of them involves infecting popular software distributions (Internet Downloader Manager, WinRAR, etc.), while the second scenario takes advantage of COMpfun’s ability to download files on already compromised hosts.
The malware doesn’t carry out man-in-the-middle attacks; it infects the browser itself.
“The malware adds digital certificates from its data section to the target host and allows the operators to add additional certificates remotely through a named pipe. The solution that Reductor’s developers found to mark TLS traffic is the most ingenious part. They don’t touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation (PRNG) functions in the process’s memory,” the researchers said.
According to the report, “browsers use PRNG to generate the ‘client random’ sequence for the network packet at the very beginning of the TLS handshake. Reductor adds encrypted unique hardware- and software-based identifiers for the victims to this ‘client random’ field. In order to patch the system’s PRNG functions, the developers used a small embedded Intel instruction length disassembler.”
Reductor adds its own ‘victim id’ inside TLS packets, which allows the threat actor to receive all information and actions performed with the browser. According to the report, this ‘fingerprinting’ technique works as follows:
The first four-byte hash (cert_hash) is built using all of Reductor's digital certificates. For each of them, the hash's initial value is the X509 version number. Then they are sequentially XORed with all four-byte values from the serial number. All the counted hashes are XORed with each other to build the final one. The operators know this value for every victim, because it's built using their digital certificates.
The second four-byte hash (hwid_hash) is based on the target's hardware properties: SMBIOS date and version, Video BIOS date and version and hard drive volume ID. The operators know this value for every victim because it's used for the C2 communication protocol.
The latter three fields are encrypted using the first four bytes, the initial PRN XOR key. At every round, the XOR key changes with the MUL 0x48C27395 MOD 0x7FFFFFFF algorithm. As a result, the bytes remain pseudo random, but with the unique host ID encrypted inside.
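As an added illustration (not code from the Kaspersky report or from the Reductor sample), the following Python models the marked ‘client random’ layout described above from an analyst's side: it recovers the XOR-masked fields from the first 16 bytes of a captured ClientHello random using the stated key schedule, and checks the first recovered field against the cert_hash computed from certificates extracted from a sample. It assumes big-endian 4-byte serial-number words with a zero-padded tail, that the key is advanced once before each of the three fields, and leaves the remaining 16 bytes of the 32-byte random unmodelled, since the excerpt does not describe them.

```python
import struct

MUL = 0x48C27395          # per-round multiplier quoted in the report
MOD = 0x7FFFFFFF          # per-round modulus quoted in the report
FIELD_ROUNDS = 3          # cert_hash, hwid_hash and one further (unnamed) field are masked


def cert_hash(certs):
    """cert_hash as described: per certificate start with the X.509 version, XOR in every
    4-byte word of the serial number, then XOR all per-certificate hashes together.
    `certs` is a list of (version, serial_bytes) pairs taken from a sample's certificates."""
    final = 0
    for version, serial in certs:
        h = version
        padded = serial + b"\x00" * (-len(serial) % 4)        # assumption: zero-pad the tail
        for i in range(0, len(padded), 4):
            h ^= struct.unpack(">I", padded[i:i + 4])[0]       # assumption: big-endian words
        final ^= h
    return final & 0xFFFFFFFF


def xor_keys(initial_key):
    """Round keys derived from the 4-byte initial key: k <- k * MUL mod MOD each round."""
    keys, k = [], initial_key
    for _ in range(FIELD_ROUNDS):
        k = (k * MUL) % MOD          # assumption: the key advances once before each field
        keys.append(k)
    return keys


def mark_fields(initial_key, fields):
    """Model of the marking: the initial key in clear, then each field XORed with its round key."""
    masked = [f ^ k for f, k in zip(fields, xor_keys(initial_key))]
    return struct.pack(">4I", initial_key, *masked)


def decode_marked_prefix(prefix16):
    """Analyst side: recover (initial_key, [fields]) from the first 16 bytes of a client random."""
    initial_key, *masked = struct.unpack(">4I", prefix16)
    return initial_key, [m ^ k for m, k in zip(masked, xor_keys(initial_key))]


def matches_known_certs(prefix16, certs):
    """Detection check: does the recovered first field equal the cert_hash of the sample's certs?"""
    _, fields = decode_marked_prefix(prefix16)
    return fields[0] == cert_hash(certs)


# Constructed sample input: two made-up (version, serial) pairs standing in for extracted certs.
SAMPLE_CERTS = [(2, bytes.fromhex("0123456789abcdef")), (2, bytes.fromhex("0a0b0c0d0e"))]
```

Because the initial key travels in clear and the schedule is deterministic, anyone holding the sample's certificates can verify whether a given ClientHello carries the mark, which is exactly the property the operators rely on.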
“Turla has in the past shown many innovative ways to accomplish its goals, such as using hijacked satellite infrastructure. This time, if we’re right that Turla is the actor behind this new wave of attacks, then with Reductor it has implemented a very interesting way to mark a host’s encrypted TLS traffic by patching the browser without parsing network packets. The victimology for this new campaign aligns with previous Turla interests,” the researchers concluded.