Security researchers at Kaspersky Lab have identified a new form of malware, named Reductor, that manipulates the random number generator of web browsers, which allows TLS traffic to be decrypted on the fly.
The threat actors behind the malware have not been identified, although there are similarities in the code which link it to the COMPfun Trojan, suggesting that the authors of both malware variants could be one and the same. Based on victimology, COMPfun is believed to be the work of Turla APT, a hacking group with ties to Russia.
Reductor malware was first identified by Kaspersky Lab researchers in April 2019. The malware uses a never-before-seen method of interacting with browser encryption: infecting computers on the fly while software is downloaded from legitimate third-party (warez) websites. The malware is also being installed on computers already infected with the COMPfun Trojan. In addition to spying on web traffic, Reductor is capable of downloading and executing files and uploading data to its C2 servers, along with a host of other remote access functions.
What is particularly interesting is how the malware intercepts and decrypts encrypted traffic and tracks users. As part of the initial handshake, web browsers use a pseudo-random number generator (PRNG) to generate a unique number sequence for each user when negotiating an encrypted session. The malware replaces the PRNG code in the Chrome and Firefox browsers with a malicious version and adds unique identifiers for each victim.
While the malware itself does not perform man-in-the-middle (MitM) attacks, the TLS manipulation allows the encrypted traffic coming from a user's computer to be identified, which enables MitM attacks to be performed against it and victims to be tracked across the web. After infection, all traffic can be decrypted: because the attackers manipulate the PRNG in advance, they can determine how network traffic will be encrypted when a TLS connection is established.
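The mechanism described above leaves a side effect that is visible on the network: the 32-byte client random in every TLS ClientHello, which should be fresh randomness on each connection, is no longer fresh and may carry a fixed marker. A defender cannot see the patched PRNG from the wire, but can look for handshakes whose randoms share a constant prefix or have unusually low entropy. The following Python script is an added example written for this article, not Kaspersky's code or anything recovered from Reductor; it parses ClientHello records, extracts the client random, and judges a set of handshakes observed from one host. The sample records, the 8-byte tag in them, and the thresholds (four shared prefix bytes, 3.5 bits of entropy per byte) are constructed for illustration; the real marker format is not described on this page.

```python
"""Added example (not Kaspersky's or Reductor's code): look for non-random TLS
client randoms, the network-visible side effect of a patched browser PRNG.

All sample handshakes below are constructed fixtures, not captured traffic.
"""
import hashlib
import math
from collections import Counter


def client_random(record: bytes) -> bytes:
    """Return the 32-byte client random from a TLS ClientHello record.

    Layout (RFC 5246): record header = type(1) version(2) length(2);
    handshake header = msg_type(1) length(3); the ClientHello body starts
    with client_version(2) followed by the 32-byte random.
    """
    if len(record) < 5 or record[0] != 0x16:  # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:  # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 34:
        raise ValueError("truncated ClientHello")
    return hello[2:34]


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 32 fresh random bytes score close to 5."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def shared_prefix_len(values) -> int:
    """Length of the prefix common to every value (0 if fewer than two values)."""
    if len(values) < 2:
        return 0
    first = values[0]
    n = 0
    while n < len(first) and all(len(v) > n and v[n] == first[n] for v in values):
        n += 1
    return n


def assess_handshakes(records, prefix_threshold=4, entropy_threshold=3.5) -> dict:
    """Judge a set of ClientHellos observed from one host.

    Fresh randoms almost never share even one leading byte, so a common prefix
    of several bytes across sessions points at a fixed marker in the random.
    The thresholds are illustrative choices for this example, not published IoCs.
    """
    randoms = [client_random(r) for r in records]
    prefix = shared_prefix_len(randoms)
    min_entropy = min(byte_entropy(r) for r in randoms)
    return {
        "handshakes": len(randoms),
        "shared_prefix_bytes": prefix,
        "min_entropy_bits": round(min_entropy, 2),
        "suspicious": prefix >= prefix_threshold or min_entropy < entropy_threshold,
    }


def build_client_hello(random_bytes: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record around a given random (fixture builder)."""
    hello = (b"\x03\x03" + random_bytes          # client_version, random
             + b"\x00"                           # empty session_id
             + b"\x00\x02\xc0\x2f"               # one cipher suite
             + b"\x01\x00")                      # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed fixtures: benign randoms are SHA-256 digests (random-looking and
# reproducible); "tagged" randoms carry a constructed 8-byte constant up front,
# standing in for the per-victim identifier the article describes.
BENIGN_RECORDS = [
    build_client_hello(hashlib.sha256(b"constructed-benign-%d" % i).digest())
    for i in range(3)
]
CONSTRUCTED_TAG = bytes.fromhex("0011223344556677")  # placeholder, not a real IoC
TAGGED_RECORDS = [
    build_client_hello(CONSTRUCTED_TAG + hashlib.sha256(b"constructed-tagged-%d" % i).digest()[:24])
    for i in range(3)
]

if __name__ == "__main__":
    for name, recs in (("benign", BENIGN_RECORDS), ("tagged", TAGGED_RECORDS)):
        print(name, assess_handshakes(recs))
```

Run on real traffic, `client_random` would be fed the first handshake record of each connection from one host (for example, exported from a packet capture); the check only makes sense across several sessions, because a single random value cannot be told apart from a fresh one. A positive result is a reason to inspect the browser binaries on that host, not proof of infection on its own.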
The threat actors behind the malware appear to be solely concerned with spying on diplomatic entities within the Commonwealth of Independent States – Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.
Kaspersky Lab suggests that if the malware were to be obtained by other threat groups, this method of attack could be expanded to a much wider range of targets.