Warning over Reductor malware that manipulates browsers' random number generator to hijack HTTPS traffic
Reductor malware can also replace legitimate installers from third-party websites with infected ones on the fly, claims Kaspersky
Researchers at Kaspersky have discovered new malware that, they claim, can decode encrypted TLS traffic on the fly without having to intercept it.
The Reductor malware was first spotted in April this year by researchers at Kaspersky, who suggested it could be the work of Russian-linked Turla APT (also known as Venomous Bear, Snake, Uroboros and Waterbug).
Researchers also believe that Reductor could be linked to an earlier Trojan called "COMpFun", which was first documented in 2014 by researchers at G-DATA and also linked to Turla.
According to the researchers, adversaries deliver Reductor malware to a target system via two main attack vectors. The first is through COMpfun-infected computers, in which a new version of the malware is installed. The second attack vector occurs when a target system downloads software from third-party websites.
The researchers noticed that the attackers were able to infect PCs on the fly while software was being downloaded to users' computers from a legitimate third-party website.
"The software installers came from the warez websites, which offer free downloads of pirated software. While the original installers available on those websites were not infected, they would end up on the victims' PCs carrying malware," Kaspersky researchers said.
After infecting the system, Reductor can be used to spy on the browser activity of a victim. It does so by 'patching' the browser's pseudo-random number generator, which is used to ensure a secure and private connection between the client and server (via HTTPS).
Researchers observed that instead of manipulating network packets themselves, hackers targeted the Chrome and Firefox browsers and manipulated their pseudo random number generation functions.
That enabled the malware operators to decode and hijack the traffic over HTTPS, as they knew ahead of time how the network traffic would be encrypted when the victim established a TLS connection.
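Because the attack leaves the network path untouched, one place a defender can still look is the 32-byte Random field of each TLS ClientHello, which a patched PRNG no longer fills with fresh randomness. The following is an added illustration, not code from Kaspersky's report or from the malware itself: it parses the Random field out of a raw ClientHello record and flags sessions whose value repeats across connections or has unusually low byte entropy. The record layout, the entropy threshold and the sample records are assumptions constructed for the example.

```python
"""Flag suspiciously predictable TLS ClientHello randoms (defender-side check)."""
import math
from collections import Counter


def parse_client_hello_random(record: bytes) -> bytes:
    """Return the 32-byte Random field from a raw TLS record carrying a ClientHello.

    Layout assumed: 5-byte TLSPlaintext header (type, version, length), then a
    4-byte Handshake header (type 0x01, 3-byte length), client_version (2 bytes),
    then Random (32 bytes). No TLS library is used so the check runs offline.
    """
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short to hold a ClientHello random")
    if record[0] != 0x16:  # ContentType: handshake
        raise ValueError("not a handshake record")
    if record[5] != 0x01:  # HandshakeType: client_hello
        raise ValueError("not a ClientHello")
    return record[11:43]


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits (max 5.0 for 32 distinct bytes)."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_suspicious(records, min_entropy: float = 3.5):
    """Return (index, random_hex, reasons) for sessions whose Random looks non-random.

    Two signals are used: the same Random reused across sessions, and a Random
    whose bytes carry too little entropy (e.g. a patterned or mostly-zero value).
    The threshold is a constructed heuristic, not a published indicator.
    """
    randoms = [parse_client_hello_random(r) for r in records]
    seen = Counter(randoms)
    findings = []
    for i, rnd in enumerate(randoms):
        reasons = []
        if seen[rnd] > 1:
            reasons.append("repeated")
        if shannon_entropy(rnd) < min_entropy:
            reasons.append("low-entropy")
        if reasons:
            findings.append((i, rnd.hex(), reasons))
    return findings


def make_client_hello(random_bytes: bytes) -> bytes:
    """Constructed minimal ClientHello record for testing; not a real capture."""
    body = b"\x03\x03" + random_bytes + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```

A real deployment would feed `flag_suspicious` the ClientHello records extracted from a packet capture and tune the threshold against the browsers in the environment.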
"We haven't seen malware developers interacting with browser encryption in this way before," said Kurt Baumgartner, a member of Kaspersky's Global Research and Analysis Team.
"It is elegant in a way and allowed attackers to stay well under the radar for a long time," he added.
According to the researchers, the malware has largely been used to spy on diplomatic entities within the Commonwealth of Independent States, a group of post-Soviet republics.
However, it could also pose a big threat to the larger internet community should the components of Reductor fall into the hands of other malware operators, they warned.