Monday, October 21, 2019

New malware strain that allows the adversary to deploy man-in-the-middle (MitM) attacks on TLS traffic.

   The vast majority of websites these days have Hypertext Transfer Protocol Secure (HTTPS) enabled, adding a layer of security that protects our communications against eavesdropping and tampering. HTTPS encrypts traffic using Transport Layer Security (TLS), the current standard for secure web communication. Like all protocols, it is not immune to attack. Some of the more infamous vulnerabilities affecting TLS (or its predecessor, Secure Sockets Layer [SSL]) are FREAK, Logjam, POODLE, and Heartbleed.

   More recently, researchers from Kaspersky's Global Research and Analysis Team (GReAT) discovered a malware strain that allows the adversary to deploy man-in-the-middle (MitM) attacks on TLS traffic. Dubbed Reductor, it appears to be related to the COMPfun trojan discovered in 2014, which provides one of its infection vectors: servers that are already infected with COMPfun can be used to download and install Reductor. Reductor is also delivered through software downloads from untrustworthy sites.

   Once installed, the malware patches the Firefox® and Chrome web browsers to snoop on the victim's encrypted traffic. It modifies the target's TLS certificate and gives the attacker remote access to manipulate and execute files. What really sets Reductor apart is the way it patches the browsers' pseudorandom number generator (PRNG) functions. The PRNG supplies the random bytes that the client sends at the beginning of the TLS handshake. By patching it, Reductor injects victim-specific identifiers into those bytes, allowing the attacker to recognise and track the victim's traffic wherever it goes.
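Because the client random is supposed to come from a sound PRNG, a defender can look for the side effect the post describes: randoms that are no longer random. The example below is added here and is not code from Kaspersky or from the original post. It parses a minimal TLS ClientHello record, extracts the 32-byte client random, and flags any host whose handshakes repeat a random or share a constant leading prefix. The `VICTIM01` marker, the host names and the handshake bytes are constructed test data, not Reductor's real format; the assumption that a patched PRNG produces repeated or prefixed randoms is drawn from the post's description, not from the malware's code.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01  # handshake message type: ClientHello


def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    body = b"\x03\x03" + client_random     # client_version + random
    body += b"\x00"                        # session id length 0
    body += b"\x00\x02\x13\x01"            # cipher suites: one suite
    body += b"\x01\x00"                    # compression: null only
    body += b"\x00\x00"                    # extensions length 0
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


def extract_client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte client random from a ClientHello record, or None if it is not one."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32:
        return None
    return body[2:34]


def common_prefix_len(values: List[bytes]) -> int:
    """Length of the byte prefix shared by every value in the list."""
    n = 0
    for column in zip(*values):
        if len(set(column)) != 1:
            break
        n += 1
    return n


def find_tagged_hosts(captures: List[Tuple[str, bytes]], min_prefix: int = 4) -> Dict[str, str]:
    """Flag hosts whose ClientHello randoms repeat or share a constant prefix.

    A healthy PRNG essentially never emits the same 32 bytes twice and never
    shares a multi-byte prefix across handshakes; a PRNG patched to carry a
    victim identifier (assumption based on the post's description) will.
    """
    per_host: Dict[str, List[bytes]] = defaultdict(list)
    for host, record in captures:
        rnd = extract_client_random(record)
        if rnd is not None:
            per_host[host].append(rnd)

    findings: Dict[str, str] = {}
    for host, randoms in per_host.items():
        if len(randoms) < 2:
            continue  # one handshake gives no basis for comparison
        if len(set(randoms)) < len(randoms):
            findings[host] = "client random repeated across handshakes"
            continue
        prefix = common_prefix_len(randoms)
        if prefix >= min_prefix:
            findings[host] = f"{prefix}-byte constant prefix shared by {len(randoms)} handshakes"
    return findings


# Constructed captures: a clean host with SHA-256-derived randoms, and a
# hypothetical tagged host whose randoms all begin with a fixed 8-byte marker.
CAPTURES: List[Tuple[str, bytes]] = [
    ("ws-clean", build_client_hello(hashlib.sha256(b"clean-%d" % i).digest()))
    for i in range(4)
] + [
    ("ws-tagged", build_client_hello(b"VICTIM01" + hashlib.sha256(b"tag-%d" % i).digest()[:24]))
    for i in range(4)
]

if __name__ == "__main__":
    for host, reason in find_tagged_hosts(CAPTURES).items():
        print(f"{host}: {reason}")
```

Run over a real capture, the same logic would take the ClientHello records per source address from a packet capture; the threshold `min_prefix` is deliberately low (4 bytes, roughly a 1-in-4-billion coincidence for a pair of honest randoms) so that the check is sensitive without producing false positives on normal traffic.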

   GReAT believes Reductor comes from a hacker group operating under the protection of the Russian government and may be linked to the Advanced Persistent Threat (APT) group Turla; however, there is no concrete evidence to support a Turla connection. There are similarities both with the COMPfun code and in the affected victims, where "cyber-espionage on diplomatic entities" appears to be a primary objective.