Reductor malware hijacks HTTPS traffic
Researchers from Kaspersky have discovered new malware called Reductor that hijacks victims’ interactions with HTTPS Web pages.
It does this by patching the pseudo-random number generator (PRNG), the algorithm that uses mathematical formulas to produce sequences of random numbers. The PRNG is used when a user’s browser establishes an encrypted connection with a Web site.
In addition to installing rogue digital certificates, it enables the attackers to see users’ browser activity.
Although the 'S' in HTTPS stands for 'secure' and is supposed to ensure that information exchanged between a browser and a Web site is not accessible to third parties, there are still many ways for a skilled threat actor to interfere in this process.
Reductor malware was developed specifically for this type of intrusion and has already been used for cyber-espionage on diplomatic entities in CIS countries, primarily by monitoring their employees' Internet traffic. In addition, the modules discovered had RAT (remote administration tool) functions and the capabilities of this malware are practically unlimited.
According to the researchers, Reductor distributors used two main attack vectors, one of which consisted of having modules downloaded through COMPfun malware, previously attributed to the Turla Russian-speaking threat actor.
The other vector is more complicated. It appears the attacker is able to patch clean software on the fly while it is being downloaded from legitimate Web sites to users’ computers.
The software installers were downloaded from warez Web sites which offer free downloads of pirated software. While the original installers available on these Web sites were not infected, they would end up on the victims’ PCs carrying malware. The researchers concluded that replacement happens on the fly and that Reductor’s operators have some control over the target’s network channel.
Once Reductor has established itself on the victim’s device, it can manipulate the installed digital certificates and patch the browsers’ PRNG that is used when encrypting the traffic from the user to HTTPS Web sites. To identify victims whose traffic is hijacked, the attackers tag each one with unique hardware- and software-based identifiers and embed those markers as fixed numbers in the output of the no-longer-random number generator. Once the browser on the infected device is patched, the attacker receives all information and actions performed through that browser, while the victim remains unaware that anything untoward is going on.
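The two paragraphs above describe the core idea: a browser PRNG that feeds the random values of the TLS handshake is altered so that some of its output is fixed per victim. The following Python is an added example, not code from the article or from Kaspersky, showing the defender’s side of that idea: it parses the 32-byte random out of TLS ClientHello records (the record layout is the standard TLS one; the records themselves are constructed here) and checks, for a set of handshakes recorded from one host, whether any byte positions of the random never change across sessions. A healthy PRNG produces no such fixed positions; a patched one that embeds a per-host marker does. The 8-byte tag, the host names and the thresholds are constructed placeholders for the example.

```python
import os


def build_client_hello(random_bytes: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying the given 32-byte random.

    Used only to construct sample traffic for this example.
    """
    assert len(random_bytes) == 32
    body = b"\x03\x03"              # client_version: TLS 1.2
    body += random_bytes            # random (32 bytes)
    body += b"\x00"                 # session_id length: 0
    body += b"\x00\x02\x13\x01"     # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"             # compression_methods: null only
    body += b"\x00\x00"             # extensions length: 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # Handshake record


def extract_client_random(record: bytes) -> bytes:
    """Parse a TLS handshake record and return the 32-byte ClientHello random."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32:
        raise ValueError("truncated ClientHello")
    return body[2:34]               # skip client_version, take the random


def constant_positions(randoms):
    """Return the byte offsets (0-31) whose value is identical in every sampled random."""
    if not randoms:
        return []
    return [i for i in range(32) if len({r[i] for r in randoms}) == 1]


def flag_host(randoms, min_sessions=5, threshold=4):
    """Decide whether one host's ClientHello randoms look tampered with.

    Returns (flagged, fixed_positions). With a sound PRNG the chance that even one
    of the 32 positions stays constant over five sessions is about 32 / 256**4,
    so several fixed positions across many sessions is a strong signal.
    """
    if len(randoms) < min_sessions:
        return False, []            # too few sessions to judge
    fixed = constant_positions(randoms)
    return len(fixed) >= threshold, fixed


# Constructed sample data: recorded ClientHellos from two hosts (not real captures).
HEALTHY_HOST = [build_client_hello(os.urandom(32)) for _ in range(8)]

# Placeholder marker standing in for a per-victim identifier embedded by a patched PRNG.
PLACEHOLDER_TAG = b"\xde\xad\xbe\xef\x00\x01\x02\x03"
PATCHED_HOST = [build_client_hello(os.urandom(24) + PLACEHOLDER_TAG) for _ in range(8)]


def analyse(records_by_host):
    """Run the fixed-position check over every host and return {host: (flagged, positions)}."""
    return {
        host: flag_host([extract_client_random(r) for r in records])
        for host, records in records_by_host.items()
    }


if __name__ == "__main__":
    for host, (flagged, fixed) in analyse(
        {"workstation-A": HEALTHY_HOST, "workstation-B": PATCHED_HOST}
    ).items():
        status = "SUSPECT" if flagged else "ok"
        print(f"{host}: {status}, fixed random byte positions: {fixed}")
```

The check is a heuristic over handshakes recorded at a network sensor, not a signature for any particular malware: a fixed-position result says only that the client’s handshake randomness is not behaving like randomness, which then warrants looking at the endpoint itself (installed certificates, patched browser binaries). Older TLS 1.2 stacks that place a timestamp in the first four bytes of the random still vary those bytes between sessions, so they are not flagged by this test.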
Kurt Baumgartner, a security researcher at Kaspersky’s Global Research and Analysis Team, says: “We haven’t seen malware developers interacting with browser encryption in this way before. It is elegant in a way and allowed attackers to stay well under the radar for a long time.”
The level of sophistication of the attack method suggests that the creators of Reductor malware are highly professional, which is quite common among nation-state backed actors, he adds.
“However, we weren’t able to find solid technical clues which would attach this malware to any known threat actor. We urge all organisations dealing with sensitive data to stay alert and have regular, thorough security checks.”