A new malware, Reductor, discovered in late April 2019, compromises encrypted web communications in a remarkable manner. It is evil, malicious and dangerous, but more importantly, smart. In the following article you will learn how malware threats are growing, with a short section on risk-management precautions.
- A bigger Picture
- The Impact
- Process Infection
- Breaking web traffic encryption
- Risk chances
A bigger picture:
The malware, spotted in April this year, allows hackers to manipulate Hypertext Transfer Protocol Secure (HTTPS) traffic by tweaking the browser’s random number generator, which is used to establish a private connection between client and server.
Once a machine is infected, Reductor is used to spy on the victim’s browser activity, said the Global Research and Analysis Team (GReAT) at Kaspersky. Reductor is being used for cyber espionage (the practice of spying or of using spies) against diplomatic entities. The campaign spreads when a targeted computer downloads a software distribution from a third-party source, or via a decryptor/dropper program on machines that are already infected with COMpfun. Some well-known facts about the new Reductor malware are:
- The malware has been observed replacing legitimate installers with infected ones and decoding encrypted TLS traffic.
- The infection spreads through trojanized copies of popular software distributions such as Internet Download Manager and WinRAR.
- The other infection vector uses the COMpfun malware’s ability to download files onto compromised hosts.
Reductor has close ties to the COMpfun trojan, which was documented in 2014 by G DATA researchers and is suspected to be associated with the Russian APT group Turla, aka Venomous Bear. The Turla APT group has actively targeted various high-profile government networks since 2004 in the Middle East, Central and Far East Asia, Europe, and North and South America. The most recent wave of Reductor infections started in June 2019 and was still active as of August, targeting software such as Internet Download Manager and WinRAR.
What makes Reductor so smart is how the attackers have managed to install the malware on targeted systems and how they circumvent HTTPS protections. The malware compromises encrypted web communications impressively. Reductor is so sophisticated in its methodology that it gives the threat actors behind it “capabilities [that] go far beyond the regular Remote Access Trojan (RAT)”. This is another high-impact security issue to be aware of.
Once Reductor has found its way onto the victim’s device, it manipulates installed digital certificates and patches the browser’s pseudo-random number generator, which supplies the randomness used to encrypt traffic from the user to HTTPS websites. The attackers add unique hardware- and software-based identifiers for each attack and mark them with specific numbers in a not-so-random number generator. Once the browser on the infected device is patched, the threat actor receives all information and actions performed with the browser.
Process of infection:
Reductor reaches its targets in two different ways: first, via a malicious software installer delivered and launched through Internet Download Manager; second, by taking advantage of a victim already infected with the COMpfun trojan and abusing the browser’s address space to receive the trojan from the command-and-control server. The new Reductor malware does not carry out man-in-the-middle attacks; it infects the browser itself:
- Reductor adds digital certificates to the target host without touching any network packet.
- The malware’s authors analyzed browser code in order to patch the pseudo-random number generation (PRNG) functions in the memory of the browser process.
- Because it decodes the data rather than altering packets, the malware also remains undetected by security tools.
- Compromising the random number generator lets the attacker know how traffic will be encrypted when a TLS connection is established.
- This allows the malware to decode traffic and send relevant data to its command-and-control (C2) server.
The initial COMpfun infection follows this process: the trojan is loaded into one of the browsers through COM CLSID hijacking, and its configuration data on the host is encrypted with a one-byte key. The Reductor dropper-decryptor follows the same browser, running as an auxiliary mode in a local module, with the Reductor payload stored in its resources, also encrypted with a one-byte key.
Breaking Web traffic encryption:
By extending its reach to compromise the encrypted HTTPS communication that is relied upon to ‘secure’ web traffic, Reductor enables the attacker to spy on all information and actions carried out by the web browser. This methodology is what raises Reductor above being just another RAT (Remote Access Trojan).
Reductor performs HTTPS traffic hijacking by patching the pseudo-random number generator (PRNG) that feeds the Transport Layer Security (TLS) protocol. The interesting fact about the attack is that the web traffic itself is not modified at all. Reductor avoids touching network packets, which would raise a red flag with security protections, and instead patches the PRNG functions of the Chrome or Firefox browser in process memory. An infected browser instead adds encrypted identifiers to the ‘client random’ field. By adding this victim ID in the sophisticated way that Reductor does, the bytes that build the part.
Meanwhile, the attacker can patch clean software on the fly while it travels from legitimate websites to the user’s computer. The software is installed from warez websites that offer free downloads of pirated software. Reductor’s operators have control over the target’s network channel.
By compromising the random number generator, the malware’s operators know ahead of time how the traffic will be encrypted when the victim establishes a TLS connection, and can mark that traffic for later use. Since the data can be decoded, the attacker has no need to tamper with the traffic while it is in transit, and so operates without triggering security tools.
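As an added illustration of why a marked client random is still observable on the wire even though no packet is tampered with (example code written for this article, not Reductor’s own or Kaspersky’s code): the block below parses the client_random out of constructed TLS ClientHello records and flags prefixes that recur across sessions, something a genuine PRNG would essentially never produce. The marker bytes, their position and their length are assumptions for the demonstration, not Reductor’s real identifier format.

```python
from collections import Counter

def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not a
    real capture): record header, handshake header, client_version, random,
    empty session ID, one cipher suite, null compression, no extensions."""
    assert len(client_random) == 32
    body = (b"\x03\x03" + client_random + b"\x00"   # version, random, session_id len
            + b"\x00\x02\x13\x01"                    # one cipher suite
            + b"\x01\x00"                            # compression: null only
            + b"\x00\x00")                           # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def parse_client_random(record: bytes) -> bytes:
    """Return the 32-byte client_random of a TLS ClientHello record.
    Offsets per RFC 5246: 5-byte record header, 4-byte handshake header,
    2-byte client_version, then the random at bytes 11..42."""
    if len(record) < 43:
        raise ValueError("record too short for a ClientHello")
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return record[11:43]

def repeated_prefixes(randoms, prefix_len=8):
    """Return client_random prefixes seen in more than one session, with counts.
    A healthy PRNG will not repeat 8 bytes; a browser whose PRNG was patched to
    embed a fixed victim identifier will. Prefix position and length are
    assumptions for this demo, not the malware's actual layout."""
    counts = Counter(r[:prefix_len] for r in randoms)
    return {p: n for p, n in counts.items() if n > 1}

# Constructed samples: three ClientHellos whose random starts with the same
# made-up 8-byte marker, plus one from an unpatched browser.
MARKER = bytes.fromhex("deadbeef00010203")
SAMPLE_RECORDS = [
    build_client_hello(MARKER + bytes(range(24))),
    build_client_hello(MARKER + bytes(range(24, 48))),
    build_client_hello(MARKER + bytes(range(48, 72))),
    build_client_hello(bytes(range(100, 132))),
]

def scan(records):
    """Extract every client_random and report recurring prefixes."""
    return repeated_prefixes([parse_client_random(r) for r in records])

if __name__ == "__main__":
    for prefix, n in scan(SAMPLE_RECORDS).items():
        print(f"marker {prefix.hex()} seen in {n} ClientHellos")
```

In practice the same check can be run over ClientHellos extracted from a packet capture; a prefix that recurs across many sessions from one host is the signal worth investigating.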
The level of risk you face depends on two things: whether you are of interest to an attacker, and your choices when downloading and installing software. As for the malware’s distribution through pirated-software sites, that part is easier to mitigate. The precautions are:
- Only install what you need.
- Have your software directly downloaded from the vendors, developers, or official market store.
- Have a highly rated antivirus product installed that will block malicious web pages.
- Organizations handling high-profile sensitive data should have regular security checks.
Beyond typical RAT functions such as downloading, uploading and executing files, Reductor’s actors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic. Whether you are an organization or an individual, your job is to keep a close eye on what is being downloaded, as these malware infections happen unknowingly.
This was all about the new Reductor malware, and it brings me back to GoodbyeDPI. Have you read about it yet? Have you ever wondered why we cannot access certain websites, and how some of them redirect us to a censorship page displaying ‘blocked’? Deep packet inspection (DPI) is one technology used to examine the data part of network packets and search for things like viruses, spam and intrusions. For further information, read about how DPI works and what GoodbyeDPI is.