Rogue digital certificates and a not-so-random PRNG

A strain of malware that hijacks HTTPS traffic by manipulating browsers has been uncovered by security researchers at Kaspersky.

The so-called Reductor malware works through manipulating browsers’ “random” number generators to carry out man-in-the-middle (MitM) attacks.

The technique undermines the process of establishing encrypted communication between the user and the website.

When performed alongside the installation of rogue digital certificates it gives attackers the ability to spy on users’ browser activity.

Reductor has surfaced as part of cyber-espionage attacks on diplomatic entities in former Soviet Union countries, primarily by monitoring their employees' internet traffic.

Modules of the malware have Remote Administration Tool (RAT) functions and capabilities.

Sleight of hand

The malware is being distributed through two distinct mechanisms.

The first technique involves delivering modules through the COMPfun malware, previously attributed to the Turla, a Russian-speaking threat actor.

The second technique involves the distribution of malware via HTTP 307 Temporary Redirect requests at the ISP level.

“Reductor’s operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly,” according to Kaspersky.

Infected installers, for example tools posing as Office Activator, were downloaded from HTTPS warez websites but the files themselves were downloaded through unencrypted HTTP.

Post infection, Reductor begins manipulating installed digital certificates and patching browsers’ pseudo random number generators, or PRNGs – a technology used to generate a “client random” sequence at the beginning of a TLS handshake with HTTPS websites.

To identify victims, attackers add unique hardware-and software-based identifiers for each and mark them with certain numbers in a not-so-random numbers generator.

Once the browser on the infected device is compromised, the attackers get reports of browser activity while leaving victims blissfully unaware of anything amiss.

“We haven’t seen malware developers interacting with browser encryption in this way before” comments Kurt Baumgartner, security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

“It is elegant in a way and allowed attackers to stay well under the radar for a long time.”

Involvement of nation-state backed actors in the attack is strongly suspected but unconfirmed. Kaspersky was unable to recover enough technical clues to enable any attribution.

More on the Reductor threat – together with advice on detection and mitigation – can be found in a post on Kaspersky’s Securelist.com blog.

The research was outlined during a presentation at the Virus Bulletin conference in London last week and entitled “Targeted attacks through ISPs”.

Inventive

Denis Legezo, a senior security researcher within GReAT, told The Daily Swig that developers of the malware had likely analyzed Firefox source code and Chrome binary code before working out how to patch their respective PRNG functions in the process’ memory.

“The function of the Reductor is to facilitate MitM attacks – to read encrypted communication,” Legezo said. “What they read I don’t know because I don’t see the server side. I only see the infected end-point.

“I don’t know what they are gathering but technically they could reach any encrypted communication,” he added.

“What they get from their victims I don’t know.”

Legezo said that malware developers had taken the time to study browser code in order to develop an “inventive” and well-executed attack.

Trade root

ISPs aren’t the only service providers being abused for targeted attacks. During the same presentation Kaspersky explained how a national data center in Asia was used as a similar infection vector.

“The attackers compromised the data center where the local government’s online services are hosted,” Team Kaspersky explained.

“Once inside, they not only gained access to multiple government services at once, they were also able to add malicious scripts to government websites to use them for watering hole attacks for further targeted infections.”

YOU MIGHT ALSO LIKE Domain names and DNS are being ‘weaponized’ to spread political propaganda