Researchers have discovered a new malware strain, dubbed Reductor, that allows hackers to manipulate Hypertext Transfer Protocol Secure (HTTPS) traffic by tweaking a browser’s random number generator, which is used to ensure a private connection between the client and server.

Once a system is infected, Reductor is used to spy on a victim’s browser activity, said the Global Research and Analysis Team (GReAT) at Kaspersky, which discovered the malware. Researchers said Reductor is being used for cyber espionage on diplomatic entities that are part of the post-Soviet republics known as the Commonwealth of Independent States.

While unique, researchers said Reductor has close ties to the COMpfun trojan. The COMpfun malware was initially documented by researchers at G-DATA in 2014. Since then, Kaspersky has linked COMpfun to the Russian-speaking advanced persistent threat group Turla (a.k.a. Snake, Venomous Bear, Waterbug and Uroboros). However, Kaspersky said a direct link to Turla is unclear. The most recent wave of Reductor infections began in April 2019 and has continued through the release of Kaspersky’s research report on Thursday.

What makes Reductor so clever, researchers said, is how attackers have managed to install the malware on targeted systems and how they have managed to circumvent HTTPS protections.

Ready, Set, Attack

The first of two main attack vectors for delivering the malware to its victims is via COMpfun-infected systems pulling down and installing a version of the malware. The second attack vector occurs when targets download software from third-party sites.

“Apparently the attacker had the ability to patch clean software on the fly while it was being downloaded from legitimate websites to users’ computers,” researchers said. “The software installers came from the warez websites, which offer free downloads of pirated software. While the original installers available on those websites were not infected, they would end up on the victims’ PCs carrying malware,” Kaspersky said.

Researchers concluded that the replacement of the software installer happens on the fly and that “Reductor’s operators have some control over the target’s network channel.”

Post Infection

Once a system is infected, Reductor moves on to surveil internet communications. It does this by “patching” a browser’s pseudo random number generators, used to encrypt the traffic between a user’s browser and a website via HTTPS. In other words, instead of attempting to manipulate network packets themselves, adversaries target the Firefox and Chrome browsers and their pseudo random number generation functions.

“They don’t touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation functions in the process’s memory,” researchers wrote.

Pseudo random number generation (PRNG) is used throughout cryptography. In this case, it is used during the creation of a secure HTTPS connection between a client and server or browser and website. After a browser and website negotiate a TLS handshake the PRNG creates a random “pre-master secret” (or number) that will be used to secure the connection. The pre-master secret needs to be unpredictable for the connection to be secure.

Making Random Predictable

This is where Reductor steps in and is able to make the unpredictable predictable.

“Browsers use PRNG to generate the ‘client random’ sequence for the network packet at the very beginning of the TLS handshake. Reductor adds encrypted unique hardware- and software-based identifiers for the victims to this ‘client random’ field,” Kaspersky researchers explain.

In order to patch (or manipulate) the targeted system’s PRNG functions, the malware developers used a small embedded Intel instruction-length disassembler as part of the attack sequence. This allows them to place a small ‘victim id’ inside TLS packets.

“The operators know this value for every victim, because it’s built using their digital certificates,” Kaspersky researchers said. Next, “the threat actor receives all information and actions performed with this browser, while the victim remains unsuspecting of anything untoward,” Kaspersky wrote.
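To make the ‘client random’ field concrete, the following added example (not code from Kaspersky’s report or from this article) parses a TLS ClientHello record, extracts the 32-byte client random, and logs exact repeats, which a properly working PRNG should practically never produce. The sample record, the `ClientRandomLog` helper and the host names are constructed for illustration; because the identifiers are described as encrypted, the repeat check is a PRNG sanity check, not a Reductor signature.

```python
import struct

def parse_client_random(record: bytes) -> bytes:
    """Return the 32-byte client random from a TLS record carrying a ClientHello.

    Assumes the whole ClientHello fits in one record (the usual case)."""
    if len(record) < 5:
        raise ValueError("short TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:                  # 0x16 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4:
        raise ValueError("truncated record")
    if body[0] != 0x01:                       # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 34:                       # 2-byte version + 32-byte random
        raise ValueError("ClientHello too short")
    return hello[2:34]

class ClientRandomLog:
    """Hypothetical helper: remembers each client random and who sent it first."""
    def __init__(self):
        self.first_seen = {}

    def observe(self, host: str, record: bytes):
        """Return (client_random, host that sent it earlier or None)."""
        rnd = parse_client_random(record)
        earlier = self.first_seen.get(rnd)
        self.first_seen.setdefault(rnd, host)
        return rnd, earlier

def build_sample_hello(client_random: bytes) -> bytes:
    """Constructed minimal ClientHello record for the demo, not captured traffic."""
    hello = (b"\x03\x03" + client_random + b"\x00"   # version, random, empty session id
             + b"\x00\x02\x13\x01"                   # one cipher suite
             + b"\x01\x00"                           # null compression only
             + b"\x00\x00")                          # empty extensions block
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    log = ClientRandomLog()
    rec = build_sample_hello(bytes(range(32)))
    for host in ("host-a", "host-b"):             # constructed host names
        rnd, earlier = log.observe(host, rec)
        print(host, rnd.hex(), "repeat of" if earlier else "new", earlier or "")
```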

Kurt Baumgartner, security researcher at Kaspersky, noted: “The unique ID that Reductor adds to the handshake of each TLS session could help identify the origin of the session on the wire, while adding and removing root certificates can quietly help decrypt these intercepted communications. In other words, the group is highly interested in stealth access to encrypted communication content, authentication credentials, and more generally highly sensitive information,” he said.

“In addition to maintaining persistent access, this variety of cryptography library function patching and TLS marking, and root certification access and modification, indicates a potential attempt to facilitate TLS MitM attacks,” the research added.

Baumgartner said he hasn’t seen malware developers interacting with browser encryption in this way before.

The level of sophistication demonstrated by Reductor’s creator, he said, suggests a highly professional organization, typically associated with nation-state actors. “We urge all organizations dealing with sensitive data to stay alert and have regular, thorough security checks,” Baumgartner said.
