A lot of the time when encryption is defeated by cyber attackers, the cipher itself isn’t cracked. Rather, the cyber attacker just finds a way to bypass encryption. Newly discovered Reductor malware is an excellent example. If you use Google Chrome or Mozilla Firefox, you’re susceptible to it. If your web browser gets infected by Reductor, your HTTPS web traffic will be intercepted.
Kaspersky researchers started spotting Reductor in April. It's related to the COMpFun trojan. Not only does Reductor share a lot of code with COMpFun, but it's also suspected that Reductor uses COMpFun to install its modules. There, the two malware strains are quite likely from the same cyber attackers.
COMpFun was first discovered by G DATA in 2014. Here’s how they described it:
“G DATA SecurityLabs experts discovered a new Remote Administration Tool, which we dubbed COMpfun. This RAT supports 32-bit and 64-bit Windows versions, up to the Windows 8 operating system. The features are rather common for today’s espionage tools: file management (download and upload), screenshot taking, Keylogger functionality, code execution possibility and more. It uses the HTTPS and an asymmetric encryption (RSA) to communicate with the command and control server. The big novelty is the persistence mechanism: the malware hijacks a legitimate COM object in order to be injected into the processes of the compromised system. And it is remarkable, that this hijacking action does not need administrator rights. With this RAT, Attackers could spy on an infected system for quite a long time, as this detection evasion and persistence mechanism is indeed pretty advanced!”
"The big novelty is the persistence mechanism"
The theory that Reductor is using the same command and control servers as COMpFun makes perfect sense. But if that’s the case then Reductor specifically targets Windows versions of Google Chrome and Mozilla Firefox. That’s still a massive user base.
Here’s how Reductor behaves. First, command and control servers upload Reductor to COMpFun-infected machines. The second step is especially sneaky. If the user tries to download a file from a website that distributes pirated software, Reductor patches it with malicious code. The pirated software may have had no malicious code originally, but Reductor turns it into malware.
Next, Reductor patches the random number generation function in web browsers that are used for TLS encryption. So instead of manipulating TLS packets directly, Reductor controls how web browsers interact with HTTPS sessions. The random number generator is designed to be used after a TLS handshake is negotiated, to create a pre-master secret that’s used in the TLS session to ensure authenticity. In order for HTTPS use to be secure, the pre-master secret must be kept unpredictable and confidential. Therefore, Reductor’s actions render TLS useless for encrypting a user’s web traffic.
As Kaspersky researchers explained:
“Browsers use PRNG (pseudo random number generator) to generate the ‘client random' sequence for the network packet at the very beginning of the TLS handshake. Reductor adds encrypted unique hardware—and software—based identifiers for the victims to this ‘client random' field. The operators know this value for every victim, because it's built using their digital certificates. Next, the threat actor receives all information and actions performed with this browser, while the victim remains unsuspecting of anything untoward."
Kaspersky suspects that the cyber attackers are from the Turla group
It’s a very clever way to bypass TLS encryption. I’d applaud the cyber attackers for their ingenuity, but what they’re doing is tremendously harmful. Especially considering the sensitive financial or medical data that could be sent through HTTPS.
Researchers have only watched Reductor from the client side, not the server side. So, we can only speculate what the cyber attackers are doing with the HTTPS packets they’re acquiring. Reductor doesn’t seem to be engaging in man-in-the-middle attacks directly with packet manipulation. But Reductor may be facilitating man-in-the-middle attacks and replacing the client random field in packet headers with the unique ID generated through the handshake with the intercepted random number generator.
Kaspersky suspects that the cyber attackers behind Reductor are from the Turla group, which are known to be the authors of COMpFun malware.
“Turla has in the past shown many innovative ways to accomplish its goals, such as using hijacked satellite infrastructure. This time, if we’re right that Turla is the actor behind this new wave of attacks, then with Reductor it has implemented a very interesting way to mark a host’s encrypted TLS traffic by patching the browser without parsing network packets. The victimology for this new campaign aligns with previous Turla interests.”
It's very important to make sure that your websites and web applications implement TLS securely. It's also important to carefully manage and protect your public key infrastructure. But sometimes successful cyber attacks on TLS web traffic are executed purely through client-side vulnerabilities. The safe but pirated software files that Reductor adds malicious code to are transmitted from pirated software distribution websites over plaintext HTTP. If we could get rid of HTTP altogether and make all web traffic use HTTPS, perhaps malware like Reductor wouldn't be so successful in rendering TLS pointless.