Researchers discovered last week a new Remote Administrative Tool (RAT) dubbed Reductor that is able to compromise network traffic and TLS communication. But it does so in a unique way that is not prevalent in the wild and is reserved for highly skilled operators. Once it hits the target, the malware can manipulate the digital certificates on the victim’s authorized certificates store and mark its victims’ outbound TLS connection for the purpose of what seems to be monitoring, espionage and execution of secondary stage infection.
Analysis of the malware revealed strong similarities with COMPfun trojan reported by G-DATA back in 2014. Based on the type of its victims, COMPfun was later associated with the Russian state-sponsored cyber-espionage threat group Turla—known for its high-profile targets and sophisticated self-crafted tools and rootkits.
Researchers from Kaspersky considered two potential infection scenarios. One assumes that websites that distribute popular utility software, such as WinRAR, Office Activator and Internet Downloader Manager, or “warez” (websites for cracked software) were infected and served malicious code bundled with the legitimate installers. The second assumption was that Reductor was a second stage malware on machines that were already infected with another malware.
Infection Scenario #1
Further research and additional samples contradicted the first initial assumption that legitimate distribution websites were compromised and proved that in fact the threat actors behind the attack were swapping the legitimate installers with malicious ones "on the fly.” To be able to do that, they had to have access to the victim’s network (or an ISP) and intercept HTTP traffic, which then enabled them to modify or replace a legitimate installer with a compromised one upon download over unencrypted channel.
The researchers observed that although the installers were downloaded from legitimate secure websites that were using HTTPS, the download itself took place over unencrypted HTTP.
Swapping the installers with illegitimate ones on the fly also implies either that the host was performing poor code-signing verification on files downloaded from the web, or that the attackers used compromised code-signing credentials of other victims to sign them to pass the verification.
Infection Scenario #2
The second theory remained plausible, while additional Reductor samples found on other victims’ hosts showed that they were already infected with COMPfun malware that Kaspersky associated with Turla.
Once the infected installers hit the target, the malware was able to modify the victim’s authorized certificates store and add its own root X509v3 certificates. Reductor also allows attackers to add additional certificates remotely at a later stage through a Microsoft Named Pipe.
Root certificates are used in public key cryptography to identify a Root Certificate Authority (CA) and to establish secure TLS communications between a web browser and a server. Installation of a root certificate on the compromised system gives the operators a way to degrade the host's security and enable Man-in-the-Middle (MitM) capabilities for intercepting information transmitted over TLS connections.
It's worth mentioning that no MitM functionality was observed in the malware samples, a fact that provides further support for the assumption that a traffic manipulation took place.
Root certificates used by Reductor:
Expiration date (GMT)
GeoTrust Rsa CA
GeoTrust Rsa CA
The most impressive part of the attack was the ability of Reductor operators to compromise a TLS connection without touching and parsing the network packet to mark any outbound TLS connection performed by the victim’s browser.
Through analyzing Firefox source code and Chrome binary code, the actors were able to locate the Pseudo Random Number Generation (PRNG) function and to “patch” (modify).
The PRNG function generates a random sequence that is used by the browser in the first stage of the TLS handshake. The actors modified that random sequence with host meta-data that provided indication of their victims and allowed them to monitor and track them from among various identities across a potential vast network.
The first four-byte hash was built using the Reductor’s digital certificates. The second four-byte hash is based on the target’s hardware properties, including SMBIOS date and version, Video BIOS date and version and hard drive volume ID. As a result, the bytes remain pseudo random, but giving away unique host details encrypted within.
Kaspersky’s static analysis of the Reductor binary showed strong code similarities with the COMPfun trojan family discovered in 2014. Kaspersky associates the Trojan by victomology with one of the longest-known state-sponsored cyberespionage groups Turla. The group, also referred to as Snake, Waterbug and WhiteBear, Venomous Bear, and Krypton has been active since 2004 and is known for building its custom backdoors and in-house malware.
One of the tools brought the group to the headlines was the sophisticated Uroburos/Snake rootkit reported first by G-DATA and Kaspersky (“Epic Turla”) in 2014 and infected hundreds of victims in over 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies.
Similar to the Reductor case, the analysis of Uroburos/Snake showed that the threat actors most likely had access to victims’ compromised local gateways, which allowed them to intercept and modify traffic on the fly, inject malicious payloads or modify unencrypted content.
Developing such unique capabilities and TTPs (Tactics, Techniques and Procedures) for monitoring and marking a victim’s traffic seems to fit the profile of a state-sponsored group as Turla and raises many unsolved questions regarding the intent and objectives of the threat group as well as who it is after.
Most web and internet traffic depends on the TLS protocol for encryption and data integrity. TLS also provides end-to-end security for communication over networks for most large organizations around the globe. Any compromise or target of the implementation of the protocol can have strong implications for companies that rely on TLS to secure their channels.
Turla's ability to compromise TLS communication shows that the security and integrity of the protocol implementation is at risk and can be breached for various malicious intents—whether for espionage or for financial gain. Although this specific technique is currently reserved to an exclusive club, once it is demonstrated and exposed in the public domain, it has the potential to become widespread and part of the arsenal of more threat actors.
At times when TLS communication is at risk, addressing such a threat becomes more crucial than ever. Organizations that rely on TLS are required to reconsider their security controls and evaluate the effectiveness of their processes for protecting machine identity.
Protection strategies for machine identities in an organizational network must ensure that trusted digital certificates are not manipulated, and authorized stores are monitored and supervised. To do this, organizations should maintain maximum visibility of their network and properly configure their security applications, such as NGFW, with their digital certificates to enable them to alert on any modification of the trusted identities in the network. Detecting the usage of rogue certificates will increase the chance of securing the integrity of communication and tackle a potential MitM attack.
Since the attacker is known to install malicious binaries from the web, a proper code-signing process to verify the applications’ identity would also help to enhance the protection of the host and prevent the execution of illegitimate files.