The Latest on Reductor: Turla-Associated RAT Uses Novel Method to Compromise TLS Connections to Mark and Monitor Its Victims

October 17, 2019 | Yana Blachman

Researchers discovered last week a new Remote Administrative Tool (RAT), dubbed Reductor, that is able to compromise network traffic and TLS communication. It does so in a unique way that is not prevalent in the wild and is reserved for highly skilled operators. Once it hits the target, the malware can manipulate the digital certificates in the victim's trusted certificate store and mark the victim's outbound TLS connections, apparently for the purpose of monitoring, espionage and execution of a secondary infection stage.

Analysis of the malware revealed strong similarities with the COMPfun trojan reported by G-DATA back in 2014. Based on the type of its victims, COMPfun was later associated with the Russian state-sponsored cyber-espionage threat group Turla, known for its high-profile targets and sophisticated self-crafted tools and rootkits.

Reductor Stage 1: Infection

Researchers from Kaspersky considered two potential infection scenarios. The first assumes that websites distributing popular utility software, such as WinRAR, Office Activator and Internet Downloader Manager, or "warez" sites (websites for cracked software) were infected and served malicious code bundled with the legitimate installers. The second assumes that Reductor was a second-stage malware dropped on machines already infected with another malware.

Infection Scenario #1

Further research and additional samples contradicted the initial assumption that legitimate distribution websites were compromised, and showed that the threat actors were in fact swapping the legitimate installers for malicious ones "on the fly." To do that, they needed access to the victim's network (or to an ISP) in order to intercept HTTP traffic, which let them modify or replace a legitimate installer with a compromised one as it was downloaded over an unencrypted channel.

The researchers observed that although the installers were downloaded from legitimate secure websites that were using HTTPS, the download itself took place over unencrypted HTTP.

Swapping the installers for illegitimate ones on the fly also implies either that the host performed poor code-signing verification on files downloaded from the web, or that the attackers signed the replacements with code-signing credentials compromised from other victims in order to pass verification.

Infection Scenario #2

The second theory also remained plausible: additional Reductor samples found on other victims' hosts showed that those hosts were already infected with the COMPfun malware that Kaspersky associates with Turla.


Reductor Stage 2: TLS Compromise

Once the infected installers hit the target, the malware was able to modify the victim's trusted certificate store and add its own root X.509v3 certificates. Reductor also allows attackers to add further certificates remotely at a later stage through a Microsoft Named Pipe.

Root certificates are used in public key cryptography to identify a Root Certificate Authority (CA) and to establish secure TLS communications between a web browser and a server. Installation of a root certificate on the compromised system gives the operators a way to degrade the host's security and enable Man-in-the-Middle (MitM) capabilities for intercepting information transmitted over TLS connections.

It's worth mentioning that no MitM functionality was observed in the malware samples themselves, which further supports the assumption that the traffic manipulation took place outside the infected host.

Root certificates used by Reductor:

| SHA1                                     | CA              | Expiration date (GMT) |
|------------------------------------------|-----------------|-----------------------|
| 119B2BE9C17D8C7C5AB0FA1A17AAF69082BAB21D | ie-paypal       | 2031.11.17 22:56:10   |
| 546F7A565920AEB0021A1D05525FF0B3DF51D020 | GeoTrust Rsa CA | 2031.11.17 22:56:10   |
| 959EB6C7F45B7C5C761D5B758E65D9EF7EA20CF3 | GeoTrust Rsa CA | 2031.11.17 22:56:10   |
| 992BACE0BC815E43626D59D790CEF50907C6EA9B | VeriSign, Inc.  | 2031.11.17 22:56:10   |


Reductor Stage 3: Monitoring

The most impressive part of the attack was the ability of the Reductor operators to compromise a TLS connection without touching or parsing any network packet: they marked every outbound TLS connection made by the victim's browser from inside the browser itself.

By analyzing the Firefox source code and the Chrome binary code, the actors were able to locate the Pseudo Random Number Generation (PRNG) function and to "patch" (modify) it.

The PRNG function generates the random sequence that the browser uses in the first stage of the TLS handshake. The actors replaced that random sequence with host metadata that identified their victims and allowed them to monitor and track those victims among the many identities crossing a potentially vast network.

The first four-byte hash was built from Reductor's digital certificates. The second four-byte hash is based on the target's hardware properties, including the SMBIOS date and version, the Video BIOS date and version and the hard drive volume ID. As a result, the bytes still look pseudo-random, yet they carry unique host details encrypted within them.
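A defender's way to spot this kind of marking, as an added example that is not from the original post or from Kaspersky's analysis: a compliant TLS client draws a fresh 32-byte Random for every ClientHello, so the same leading bytes recurring across connections from one host is a strong anomaly. The code assumes the marker occupies the first eight bytes (the two four-byte hashes described above); the ClientHello records, host addresses and the tag value are constructed test data, not real Reductor values.

```python
"""Flag hosts whose TLS ClientHello Random field reuses a prefix across connections."""
import random
from collections import defaultdict


def build_client_hello(rand32: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record around a 32-byte Random (constructed input)."""
    assert len(rand32) == 32
    body = b"\x03\x03" + rand32 + b"\x00"      # client_version, random, empty session_id
    body += b"\x00\x02\xc0\x2f"                  # one cipher suite
    body += b"\x01\x00"                          # one compression method (null)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake header: ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs  # record header: handshake


def parse_client_random(record: bytes) -> bytes:
    """Return the 32-byte Random field of a TLS ClientHello record (RFC 5246 layout)."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    # 5-byte record header + 4-byte handshake header + 2-byte client_version = offset 11
    return record[11:43]


def hosts_with_repeated_random_prefix(hellos_by_host, prefix_len=8, min_repeats=3):
    """Map host -> hex prefix for hosts whose ClientHellos repeat the same leading Random bytes.

    Eight truly random bytes have a 2**-64 chance of recurring, so min_repeats=3
    identical prefixes from one host point at a patched PRNG, not at chance.
    """
    flagged = {}
    for host, records in hellos_by_host.items():
        counts = defaultdict(int)
        for rec in records:
            counts[parse_client_random(rec)[:prefix_len]] += 1
        prefix, n = max(counts.items(), key=lambda kv: kv[1])
        if n >= min_repeats:
            flagged[host] = prefix.hex()
    return flagged


def sample_traffic():
    """Constructed capture: one healthy host and one host whose Random carries a fixed 8-byte tag."""
    rng = random.Random(2019)
    fresh = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    tag = bytes.fromhex("a1b2c3d4e5f60718")  # placeholder marker, not a real Reductor value
    return {
        "10.0.0.5": [build_client_hello(fresh(32)) for _ in range(4)],        # normal browser
        "10.0.0.9": [build_client_hello(tag + fresh(24)) for _ in range(4)],  # marked browser
    }


if __name__ == "__main__":
    print(hosts_with_repeated_random_prefix(sample_traffic()))
```

Running the same check over a real capture only needs a function that yields ClientHello records grouped by source address; the parser ignores everything after the Random field.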


Reductor Stage 4: Attribution

Kaspersky's static analysis of the Reductor binary showed strong code similarities with the COMPfun trojan family discovered in 2014. Based on victimology, Kaspersky associates the trojan with one of the longest-known state-sponsored cyber-espionage groups, Turla. The group, also referred to as Snake, Waterbug, WhiteBear, Venomous Bear and Krypton, has been active since 2004 and is known for building its own custom backdoors and in-house malware.

One of the tools that brought the group to the headlines was the sophisticated Uroburos/Snake rootkit, first reported by G-DATA and Kaspersky ("Epic Turla") in 2014, which infected hundreds of victims in over 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies.

Similar to the Reductor case, the analysis of Uroburos/Snake showed that the threat actors most likely had access to the victims' compromised local gateways, which allowed them to intercept and modify traffic on the fly, inject malicious payloads or alter unencrypted content.

Developing such unique capabilities and TTPs (Tactics, Techniques and Procedures) for monitoring and marking a victim's traffic fits the profile of a state-sponsored group such as Turla, and raises many unanswered questions regarding the intent and objectives of the threat group as well as who it is after.


TLS and Machine Identity Protection

Most web and internet traffic depends on the TLS protocol for encryption and data integrity. TLS also provides end-to-end security for communication over the networks of most large organizations around the globe. Any compromise of, or attack against, the protocol's implementation can have serious implications for companies that rely on TLS to secure their channels.

Turla's ability to compromise TLS communication shows that the security and integrity of the protocol implementation is at risk and can be breached for various malicious purposes, whether espionage or financial gain. Although this specific technique is currently reserved to an exclusive club, once it has been demonstrated and exposed in the public domain it has the potential to become widespread and part of the arsenal of more threat actors.

At a time when TLS communication is at risk, addressing such a threat becomes more crucial than ever. Organizations that rely on TLS need to reconsider their security controls and evaluate the effectiveness of their processes for protecting machine identities.

Protection strategies for machine identities in an organizational network must ensure that trusted digital certificates are not manipulated and that trusted certificate stores are monitored and supervised. To do this, organizations should maintain maximum visibility of their network and properly configure their security applications, such as NGFWs, with their digital certificates so that they can alert on any modification of the trusted identities in the network. Detecting the use of rogue certificates increases the chance of preserving the integrity of communication and countering a potential MitM attack.

Since the attacker is known to install malicious binaries from the web, a proper code-signing process to verify the identity of applications would also help to harden the host and prevent the execution of illegitimate files.


About the author

Yana Blachman

Yana is Threat Intelligence Specialist at Venafi and has worked in the field over the last 7 years. Yana’s expertise includes tactical and operational threat analysis, threat hunting, and Dark Web intelligence.
