Reductor Malware Cleverly Manipulates TLS
October 15, 2019 | Guest Blogger: Kim Crawley

A lot of the time when encryption is defeated by cyber attackers, the cipher itself isn’t cracked. Rather, the cyber attacker just finds a way to bypass encryption. Newly discovered Reductor malware is an excellent example. If you use Google Chrome or Mozilla Firefox, you’re susceptible to it. If your web browser gets infected by Reductor, your HTTPS web traffic will be intercepted.


Kaspersky researchers started spotting Reductor in April. It's related to the COMpFun trojan. Not only does Reductor share a lot of code with COMpFun, but Reductor is also suspected of using COMpFun to install its modules. Therefore, the two malware strains are quite likely from the same cyber attackers.


COMpFun was first discovered by G DATA in 2014. Here’s how they described it:


“G DATA SecurityLabs experts discovered a new Remote Administration Tool, which we dubbed COMpfun. This RAT supports 32-bit and 64-bit Windows versions, up to the Windows 8 operating system. The features are rather common for today’s espionage tools: file management (download and upload), screenshot taking, keylogger functionality, code execution possibility and more. It uses HTTPS and asymmetric encryption (RSA) to communicate with the command and control server. The big novelty is the persistence mechanism: the malware hijacks a legitimate COM object in order to be injected into the processes of the compromised system. And it is remarkable that this hijacking action does not need administrator rights. With this RAT, attackers could spy on an infected system for quite a long time, as this detection evasion and persistence mechanism is indeed pretty advanced!”


The theory that Reductor is using the same command and control servers as COMpFun makes perfect sense. But if that’s the case then Reductor specifically targets Windows versions of Google Chrome and Mozilla Firefox. That’s still a massive user base.


Here’s how Reductor behaves. First, command and control servers upload Reductor to COMpFun-infected machines. The second step is especially sneaky. If the user tries to download a file from a website that distributes pirated software, Reductor patches it with malicious code. The pirated software may have had no malicious code originally, but Reductor turns it into malware.

Next, Reductor patches the random number generation function in web browsers that is used for TLS encryption. So instead of manipulating TLS packets directly, Reductor controls how web browsers interact with HTTPS sessions. The random number generator is designed to be used after a TLS handshake is negotiated, to create a pre-master secret that’s used in the TLS session to ensure authenticity. In order for HTTPS use to be secure, the pre-master secret must be kept unpredictable and confidential. Therefore, Reductor’s actions render TLS useless for encrypting a user’s web traffic.


As Kaspersky researchers explained:


“Browsers use PRNG (pseudo random number generator) to generate the ‘client random’ sequence for the network packet at the very beginning of the TLS handshake. Reductor adds encrypted unique hardware- and software-based identifiers for the victims to this ‘client random’ field. The operators know this value for every victim, because it's built using their digital certificates. Next, the threat actor receives all information and actions performed with this browser, while the victim remains unsuspecting of anything untoward.”
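The two passages above describe where the tampering lands: the 32-byte ‘client random’ field at the start of every ClientHello. Because the identifiers Reductor inserts are encrypted, the field still looks random byte-for-byte, so an entropy check on a single handshake would not notice anything. What a defender can observe is that a healthy browser never sends the same client random twice, whereas a value derived from a fixed per-victim identifier repeats across sessions. The following is an added example, not code from the original post or from Kaspersky’s research: it parses ClientHello records, extracts the client random, and flags any value that recurs across handshakes from a capture. The ClientHello bytes and the fixed “tag” value are constructed here for illustration and do not reproduce Reductor’s actual encoding.

```python
"""Parse TLS ClientHello records and flag client-random reuse across handshakes.

Added example for illustration; sample records below are constructed, not captured.
"""
import secrets
import struct
from collections import Counter
from typing import Iterable, Optional


def build_client_hello(client_random: bytes, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test data only)."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    # Two cipher suites are enough for a syntactically valid hello.
    cipher_suites = b"\x13\x01\xc0\x2f"
    body = (
        b"\x03\x03"                                        # legacy_version: TLS 1.2
        + client_random                                    # the field Reductor rewrites
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                      # compression_methods: null
        + b"\x00\x00"                                      # extensions length: 0
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte client random from a ClientHello record, else None."""
    if len(record) < 5 + 4 + 2 + 32:
        return None
    if record[0] != 0x16:                                  # ContentType handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                       # HandshakeType client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32:
        return None
    return body[2:34]                                      # skip legacy_version


def find_reused_randoms(records: Iterable[bytes], min_repeats: int = 2) -> dict:
    """Map each client random seen at least `min_repeats` times to its count.

    A correctly functioning browser draws a fresh random per handshake, so any
    repeat from the same host is worth an investigation.
    """
    counts: Counter = Counter()
    for rec in records:
        rnd = extract_client_random(rec)
        if rnd is not None:
            counts[rnd] += 1
    return {rnd: n for rnd, n in counts.items() if n >= min_repeats}


def demo() -> dict:
    """Constructed scenario: one host whose client random is pinned to a fixed value."""
    pinned = bytes.fromhex("4d41524b45525f5f" * 4)        # constructed placeholder "MARKER__" x4
    tagged = [build_client_hello(pinned) for _ in range(3)]
    healthy = [build_client_hello(secrets.token_bytes(32)) for _ in range(3)]
    return find_reused_randoms(tagged + healthy)


if __name__ == "__main__":
    for rnd, n in demo().items():
        print(f"client random {rnd.hex()} seen {n} times")
```

In practice the records would come from a packet capture of a single host’s outbound TLS; grouping by source host before counting keeps two different clients that happen to share nothing from being compared. The check is cheap and needs no decryption, which matches the point of the post: the damage is done on the client, and that is where the evidence is.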


It’s a very clever way to bypass TLS encryption. I’d applaud the cyber attackers for their ingenuity, but what they’re doing is tremendously harmful, especially considering the sensitive financial or medical data that could be sent through HTTPS.


Researchers have only observed Reductor from the client side, not the server side, so we can only speculate about what the cyber attackers are doing with the HTTPS packets they acquire. Reductor doesn’t seem to engage in man-in-the-middle attacks directly through packet manipulation. But Reductor may be facilitating man-in-the-middle attacks by replacing the client random field in packet headers with the unique ID produced by the patched random number generator during the handshake.
Kaspersky suspects that the cyber attackers behind Reductor are from the Turla group, which is known to be the author of COMpFun malware.


“Turla has in the past shown many innovative ways to accomplish its goals, such as using hijacked satellite infrastructure. This time, if we’re right that Turla is the actor behind this new wave of attacks, then with Reductor it has implemented a very interesting way to mark a host’s encrypted TLS traffic by patching the browser without parsing network packets. The victimology for this new campaign aligns with previous Turla interests.”


It's very important to make sure that your websites and web applications implement TLS securely. It's also important to carefully protect your public key infrastructure. But sometimes successful cyber attacks on TLS web traffic are executed purely through client-side vulnerabilities. The safe but pirated software files that Reductor adds malicious code to are transmitted from pirated software distribution websites over plaintext HTTP. If we could get rid of HTTP altogether and make all web traffic use HTTPS, perhaps malware like Reductor wouldn't be so successful in rendering TLS pointless.

About the author

Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.
