- A new malware dubbed Reductor that can compromise encrypted TLS traffic has been observed by security researchers.
- Apart from performing trojan functions, the malware can manipulate digital traffic and mark outbound TLS traffic with unique identifiers.
The big picture
Reductor is a new malware strain documented by researchers at Kaspersky Lab.
- The malware has been observed to replace legitimate installers with infected ones and decode encrypted TLS traffic.
- It spreads by infecting popular software distributions such as Internet Downloader Manager and WinRAR. Another infection vector uses the COMPfun malware’s ability to download files onto compromised hosts.
The malware doesn’t carry out man-in-the-middle attacks; it infects the browser itself.
- The Reductor malware adds digital certificates to the target host without touching the network packets.
- The malware authors analyzed browser code in order to patch the pseudo-random number generator (PRNG) functions in the memory of the browser processes.
- Because the decoding happens in process memory rather than on the wire, the malware remains undetected by administrators or security tools.
- Compromising the random number generator allows the attacker to know how traffic will be encrypted when a TLS connection is established.
- This allows the malware to decode traffic and send relevant data to its command-and-control (C2) server.
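The mechanism above leaves one artifact a defender can look for: if a patched PRNG feeds a fixed identifier into a TLS handshake, the ClientHello Random field, which is supposed to be 32 fresh random bytes per connection, will carry a repeating substring across sessions or lose entropy. The following Python is an added example written for this page, not code from the article or from Kaspersky’s research; it assumes (the page does not say where the marker is placed) that the identifier lands at a fixed offset inside the ClientHello Random, skips the first four bytes because older TLS stacks legitimately put a timestamp there, and parses constructed handshake records rather than a real capture.

```python
import math
import struct
from collections import Counter


def parse_client_hello_random(record: bytes) -> bytes:
    """Return the 32-byte Random field of a TLS ClientHello record."""
    # TLS record header: content type (1), version (2), length (2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg type (1), length (3); type 1 = ClientHello
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ClientHello body starts with client_version (2) then random (32)
    if len(hello) < 34:
        raise ValueError("truncated ClientHello")
    return hello[2:34]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 32 distinct bytes give the maximum of 5.0."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal ClientHello (TLS 1.2 wire format) for offline testing."""
    assert len(random32) == 32
    hello = (b"\x03\x03" + random32      # client_version, random
             + b"\x00"                   # session_id length 0
             + b"\x00\x02\x13\x01"       # one cipher suite (TLS_AES_128_GCM_SHA256)
             + b"\x01\x00")              # one compression method: null
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def find_repeated_markers(records, window=4, min_repeats=2, skip=4):
    """Flag (offset, value) windows inside the Random that recur across sessions.

    With a healthy PRNG, the same 4 bytes at the same offset across even two
    sessions is a ~2^-32 event; a patched PRNG writing a fixed victim ID
    produces exactly that. Offsets below `skip` are ignored because legacy
    clients placed gmt_unix_time in the first four bytes.
    """
    seen = Counter()
    for rec in records:
        rnd = parse_client_hello_random(rec)
        for off in range(skip, 32 - window + 1):
            seen[(off, rnd[off:off + window])] += 1
    return sorted((off, val.hex()) for (off, val), c in seen.items() if c >= min_repeats)


def low_entropy_randoms(records, threshold=3.0):
    """Return (index, entropy) for sessions whose Random is implausibly uniform."""
    hits = []
    for i, rec in enumerate(records):
        ent = shannon_entropy(parse_client_hello_random(rec))
        if ent < threshold:
            hits.append((i, round(ent, 2)))
    return hits


# Constructed sample sessions: two carry a hypothetical 4-byte marker at offset 8,
# one is clean, and one has a degenerate all-0x41 Random.
MARKER = b"\xde\xad\xbe\xef"
_r1 = bytearray(i * 7 % 256 for i in range(32)); _r1[8:12] = MARKER
_r2 = bytearray((i * 13 + 5) % 256 for i in range(32)); _r2[8:12] = MARKER
_r3 = bytes((i * 11 + 3) % 256 for i in range(32))
_r4 = b"\x41" * 32
SAMPLE_RECORDS = [build_client_hello(bytes(_r1)), build_client_hello(bytes(_r2)),
                  build_client_hello(_r3), build_client_hello(_r4)]

if __name__ == "__main__":
    print("repeated windows:", find_repeated_markers(SAMPLE_RECORDS))
    print("low-entropy sessions:", low_entropy_randoms(SAMPLE_RECORDS))
```

Run against the Random fields extracted from a real capture of one host’s outbound handshakes, the repeated-window check is the more useful of the two: a marker only a few bytes long does not depress the entropy of a 32-byte field enough to trip a threshold, but it does collide at the same offset in every session.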
Because of the similarities this malware shares with the COMPfun malware, there is a possibility that Turla is the responsible threat actor.
“The Kaspersky Attribution Engine shows strong code similarities between this family and the COMPfun Trojan. Moreover, further research showed that the original COMPfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, we’re quite sure the new malware was developed by the COMPfun authors,” the research states.
According to the researchers, the victims of this campaign align with the Turla threat group’s interests.