The cybercriminal group Turla (also known as Venomous Bear or Waterbug) distributes new malware called Reductor and with its help, intercepts encrypted TLS traffic and infects the target network.
According to the researchers, there is a resemblance between Reductor and the previously discovered COMPfun Trojan, in particular common creator. According to experts, the COMPfun Trojan, allegedly developed by Turla, is used as a bootloader.Attackers use two different methods to distribute Reductor. In the first version, they use infected software installers with built-in 32-bit and 64-bit versions of Reductor. Such popular programs as Internet Download Manager, WinRAR, pirated sites, etc can represent these installers.
In the second scenario, targets are already infected by the COMpfun Trojan, which uses the COM CLSID attribute to achieve persistence on the system. Having accessed the address bar of the browser, the trojan can execute a command to download additional modules from the C&C server, including the Reductor dropper / decoder.
Read also: Apple Releases 4 Security Bulletins in 8 Days and Closed Gaps on All Platforms
The malware adds digital certificates from its partition to the target host and allows operators to add additional certificates remotely through the named pipe.
Malicious authors break the TLS handshake without intercepting Internet traffic. Instead, they analyze the source code of Mozilla Firefox browsers and the Google Chrome binary code to fix the corresponding pseudo random number generation (PRNG) functions in the process memory.
Browsers use the PRNG to generate a “random client” sequence for the network packet at the very beginning of the TLS handshake. Reductor adds encrypted unique hardware and software identifiers for victims in the “random client” field. To correct the functions of the PRNG system, the developers used a small built-in disassembler of the instruction length from Intel.
“Malicious software does not carry out a MitM attack. However, we initially believed that the installed certificates could facilitate MitM attacks on TLS traffic, and the random client field with a unique identifier in the handshake would identify the traffic of interest. Further analysis confirmed our guesses”, – report the researchers.
According to telemetry, the attackers already had some control over the victim’s network channel, thanks to which they replaced legitimate installer with a the malicious one.
“All messages from the C&C server are processed in a separate stream. The reducer sends HTTP POST requests with a unique identifier of the target equipment, encrypted using AES 128, to the /query.php scripts on the C&C server specified in its configuration”, – the researchers explain.
The malicious program receives commands from the C&C server to perform various operations, which include downloading files, searching for the host name, updating the installed digital certificate, creating a new process, deleting the file path, checking the Internet connection, etc.
A named pipe is a method of interprocess communication, an extension of the concept of a pipeline in Unix and similar OSs. A named pipe allows various processes to exchange data, even if the programs running in these processes were not originally written to interact with other programs.
One Comment