New Reductor Malware Hijacks HTTPS Traffic

silversurfer

Researchers have discovered a new malware strain, dubbed Reductor, that allows hackers to manipulate Hypertext Transfer Protocol Secure (HTTPS) traffic by tweaking a browser’s random numbers generator, used to ensure a private connection between the client and server.

Once infected, Reductor is used to spy on a victim’s browser activity, said the Global Research and Analysis Team (GReAT) at Kaspersky, which discovered the malware. Researchers said Reductor is being used for cyber espionage on diplomatic entities that are part of the post-Soviet republics known as Commonwealth of Independent States.
Once a system is infected, Reductor moves on to surveil internet communications. It does this by “patching” a browser’s pseudo random number generators, used to encrypt the traffic between a user’s browser and a website via HTTPS. In other words, instead of attempting to manipulate network packets themselves, adversaries target the Firefox and Chrome browsers and their pseudo random number generation functions.

“They don’t touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation functions in the process’s memory,” researchers wrote.

Pseudo random number generation (PRNG) is used throughout cryptography. In this case, it is used during the creation of a secure HTTPS connection between a client and server or browser and website. After a browser and website negotiate a TLS handshake the PRNG creates a random “pre-master secret” (or number) that will be used to secure the connection. The pre-master secret needs to be unpredictable for the connection to be secure.

[correlate]

Turla hacker group lives up to its reputation with another clever/wacky hacking technique.
A Russian cyber-espionage hacker group has been spotted using a novel technique that involves patching locally installed browsers like Chrome and Firefox in order to modify the browsers' internal components.
The end goal of these modifications is to alter the way the two browsers set up HTTPS connections, and add a per-victim fingerprint for the TLS-encrypted web traffic that originates from the infected computers.

[correlate]

Researchers have found a new piece of malware, likely from an advanced threat group, that can patch Chrome and Firefox browsers to identify the encrypted traffic from a victim's computer.
The threat adds to the victim host Transport Layer Security (TLS) certificates, which help carry out man-in-the-middle (MitM) attacks on encrypted traffic.
Modifying browsers' PRNG functions
Named Reductor, the threat was spotted in a campaign at the end of April that continued at least until August. Apart from TLS traffic manipulation, it comes with the typical assortment of remote access functions - upload, download, and execute files.
The interesting part is the actor's solution to marking the encrypted traffic of interest. They studied the code in Mozilla Firefox and Google Chrome and patched their pseudo-random number generator (PRNG) functions.
The PRNG function is used in browsers to generate a random sequence of numbers at the beginning of a packet for the initial handshake, when the encrypted connection is negotiated with the server.
Reductor modifies the browsers' PRNG code to add hardware and software-based identifiers that are unique for each victim. This way, they can follow encrypted traffic from a compromised host all over the web.
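The posts above describe the PRNG output at the start of the TLS handshake being replaced with per-victim identifiers. One defender-side consequence is that the effect is visible on the wire: the 32-byte client random in every ClientHello is sent in cleartext, so a capture from a single host can be checked for bytes that never change between sessions. The script below is an added example, not code from the articles or from Kaspersky; it builds constructed ClientHello records (no real captures), parses the client random back out, and flags a host whose randoms share more fixed byte positions than chance allows. Which TLS field Reductor actually marks is not stated in the posts, so treating the client random as the place to look is an assumption, and the 8-byte "tag" used to build the suspicious sample set is a made-up value for the demonstration.

```python
import os
import struct
from typing import List


def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not a real capture)."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    session_id = b""
    cipher_suites = bytes.fromhex("c02bc02f")  # two common ECDHE suites
    compression = b"\x00"
    body = (
        b"\x03\x03"                                   # client_version = TLS 1.2
        + client_random                               # the field a patched PRNG would affect
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + b"\x00\x00"                                 # extensions length = 0
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_client_random(record: bytes) -> bytes:
    """Parse a TLS handshake record carrying a ClientHello and return its 32-byte random."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) < 2 + 32:
        raise ValueError("truncated ClientHello")
    return body[2:34]   # skip the 2-byte version, take the 32-byte random


def invariant_positions(randoms: List[bytes]) -> List[int]:
    """Byte offsets that hold the same value in every observed client random of one host."""
    if len(randoms) < 2:
        return []
    return [i for i in range(32) if all(r[i] == randoms[0][i] for r in randoms)]


def looks_patched(randoms: List[bytes], max_invariant: int = 2) -> bool:
    """Flag a host whose client randoms share more fixed bytes than chance explains.

    For n independent 32-byte randoms, a given offset is constant with probability
    256 ** -(n - 1); with half a dozen sessions, three or more invariant offsets
    is a strong sign that the browser's PRNG output is no longer random there.
    """
    return len(invariant_positions(randoms)) > max_invariant


# Constructed sample sets: a healthy browser and a simulated tampered one.
HYPOTHETICAL_TAG = bytes.fromhex("0011223344556677")  # made-up per-host marker


def healthy_randoms(n: int = 6) -> List[bytes]:
    return [os.urandom(32) for _ in range(n)]


def tagged_randoms(n: int = 6) -> List[bytes]:
    # Fixed prefix followed by real entropy: the pattern a detector should catch.
    return [HYPOTHETICAL_TAG + os.urandom(24) for _ in range(n)]


def demo():
    """Run both sample sets through the full parse-and-check path."""
    healthy = [extract_client_random(build_client_hello(r)) for r in healthy_randoms()]
    tagged = [extract_client_random(build_client_hello(r)) for r in tagged_randoms()]
    return looks_patched(healthy), looks_patched(tagged)


if __name__ == "__main__":
    print("healthy flagged:", demo()[0], "| tagged flagged:", demo()[1])
```

The check is deliberately per-host: comparing randoms across different machines would not reveal a per-victim marker, since each host carries its own value. In a real deployment the client randoms would come from a packet capture or a TLS-aware sensor rather than from constructed records, and the threshold should be tuned against a baseline of known-clean browsers.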