New Reductor Malware Hijacks HTTPS Traffic

silversurfer

Researchers have discovered a new malware strain, dubbed Reductor, that allows attackers to manipulate Hypertext Transfer Protocol Secure (HTTPS) traffic by patching a browser's random number generator, whose output is what makes the connection between client and server private.

Once a system is infected, Reductor is used to spy on the victim's browser activity, said the Global Research and Analysis Team (GReAT) at Kaspersky, which discovered the malware. Researchers said Reductor is being used for cyber espionage against diplomatic entities in the post-Soviet republics known as the Commonwealth of Independent States.
Reductor then moves on to surveil internet communications. It does this by "patching" the browser's pseudo-random number generators, which supply the random values used to set up encrypted HTTPS connections between the user's browser and a website. In other words, instead of attempting to manipulate network packets themselves, the adversaries target the Firefox and Chrome browsers and their pseudo-random number generation functions.

“They don’t touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation functions in the process’s memory,” researchers wrote.

Pseudo-random number generation (PRNG) is used throughout cryptography. In this case, it is used while a secure HTTPS connection is being established between a client and server, that is, between a browser and a website. During the TLS handshake the PRNG supplies the random values the connection depends on, including the "pre-master secret" from which the session keys are derived. The pre-master secret must be unpredictable for the connection to be secure; a PRNG that an attacker can predict or influence undermines the handshake even though the packets on the wire look normal.
 
Turla hacker group lives up to its reputation with another clever/wacky hacking technique.
A Russian cyber-espionage hacker group has been spotted using a novel technique that involves patching locally installed browsers like Chrome and Firefox in order to modify the browsers' internal components.
The end goal of these modifications is to alter the way the two browsers set up HTTPS connections, and add a per-victim fingerprint for the TLS-encrypted web traffic that originates from the infected computers.
 
Researchers have found a new piece of malware, likely from an advanced threat group, that can patch the Chrome and Firefox browsers to mark the encrypted traffic coming from a victim's computer so that it can be identified on the network.
The threat also installs Transport Layer Security (TLS) certificates on the victim host, which can be used to carry out man-in-the-middle (MitM) attacks on encrypted traffic.
Modifying browsers' PRNG functions
Named Reductor, the threat was spotted in a campaign at the end of April that continued at least until August. Apart from TLS traffic manipulation, it comes with the typical assortment of remote access functions - upload, download, and execute files.
The interesting part is the actor's solution to marking the encrypted traffic of interest. They studied the code in Mozilla Firefox and Google Chrome and patched their pseudo-random number generator (PRNG) functions.
Browsers call the PRNG function to generate the random bytes placed at the start of the first handshake message (the 32-byte "client random" in the ClientHello), sent when the encrypted connection is negotiated with the server.
Reductor modifies the browsers' PRNG code to add hardware and software-based identifiers that are unique for each victim. This way, they can follow encrypted traffic from a compromised host all over the web.
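The mechanism described in the paragraphs above (a patched PRNG whose client random carries a per-victim marker, and what that means for anyone watching the wire) is easier to see in code. The following is an added example written for this post, not Reductor's code and not Kaspersky's analysis: the marker derivation, the number of bytes overwritten, and the host identifiers are all hypothetical assumptions, since the page does not describe the real encoding. It simulates an unpatched and a patched PRNG, wraps the output in a minimal TLS 1.2 ClientHello, and then runs the passive check a defender could apply to captured ClientHellos: with a genuine PRNG no byte position of the client random stays constant across connections, whereas a fingerprinted PRNG gives itself away by fixed bytes.

```python
import hashlib
import os
import struct

# Constructed example. Simulates the effect the articles describe (a browser
# PRNG patched so every TLS client random carries a per-victim marker) and a
# passive detection heuristic. Marker derivation and length are hypothetical.

MARKER_LEN = 4  # assumption: how many bytes of the client random get overwritten


def victim_marker(host_ids: list) -> bytes:
    """Hypothetical per-victim marker derived from hardware/software identifiers.
    The real malware's derivation is not described in the articles above."""
    return hashlib.sha256("|".join(host_ids).encode()).digest()[:MARKER_LEN]


def honest_random(nbytes: int) -> bytes:
    """Unpatched PRNG: every byte is unpredictable."""
    return os.urandom(nbytes)


def patched_random(nbytes: int, marker: bytes) -> bytes:
    """Patched PRNG: same length and same look as honest output, but the first
    MARKER_LEN bytes are replaced with the victim marker."""
    buf = bytearray(os.urandom(nbytes))
    buf[:len(marker)] = marker
    return bytes(buf)


def build_client_hello(client_random: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello record: one cipher suite, no extensions."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + client_random        # the 32-byte client random
        + b"\x00"              # session_id length: 0
        + b"\x00\x02\xc0\x2f"  # cipher_suites: one entry (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        + b"\x01\x00"          # compression_methods: null only
    )
    # handshake header: type 0x01 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    # record header: content type 0x16 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_client_random(record: bytes) -> bytes:
    """Pull the 32-byte client random out of a ClientHello record."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    # 5 (record header) + 4 (handshake header) + 2 (client_version) = offset 11
    return record[11:43]


def fixed_byte_positions(randoms: list) -> list:
    """Positions at which every observed client random has the same byte.
    For a genuine PRNG and a handful of samples this list should be empty."""
    return [i for i in range(32) if len({r[i] for r in randoms}) == 1]


def looks_fingerprinted(records: list, min_samples: int = 8) -> bool:
    """Passive network-side heuristic: several ClientHellos from one host
    sharing constant bytes in the client random is a sign of a patched PRNG."""
    randoms = [extract_client_random(r) for r in records]
    if len(randoms) < min_samples:
        raise ValueError("need at least %d samples for a meaningful check" % min_samples)
    return bool(fixed_byte_positions(randoms))


def marker_matches(record: bytes, marker: bytes) -> bool:
    """What the attacker's own collection point does: match a known victim."""
    return extract_client_random(record)[:len(marker)] == marker


if __name__ == "__main__":
    marker = victim_marker(["constructed-bios-serial-0001", "constructed-disk-serial"])
    victim_hellos = [build_client_hello(patched_random(32, marker)) for _ in range(10)]
    clean_hellos = [build_client_hello(honest_random(32)) for _ in range(10)]
    print("victim host fingerprinted:", looks_fingerprinted(victim_hellos))
    print("clean host fingerprinted:", looks_fingerprinted(clean_hellos))
    print("fixed positions on victim:", fixed_byte_positions(
        [extract_client_random(h) for h in victim_hellos]))
```

Two caveats for anyone turning this into a real detection: the constant-byte heuristic only works if the marker is stored in the clear at fixed offsets, and a marker that is mixed into the random bytes in a keyed way (as a real implant could do) would pass it, so the more reliable check is on the host, by verifying that the browser's PRNG code in memory matches the shipped binary. The ClientHello parser here is also deliberately minimal (TLS 1.2 framing, no extensions) and is not a general TLS parser.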