Researchers have found a new piece of malware, likely from an advanced threat group, that patches the Chrome and Firefox browsers so that the encrypted (TLS) traffic leaving a victim's computer can be singled out on the wire.
The malware also installs Transport Layer Security (TLS) root certificates on the victim host, which would allow an attacker to carry out man-in-the-middle (MitM) attacks on encrypted traffic.
Modifying browsers’ PRNG functions
Named Reductor, the threat was spotted in a campaign that began at the end of April and continued at least until August. Apart from marking TLS traffic, it comes with the usual set of remote access functions: uploading, downloading and executing files.
The interesting part is how the actor marks the encrypted traffic of interest. They studied the code of Mozilla Firefox and Google Chrome and patched the pseudo-random number generator (PRNG) functions each browser uses for TLS.
Browsers call the PRNG at the very start of a TLS handshake to fill the 32-byte "client random" field of the ClientHello, the first message sent when an encrypted connection is negotiated with the server. That message travels in the clear, before any encryption is in place.
Reductor patches the PRNG code so that these "random" bytes carry hardware- and software-based identifiers unique to each victim. Anyone able to observe the traffic can then follow a compromised host's TLS sessions all over the web without decrypting anything, and the bytes still look random to everyone else.
“That places the actor in a very exclusive club, with capabilities that few other actors in the world have,” say security researchers from Kaspersky.
To keep the output looking pseudo-random, Reductor derives a first four-byte value (cert_hash) by repeatedly XORing the certificates it drops on the victim's computer, and a second four-byte value (hwid_hash) from hardware properties of the system: SMBIOS date and version, Video BIOS date and version, and hard drive volume ID.
“The latter three fields are encrypted using the first four bytes – initial PRN XOR key. At every round, the XOR key changes with the MUL 0x48C27395 MOD 0x7FFFFFFF algorithm. As a result, the bytes remain pseudo random, but with the unique host ID encrypted inside.”
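The following is an added model of the marking scheme described above; it is not Kaspersky's or the malware's code. Everything the write-up states is kept: a 32-byte client random that opens with a 4-byte pseudo-random XOR key, 4-byte fields (cert_hash, hwid_hash) XORed with that key, and a key that advances each round as key = (key * 0x48C27395) mod 0x7FFFFFFF. Everything else is an assumption made for the example: little-endian words, only the two named fields being carried, the XOR-fold and FNV-1a stand-ins for how the hashes are computed, and random filler for the remaining bytes. The constructed ClientHello and hardware values are sample data. Beyond the text, the block also shows the defender-side consequence of the design: because the fields are constant per host, randoms from one infected machine decode to the same values session after session, which a clean PRNG never does.

```python
"""Model of Reductor-style marking of the TLS client_random (added example; not
Kaspersky's or the malware's code).  From the write-up: the 32-byte client_random
in the ClientHello opens with a 4-byte pseudo-random XOR key, the following 4-byte
fields (cert_hash, hwid_hash, ...) are XORed with it, and the key advances every
round as key = (key * 0x48C27395) mod 0x7FFFFFFF.  Assumptions made here: words
are little-endian, only the two named fields are carried, the fold/hash functions
are stand-ins, and the remaining bytes are genuine random filler."""
import os
import struct

MUL = 0x48C27395          # multiplier quoted in the write-up
MOD = 0x7FFFFFFF          # modulus quoted in the write-up
RANDOM_LEN = 32           # TLS ClientHello.random is always 32 bytes


def next_key(key: int) -> int:
    """One round of the quoted key schedule (a Lehmer-style LCG step)."""
    return (key * MUL) % MOD


def cert_hash(fingerprints) -> int:
    """Assumed stand-in: XOR-fold the dropped certificates' SHA1 fingerprints into 32 bits."""
    acc = 0
    for fp in fingerprints:
        raw = bytes.fromhex(fp)
        for i in range(0, len(raw), 4):
            acc ^= int.from_bytes(raw[i:i + 4].ljust(4, b"\0"), "little")
    return acc


def hwid_hash(smbios_date, smbios_ver, vbios_date, vbios_ver, volume_id) -> int:
    """Assumed stand-in: 32-bit FNV-1a over the hardware fields the write-up names."""
    h = 0x811C9DC5
    for field in (smbios_date, smbios_ver, vbios_date, vbios_ver, volume_id):
        for b in field.encode():
            h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def mark_client_random(initial_key: int, fields, rng=os.urandom) -> bytes:
    """Victim side: build a client_random that hides `fields` under the key schedule."""
    out = struct.pack("<I", initial_key)          # first 4 bytes: the XOR key itself
    key = initial_key
    for value in fields:
        out += struct.pack("<I", value ^ key)     # one field per round
        key = next_key(key)                       # key changes every round
    return out + rng(RANDOM_LEN - len(out))       # assumed: rest is ordinary randomness


def recover_fields(client_random: bytes, count: int):
    """Operator side: read the key from the first word and peel off `count` fields."""
    key = struct.unpack_from("<I", client_random, 0)[0]
    fields = []
    for i in range(count):
        word = struct.unpack_from("<I", client_random, 4 + 4 * i)[0]
        fields.append(word ^ key)
        key = next_key(key)
    return fields


def build_client_hello(client_random: bytes) -> bytes:
    """Constructed minimal TLS ClientHello record, just enough to exercise extraction."""
    body = b"\x03\x03" + client_random + b"\x00"   # client_version, random, empty session_id
    body += b"\x00\x02\x13\x01"                      # one cipher suite
    body += b"\x01\x00"                              # null compression only
    body += b"\x00\x00"                              # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_client_random(record: bytes) -> bytes:
    """Pull ClientHello.random from a raw record: 5-byte record header, 4-byte
    handshake header, 2-byte version, then the 32 random bytes."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    return record[11:11 + RANDOM_LEN]


def looks_marked(client_randoms, count: int = 2) -> bool:
    """Defender heuristic: randoms from one host decode to identical fields if marked;
    a clean PRNG yields unrelated values every session."""
    decoded = {tuple(recover_fields(r, count)) for r in client_randoms}
    return len(client_randoms) > 1 and len(decoded) == 1


def demo():
    """Two sessions from the same constructed victim, each with a fresh initial key."""
    fps = ["546F7A565920AEB0021A1D05525FF0B3DF51D020",
           "959EB6C7F45B7C5C761D5B758E65D9EF7EA20CF3",
           "992BACE0BC815E43626D59D790CEF50907C6EA9B"]
    fields = [cert_hash(fps),  # constructed hardware values below
              hwid_hash("04/15/2018", "2.4", "11/30/2017", "86.02.1B", "A1B2-C3D4")]
    randoms = [extract_client_random(build_client_hello(mark_client_random(k, fields)))
               for k in (0x1A2B3C4D, 0x0BADF00D)]
    return recover_fields(randoms[0], 2) == fields, looks_marked(randoms)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` returns `(True, True)`: the operator recovers both identifiers from the first 12 bytes of a ClientHello, and two handshakes from the same host decode to the same pair. The heuristic in `looks_marked` needs nothing but the quoted key schedule and a few ClientHellos per source address, so it is a practical check to run over a capture even though the real cert_hash and hwid_hash functions are not public.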
Reductor itself contains no MitM functionality, but the certificates it installs would support such an attack. Traffic manipulation did play a part in the initial infection: legitimate software installers were replaced "on the fly" with malicious variants on their way to the victim.
This theory is supported by the researchers' finding that the installers at the source were not tainted, yet the victims received compromised versions.
The root certificates Reductor drops on the victim host:

| Certificate SHA1 fingerprint | CA for root cert | Valid till (GMT) |
|---|---|---|
| 546F7A565920AEB0021A1D05525FF0B3DF51D020 | GeoTrust Rsa CA | 2031.11.17 22:56:10 |
| 959EB6C7F45B7C5C761D5B758E65D9EF7EA20CF3 | GeoTrust Rsa CA | 2031.11.17 22:56:10 |
| 992BACE0BC815E43626D59D790CEF50907C6EA9B | VeriSign, Inc. | 2031.11.17 22:56:10 |
The analysis is based on the behaviour of the client; the researchers had no visibility into the server side, so how the marked traffic was collected and used downstream remains unknown.
In their investigation, Kaspersky analysts found that Reductor has "strong code similarities" with COMPfun, a trojan from 2014 that they believe is linked to the Turla APT group. The link between COMPfun and Turla, though, rests only on victimology.