Threat Watch

New Reductor Malware Tentatively Linked to Turla

Russia/Turla: Kaspersky Labs has published a report outlining a new malware dubbed Reductor. This malware can infiltrate the TLS (Transport Layer Security) traffic by infecting machines with a comprised TLS engine substitute on the fly, marking infected TLS handshakes by compromising the underlining random-number generator that creates the random sequence for network traffic packets, and adding new digital certificates. By doing this, the threat actor is able to identify, intercept, and decrypt the TLS traffic from the infected computer. Kaspersky has found that this code has strong similarities to the COMPfun Trojan. Researchers believe at this time that there is a possibility that COMPfun is used as a downloader in one of the distribution schemes for Reductor. The similarities seen between the two codes give researchers reason to believe that the same authors developed both codes. COMPfun was previously linked to the Russian group Turla based on the victimology that was seen in the attacks. In this case, because of the similarity in code as well as the victimology, researchers were once again led to believe that Reductor is the work of the Turla group. Reductor has a very unique way of marking the encrypted TLS certificates by patching the browser without parsing network packets. This type of sophistication is another sign that Turla would be behind the malware. The malware did not appear to have any Man-in-the-Middle (MitM) functionalities in the samples that were analyzed. Reductor used infected installers for initial infection via HTTP downloads from Warez websites. The original files on these websites were not infected, which points to subsequent traffic manipulation.


The link between Turla and Reductor is very thin at this point, but the entire operation is likely being run by Russia. People must use Transport Layer Security (TLS) to encrypt all communication over the internet. In a typical situation, users would be able look for the “lock” icon in their browser’s visual cues to verify that their connection is encrypted. However, if malware such as Reductor is installed on a computer, even encrypted communications are at risk of interception and decryption because the attacker is controlling the encryption keys and can force the computer to use keys that the attacker possesses. It is recommended that companies adopt a defense-in-depth approach to security, which includes up-to-date anti-virus software, network segmentation, firewalls that control both inbound and outbound communication, sufficient event logging, and 24×7 detection and monitoring by a security operations center, either staffed internally or managed by a security provider such as Binary Defense.