Russia/Turla: Kaspersky Labs has published a report outlining new malware dubbed Reductor. The malware can compromise TLS (Transport Layer Security) traffic by patching the infected machine's TLS engine on the fly: it marks infected TLS handshakes by compromising the underlying random-number generator that produces the random values used in network traffic packets, and it installs additional digital certificates. This lets the threat actor identify, intercept, and decrypt TLS traffic from the infected computer. Kaspersky found that the code shares strong similarities with the COMPfun Trojan, and researchers currently consider it possible that COMPfun serves as a downloader in one of Reductor's distribution schemes. The similarities between the two code bases lead researchers to believe that the same authors developed both. COMPfun was previously linked to the Russian group Turla based on the victimology observed in its attacks; the code similarity combined with matching victimology once again points researchers to Turla as the group behind Reductor. Reductor marks TLS connections in a highly unusual way, by patching the browser rather than parsing network packets, and this level of sophistication is a further sign that Turla is behind the malware. The analyzed samples showed no Man-in-the-Middle (MitM) functionality. For initial infection, Reductor used trojanized installers delivered via HTTP downloads from warez websites; the original files on those websites were not infected, which points to manipulation of the download traffic in transit.
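A defender-side illustration of the handshake-marking point above, as an added example that is not Kaspersky's or Binary Defense's code: a minimal parser that pulls the 32-byte ClientHello random out of a raw TLS record, plus a heuristic that flags randoms which are low-entropy or repeat a prefix across hellos from the same host. The report does not publish the actual byte pattern Reductor writes into the random, so the entropy threshold, prefix length, and the sample record are all constructed assumptions.

```python
import math
from collections import Counter
from typing import Iterable


def build_client_hello(client_random: bytes) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (test input only)."""
    assert len(client_random) == 32
    body = (b"\x03\x03" + client_random      # client_version, random
            + b"\x00"                         # session_id length 0
            + b"\x00\x02\x13\x01"             # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                     # one compression method: null
            + b"\x00\x00")                    # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_client_hello_random(record: bytes) -> bytes:
    """Return the 32-byte random: record header (5) + handshake header (4) + version (2)."""
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short for a ClientHello")
    if record[0] != 0x16:          # ContentType.handshake
        raise ValueError("not a handshake record")
    if record[5] != 0x01:          # HandshakeType.client_hello
        raise ValueError("not a ClientHello")
    return record[11:43]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 32 distinct bytes give the maximum of 5.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_structured(client_random: bytes, seen: Iterable[bytes],
                     min_entropy: float = 3.5, prefix_len: int = 4) -> bool:
    """Heuristic (assumed thresholds): a patched RNG tends to leave a recognisable
    structure, so flag low entropy or a prefix already seen from this host."""
    if shannon_entropy(client_random) < min_entropy:
        return True
    prefix = client_random[:prefix_len]
    return any(r[:prefix_len] == prefix for r in seen)


# Constructed samples: one well-distributed random and one with an obvious fixed block.
GOOD_RANDOM = bytes(range(0x10, 0x30))
BAD_RANDOM = b"\x00" * 16 + bytes(range(16))
```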