Monday, November 25, 2024

Turla APT Hackers Using New Malware to Break The TLS Encrypted Web Traffic Communication


Turla APT threat actors are distributing a new malware called Reductor, a successor to COMpfun, to compromise TLS-encrypted web traffic and infect targeted networks.

Reductor has RAT functionality, including uploading, downloading, and executing files on victims' networks, and it manipulates the digital certificates installed on the infected host.

Researchers believe the malware is linked to Turla APT because of strong code similarities between this family and the COMpfun malware.


The Turla APT group, also known as Venomous Bear or Waterbug, has been carrying out high-profile cyber-attacks on government networks since 2004, especially in the Middle East, Central and Far East Asia, Europe, and North and South America.

The Reductor campaign started at the end of July 2019 and spreads through various mediums such as Internet Download Manager, WinRAR, and, most importantly, well-known pirated-software (warez) websites.

Breaking the Encrypted Web Traffic

The malware takes root X509v3 certificates from its data section and adds them to the targeted host's certificate store. Reductor operators can also add further certificates remotely through a named pipe.

[Figure: one of the decoded CA X509v3 certificates inside the Reductor malware]

The malware developers interfere with the TLS handshake without touching the web traffic itself: they analyzed the Firefox source code and the Chrome binary code in order to take control of the corresponding pseudo-random number generator (PRNG) functions.

Browsers use this PRNG to generate the 'client random' sequence sent in the network packet at the very beginning of the TLS handshake.

"In order to patch the system's PRNG functions, the developers used a small embedded Intel instruction length disassembler."

Using this patch, Reductor writes an encrypted hardware and software identifier into the 'client random' field.
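The handshake marking described above gives defenders something to look for on the wire. The following is an added illustration, not code from the article or from Kaspersky: it extracts the 32-byte client random from a TLS ClientHello record and flags any host whose client randoms share a recurring leading chunk across handshakes, which an intact browser PRNG would never produce. The per-host prefix heuristic, the host addresses and the sample records are all constructed assumptions.

```python
import struct
from collections import defaultdict

def client_random(record: bytes) -> bytes:
    """Return the 32-byte client random from a TLS record carrying a ClientHello.

    Record header: type(1)=0x16, version(2), length(2).  Handshake header:
    type(1)=0x01, length(3), then client version(2) and the 32-byte random.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 38 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    return body[6:38]

def build_client_hello(random32: bytes) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record (constructed test input)."""
    hello = b"\x03\x03" + random32 + b"\x00"   # client version, random, empty session id
    hello += b"\x00\x02\x13\x01"                # one cipher suite
    hello += b"\x01\x00"                        # one compression method (null)
    hello += b"\x00\x00"                        # no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def marked_hosts(flows, prefix_len=4, min_repeats=3):
    """flows: iterable of (source_host, tls_record).  A browser with an intact PRNG
    never reuses client-random bytes; a leading chunk that recurs from the same
    host across handshakes is the kind of per-host marker the article describes.
    Returns {host: set(repeated prefixes)} for hosts that reach the threshold.
    Heuristic assumption: the marker keeps a stable per-host prefix."""
    counts = defaultdict(lambda: defaultdict(int))
    for host, record in flows:
        try:
            counts[host][client_random(record)[:prefix_len]] += 1
        except ValueError:
            continue            # not a ClientHello: ignore
    result = {}
    for host, prefixes in counts.items():
        hits = {p for p, n in prefixes.items() if n >= min_repeats}
        if hits:
            result[host] = hits
    return result

# Constructed sample: 10.0.0.5 sends three hellos sharing a 4-byte prefix (marked);
# 10.0.0.9 sends three hellos with distinct randoms (healthy).
SAMPLE_FLOWS = (
    [("10.0.0.5", build_client_hello(b"\xde\xad\xbe\xef" + bytes(28 * [i]))) for i in range(3)]
    + [("10.0.0.9", build_client_hello(bytes(range(i, i + 32)))) for i in range(3)]
)

if __name__ == "__main__":
    print(marked_hosts(SAMPLE_FLOWS))   # {'10.0.0.5': {b'\xde\xad\xbe\xef'}}
```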

According to Kaspersky research, "The Reductor malware does not carry out a man-in-the-middle (MitM) attack itself. However, our initial thought was that the installed certificates may facilitate MitM attacks on TLS traffic; and the 'client random' field, with the unique ID in the handshake, would identify the traffic of interest."

With the help of telemetry data, the researchers also observed that the attackers already have some control over the target's network channel, through which they are replacing the malicious installer with a legitimate one.

Reductor Malware Infection and Features

Reductor reaches its targets in two different ways. In the first scenario, the attackers use a malicious software installer launched through Internet Download Manager or Office Activator.

In the second, the attackers take advantage of victims already infected with the COMpfun Trojan and abuse the browser's address space to receive the trojan from the command and control server.

“All C2 communications are handled in a standalone malware thread. Reductor sends HTTP POST queries to the /query.php scripts on the C2s listed in its configuration. The POST query contains the target’s unique hardware ID encrypted with AES 128.”

The C2 server sends the malware various commands: download (downfile) and upload (upfile) files, report the hostname, renew the digital certificates installed on the host, create a new process (execfile), delete a file path (deletefile), check the internet connection, and more.

Researchers did not observe any MitM attacks, but as noted above, Reductor can install digital certificates and mark the targets' TLS traffic for subsequent traffic manipulation.

Indicator of Compromise



Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
