Turla APT threat actors are distributing a new malware called Reductor, a successor of COMpfun, to compromise TLS-encrypted web traffic and infect targeted networks.
Reductor has RAT functionality, such as uploading, downloading and executing files on victims’ networks, alongside its manipulation of digital certificates.
Researchers note strong code similarities between this family and the COMpfun malware and link it to Turla APT.
The Turla APT group, also known as Venomous Bear or Waterbug, has been carrying out high-profile cyber-attacks on government networks since 2004, especially in the Middle East, Central and Far East Asia, Europe, and North and South America.
The Reductor campaign started at the end of July 2019 and spreads through several mediums: installers for software such as Download Manager and WinRAR and, most importantly, popular pirated-software (warez) websites.
Breaking the Encrypted Web Traffic
The malware takes root X.509v3 certificates from its data section and installs them on the targeted victim’s host. Operators can also remotely add further certificates through a named pipe.
The developers interfere with the TLS handshake without touching the web traffic itself: they analyzed the Firefox source code and the Chrome binary code in order to patch the browsers’ corresponding pseudo-random number generation (PRNG) functions.
Browsers use this PRNG to generate the ‘client random’ value sent in the very first packet of the TLS handshake.
“In order to patch the system’s PRNG functions, the developers used a small embedded Intel instruction length disassembler.”
Reductor then writes an encrypted hardware and software identifier of the victim into the ‘client random’ field.
According to Kaspersky research, “The Reductor malware does not carry out a man-in-the-middle (MitM) attack itself. However, our initial thought was that the installed certificates may facilitate MitM attacks on TLS traffic; and the ‘client random’ field, with the unique ID in the handshake, would identify the traffic of interest.”
Researchers eventually confirmed through telemetry data that the attackers already have some control over the target’s network channel and use it to replace legitimate installers with malicious ones on the fly.
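As an added defender-side example (not from Kaspersky’s analysis or from the malware itself), the following Python parses the client random out of TLS ClientHello records and flags hosts whose randoms repeat the same leading bytes across connections. The record layout follows the TLS specification; the marker bytes, host addresses and sample handshakes are constructed, since Reductor’s actual encoding of the identifier is not given on this page.

```python
"""Heuristic to spot TLS ClientHellos whose 'client random' carries a fixed marker.

A genuine 32-byte client random comes from the browser's PRNG, so two handshakes
from the same host should never share a long common prefix; an identifier written
into that field by a patched PRNG recurs across connections. Reductor's real byte
layout is not documented here: MARKER below is a constructed placeholder.
"""
import hashlib
import struct
from collections import defaultdict


def parse_client_random(record: bytes) -> bytes:
    """Return the 32-byte random from a TLS record that carries a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 38 or body[0] != 0x01:             # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    return body[6:38]                                 # skip type(1), length(3), version(2)


def build_client_hello(random32: bytes) -> bytes:
    """Construct a minimal ClientHello record around a given 32-byte random."""
    hello = b"\x03\x03" + random32 + b"\x00"          # version, random, empty session id
    hello += b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


def flag_shared_prefix(hellos_by_host: dict, prefix_len: int = 8) -> dict:
    """Map host -> hex prefix for hosts whose randoms repeat the same leading bytes."""
    flagged = {}
    for host, records in hellos_by_host.items():
        seen = defaultdict(int)
        for rec in records:
            seen[parse_client_random(rec)[:prefix_len]] += 1
        for prefix, count in seen.items():
            if count >= 2:
                flagged[host] = prefix.hex()
    return flagged


# Constructed sample traffic: one clean host with fresh randoms, one "marked"
# host whose randoms all begin with the same placeholder identifier bytes.
MARKER = bytes.fromhex("deadbeef00112233")            # placeholder, not Reductor's format
SAMPLE = {
    "10.0.0.5": [build_client_hello(hashlib.sha256(b"clean%d" % i).digest()) for i in range(3)],
    "10.0.0.9": [build_client_hello(MARKER + hashlib.sha256(b"mark%d" % i).digest()[:24]) for i in range(3)],
}

if __name__ == "__main__":
    print(flag_shared_prefix(SAMPLE))                 # {'10.0.0.9': 'deadbeef00112233'}
```

On real captures, feed each host’s ClientHello records into flag_shared_prefix and review flagged hosts together with their installed root certificates.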
Reductor Malware Infection and Features
Reductor reaches its targets in two ways. In the first, the victim runs a malicious software installer, such as a trojanized Internet Download Manager or Office Activator.
In the second, the attackers leverage hosts already infected with the COMpfun Trojan and use the browser’s address space to fetch Reductor from the command-and-control server.
“All C2 communications are handled in a standalone malware thread. Reductor sends HTTP POST queries to the /query.php scripts on the C2s listed in its configuration. The POST query contains the target’s unique hardware ID encrypted with AES 128.”
The C2 server can issue various commands, including downloading (downfile) and uploading (upfile) files, retrieving the hostname, renewing the digital certificates installed on the host, creating a new process (execfile), deleting a file path (deletefile), checking the internet connection, and more.
Researchers did not observe any MitM attacks, but as noted above, Reductor can install digital certificates and mark the targets’ TLS traffic, enabling subsequent traffic manipulation.
Indicator of Compromise