Researchers have discovered new malware that hijacks victims’ interactions with HTTPS web pages by patching the browser’s pseudo-random number generator. The random numbers it produces are used when an encrypted, secure connection is established. Controlling them lets the attackers spy on the user’s browser activity and also install rogue digital certificates.
The ‘’S’’ in HTTPS stands for secure, and it implies that information exchanged between a browser and a website is not reachable by third parties, but there are still several ways in which a skilled, high-profile hacking group can interfere with this process.
Reductor is a tool designed for exactly such interference and was used in cyberespionage operations, mainly against diplomatic entities in CIS countries. Reductor fundamentally monitors employees’ internet traffic. The modules found had Remote Administration Tool (RAT) functions, and the malware’s capabilities were largely unlimited.
This raises the questions: what makes Reductor so clever? How were the attackers able to install the malware on the targeted systems? And how did they manage to avoid the HTTPS protections? The remainder of this post answers all of these questions.
How is the attack carried out?
Reductor’s distributors have two primary attack vectors. One consists of downloading modules through the COMPfun malware, which was previously attributed to a Russian-speaking threat actor. The other vector is trickier: the attacker patches clean software on the fly while it is being downloaded from legitimate websites to users’ systems.
The software installers came from warez sites, which provide free downloads of pirated software. The original installers hosted on those sites are not infected, yet the copies that end up on the victim’s system carry the malware. Researchers concluded that the replacement happens on the fly and that Reductor’s operators have some control over the target’s network channel.
Once Reductor has found its way onto the victim’s device, it manipulates the installed digital certificates and patches the browser’s pseudo-random number generator, which is used to encrypt the traffic flowing from the user to HTTPS websites.
To recognise victims whose traffic is hijacked, the criminals derive a unique identifier from each victim’s hardware and software and embed it as specific values in the now not-so-random number generator. Once the browser on the infected device has been patched, the threat actor can observe every action and all information that passes through the browser. Throughout this process the victim remains unaware of anything that is happening.
The researchers said they had never before seen malware developers interacting with browser encryption in this way. The technique allowed the attackers to stay well under the radar for a long time. Moreover, the sophistication of the attack method shows that the developers of the Reductor malware are highly skilled professionals.
The security experts note, however, that they could not find any technical clues linking this malware to any known threat actor. They have alerted all organisations that deal with sensitive data and warned them to carry out regular security checks.
What happens after infection?
After a system is infected, Reductor moves on to surveil its internet communications. It does this by patching the browser’s pseudo-random number generator, which is used to encrypt the traffic between the user’s browser and a website over HTTPS. In other words, instead of attempting to manipulate the network packets themselves, the adversaries target the Chrome and Firefox browsers and their pseudo-random number generation functions.
The researchers put it this way: the attackers don’t touch the network packets at all; instead, the developers studied the Firefox source code and the Chrome binary code in order to patch the corresponding pseudo-random number generation functions in process memory.
Pseudo-random number generation (PRNG) is used throughout cryptography. It is used when a secure HTTPS connection is set up between a client and a server, that is, between a browser and a website. While the browser and the website negotiate the TLS handshake, the random number generator produces a random value, known as the pre-master secret, from which the connection’s keys are derived. That value must be unpredictable for the connection to be secure.
Making the random predictable
This is the point where Reductor steps in and turns the unpredictable into the predictable. To manipulate the targeted system’s PRNG functions, the malware’s creators use a small embedded Intel instruction-length disassembler as part of the attack sequence. By doing so, they place a small victim ID inside the TLS packet.
The unique ID that Reductor includes in the handshake of each TLS session identifies the origin of the session on the wire, while the adding and removing of root certificates allows the intercepted communications to be decrypted. In other words, the group is interested in stealthy access to all encrypted communications: authentication, content, credentials and, most importantly, highly sensitive information.
Moreover, this wide variety of cryptography-library function patches and TLS marking, together with the ability to read and modify root certificates in order to maintain persistent access, points to an attempt to facilitate TLS MitM attacks.
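A defender cannot see the patched PRNG directly, but the effect described above, a per-victim stamp that recurs inside the ClientHello random of every TLS session from one host, is observable on the wire. The following added example (not code from the original post or from the Reductor research) parses the 32-byte random out of constructed TLS 1.2 ClientHello records and flags byte positions that never change across a host’s sessions; the marker value and its position are made up for illustration, not Reductor’s real layout.

```python
import random

# Constructed per-victim stamp used only by this example (not Reductor's real marker layout).
VICTIM_MARKER = b"\xde\xad\xbe\xef"

def build_client_hello(client_random):
    """Wrap a 32-byte random in a minimal TLS 1.2 ClientHello record (constructed sample)."""
    body = (b"\x03\x03" + client_random      # client_version, then the 32-byte random
            + b"\x00"                       # session_id length 0
            + b"\x00\x02\xc0\x2f"           # one cipher suite
            + b"\x01\x00")                  # one compression method (null)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def extract_client_random(record):
    """Parse record and handshake headers and return the ClientHello random field."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 34:
        raise ValueError("truncated ClientHello")
    return body[2:34]                       # skip client_version, take 32 bytes

def find_fixed_random_bytes(records, min_sessions=4):
    """Positions of client_random that never change across a host's sessions.
    With a healthy PRNG no position stays constant once a handful of handshakes
    is seen; a patched PRNG that stamps a victim ID leaves a fixed run of bytes.
    Caveat: old TLS stacks put a timestamp in bytes 0-3, so weigh those lower."""
    randoms = [extract_client_random(r) for r in records]
    if len(randoms) < min_sessions:
        return []
    return [pos for pos in range(32) if len({r[pos] for r in randoms}) == 1]

def make_samples(marked, n=6, seed=1234):
    """Constructed ClientHellos from one host; marked=True stamps bytes 8-11."""
    rng = random.Random(seed)               # seeded stand-in for the browser's PRNG
    out = []
    for _ in range(n):
        r = bytearray(rng.getrandbits(8) for _ in range(32))
        if marked:
            r[8:12] = VICTIM_MARKER
        out.append(build_client_hello(bytes(r)))
    return out
```

Run over real captures, the same check needs a per-host baseline of several sessions before a constant run of bytes means anything; a single handshake proves nothing either way.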
What should be done?
Cyber security statistics show that around 230,000 new malware samples appear every day. To avoid being affected by malware, it is recommended to follow the tips below:
● Perform regular security audits of the organisation’s IT infrastructure.
● Adopt proven security solutions equipped with web threat protection, which identify and block threats that try to use encrypted channels to slip into the system undetected.
● Adopt essential endpoint protection and implement a corporate-grade security solution that detects advanced threats at the network level at an early stage.
● Give the security operations centre team access to the latest threat intelligence so that they stay up to date with the new and emerging tools and techniques used by threat actors and cybercriminals.
● Conduct security awareness training sessions for staff so that they understand the risks associated with pirated software and can recognise it.
● According to phishing statistics, 48% of malicious emails carry work files. Don’t respond to any email you are suspicious of.
With cybersecurity threats ever increasing, it is essential to stick to the recommendations and advice given by experts and to follow them every day.