#1280214: Hackers Patch Web Browsers to Track Encrypted Traffic

Description: Researchers have found a new piece of malware, likely from an advanced threat group, that patches the Chrome and Firefox browsers so that the encrypted traffic from a victim's computer can be identified.

The threat also installs Transport Layer Security (TLS) certificates on the victim host, which help carry out man-in-the-middle (MitM) attacks on encrypted traffic.

Modifying browsers' PRNG functions
Named Reductor, the threat was spotted in a campaign at the end of April that continued at least until August. Apart from TLS traffic manipulation, it comes with the typical assortment of remote access functions - upload, download, and execute files.

The interesting part is the actor's solution for marking the encrypted traffic of interest: they studied the code of Mozilla Firefox and Google Chrome and patched their pseudo-random number generator (PRNG) functions.

The PRNG function is used in browsers to generate the random sequence of bytes sent at the beginning of the initial handshake, when the encrypted connection is negotiated with the server.

Reductor modifies the browsers' PRNG code to embed hardware- and software-based identifiers that are unique to each victim. This way, the actor can follow encrypted traffic from a compromised host across the web.

"That places the actor in a very exclusive club, with capabilities that few other actors in the world have," say security researchers from Kaspersky.

To preserve the pseudo-random appearance of the PRNG output, Reductor derives the first four-byte hash (cert_hash) from the certificates it drops on the victim's computer, XORing them repeatedly. The second four-byte hash (hwid_hash) is built from hardware properties of the system: SMBIOS date and version, Video BIOS date and version, and the hard drive volume ID.

"The latter three fields are encrypted using the first four bytes – initial PRN XOR key. At every round, the XOR key changes with the MUL 0x48C27395 MOD 0x7FFFFFFF algorithm. As a result, the bytes remain pseudo random, but with the unique host ID encrypted inside."
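As an added example (not code from the page or from Kaspersky's analysis), the quoted key schedule and a decoder a defender can run over a captured 32-byte TLS client random to unmask the host-ID words behind the cleartext cert_hash; the 4-byte little-endian word layout, the number of masked fields and all sample values are assumptions.

```python
import struct

# Constants quoted on the page: MUL 0x48C27395 MOD 0x7FFFFFFF.
# 0x48C27395 == 5**13 and 0x7FFFFFFF == 2**31 - 1, the multiplier and modulus of the
# classic Lehmer generator, so the "random" bytes are a deterministic function of the key.
MUL = 0x48C27395
MOD = 0x7FFFFFFF
MASKED_FIELDS = 3           # "the latter three fields" that follow the 4-byte key
WORD = struct.Struct("<I")  # 4-byte little-endian words: an assumed layout


def next_key(key: int) -> int:
    """One round of the quoted key schedule: key = key * MUL mod MOD."""
    return (key * MUL) % MOD


def xor_fields(key: int, fields: list[int]) -> list[int]:
    """XOR each field with the evolving key. XOR is an involution, so the same
    routine masks cleartext fields and unmasks captured ones."""
    out = []
    for f in fields:
        key = next_key(key)
        out.append((f ^ key) & 0xFFFFFFFF)
    return out


def build_marker(cert_hash: int, fields: list[int]) -> bytes:
    """16-byte prefix: cert_hash in the clear, then the masked fields. Used here
    only to construct a sample that the decoder can be checked against."""
    return b"".join(WORD.pack(w) for w in [cert_hash, *xor_fields(cert_hash, fields)])


def unmask_prefix(client_random: bytes) -> tuple[int, list[int]]:
    """Read word 0 of a captured 32-byte client random as the initial key and
    recover the fields masked behind it: (cert_hash, [hwid_hash, field2, field3])."""
    if len(client_random) != 32:
        raise ValueError("a TLS client random is 32 bytes")
    n = 1 + MASKED_FIELDS
    words = list(struct.unpack(f"<{n}I", client_random[: 4 * n]))
    return words[0], xor_fields(words[0], words[1:])


# Constructed sample (not real Reductor output): made-up cert_hash and host-ID words,
# with the remaining 16 bytes filled by a fixed pattern standing in for real randomness.
SAMPLE_FIELDS = [0xDEADBEEF, 0x01020304, 0x0A0B0C0D]
SAMPLE_RANDOM = build_marker(0x11223344, SAMPLE_FIELDS) + bytes(range(16))

if __name__ == "__main__":
    print("marked random:", SAMPLE_RANDOM.hex())
    print("unmasked:", unmask_prefix(SAMPLE_RANDOM))
```

Anyone who knows the schedule and can read the cleartext first word can recover the embedded identifiers from passively observed handshakes, which is what makes the marker usable for tracking and also what lets an analyst confirm a marked host from a capture.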

Reductor does not run a MitM attack itself, but the installed certificates help with this objective and with replacing a legitimate installer with a malicious variant "on the fly."

This theory was confirmed when the researchers found that the installers at the source were not tainted, yet the victim received a compromised version.

Certificate SHA1 fingerprint               CA for root cert   Valid till (GMT)
119B2BE9C17D8C7C5AB0FA1A17AAF69082BAB21D   ie-paypal          2031.11.17 22:56:10
546F7A565920AEB0021A1D05525FF0B3DF51D020   GeoTrust Rsa CA    2031.11.17 22:56:10
959EB6C7F45B7C5C761D5B758E65D9EF7EA20CF3   GeoTrust Rsa CA    2031.11.17 22:56:10
992BACE0BC815E43626D59D790CEF50907C6EA9B   VeriSign, Inc.     2031.11.17 22:56:10

The analysis is based on the behavior of the client; the researchers had no visibility into what happened on the server side.

In their investigation, Kaspersky analysts found that Reductor has "strong code similarities" with COMPfun, a trojan from 2014 that they believe is linked to the Turla APT group. This connection, though, is based only on the victimology.
More info: https://www.bleepingcomputer.com/news/security/hackers-patch-web-browsers-to-track-encrypted-traffic/

Date added: Oct. 9, 2019, 10:42 a.m.
Source: Bleeping Computer
  • APTs - Advanced Persistent Threats - New Reports in
  • APTs - Russia - New Reports in
  • Info on - SSH, SSL, TLS, STunnel etc.
  • Man in the Middle Attack (MitM)
  • Russia - KopiLuwak / JS/KopiLuwak JavaScript backdoor - Turla
  • Russia - Reductor / COMpFun Malware - Possibly Turla APT Group
  • Russia - Uroburos / Turla / Snake / Venomous Bear / Waterbug / Epic / Oroboros / Tavdig / Neuron / LightNeuron / Nautilus