Hackers are Tracing Encrypted Traffic Throughout the Web by Patching Browsers!

It is said that the hackers should never be underestimated. Recently, a new piece of malware was discovered by the researchers that can recognize the encrypted traffic from a victim’s system by patching browsers (Chrome and Firefox).

The threat assists in performing man-in-the-middle (MitM) attacks on encrypted traffic by adding to the Transport Layer Security (TLS) certificates of the victim host.

The threat in question is called Reductor and it was discovered in a campaign that probably ran from the end of April to around August. It also comes with a variety of remote access functions such as upload, download, and execute files.

The key to marking the encrypted traffic of concern deserves some explanation. The actors patched their pseudo-random number generator (PRNG) functions after properly analyzing the code in Mozilla Firefox and Google Chrome.

What the PRNG function basically does in browsers is that it produces a random number sequence at the starting of a packet for the initial handshake, while the server is dealing with the encrypted connection.

Reductor changes the browsers’ PRNG code to incorporate hardware and software-rooted identifiers that are unique for every target. Through this approach, encrypted traffic from a compromised host can be easily followed throughout the web.

Speaking about the technical aspect, Reductor maintains the pseudo-random nature of the PRNG by utilizing certificates (cert_hash) that are sent to the host’s system and continuously XORed for the initial four-byte hash. The hardware properties (hwid_hash) of the system are used for the creation of the next four-byte hash.

The initial PRN XOR key is used in the encryption of the latter three fields. With each passing round, the key changes with the MUL0x48C27395 MOD 0x7FFFFFFFalgorithm. This leads to the bytes staying pseudo random and at the same time, containing an encrypted unique host ID.

For those saying that Reductor conducts a MitM attack, it is not entirely true. The installed certificates assist in this task and switch the genuine installer with a malicious alternative on the spot.

The researchers confirmed the above-mentioned statement after finding that the installers at the source weren’t infected. However, the victim was provided a compromised version.

Additionally, it should be noted that as the researchers had no access to the activities transpiring on the server side, their analysis is solely based on the behavior of the client.

Kaspersky researchers also discovered that Reductor’s code strongly resembles that of COMPfun, a 2014 trojan rumored to be associated with the Turla APT group.

Read next: A new Technique used by hackers to hijack PCs to turn them into proxies
Previous Post Next Post