According to researchers, the Turla APT group is attacking networks with a new malware, called Reductor, that is considered a successor to COMpfun. The malware compromises the encrypted web traffic that the TLS protocol is meant to protect.
Reductor works as a RAT (remote access trojan): it can download and upload files and carry out various tasks on victims' networks, abusing digital certificates along the way.
As mentioned above, Reductor is considered a successor to COMpfun. Researchers have found strong similarities in the code of the two malware families and have also linked Reductor to the Turla APT group.
The Turla APT group is also known as Venomous Bear or Waterbug. Since about 2004 it has carried out some of the biggest attacks on government networks in Europe, North and South America, the Middle East, Central Asia and the Far East.
Reductor attacks began in late July. The attackers used various distribution channels, such as Internet Download Manager, WinRAR and well-known pirated-software (warez) sites, to spread the malware.
Compromising encrypted web traffic
The malware installs root X509v3 certificates on the victim's machine. It also opens a named pipe through which the attackers can add further certificates.
By analysing Firefox's source code and Chrome's binary code, the attackers were able to locate the browsers' pseudo-random number generator (PRNG) functions and take control of them.
Browsers use this PRNG to create the "client random" field of the TLS handshake, and Reductor manipulates the contents of that field.
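Since the text above says Reductor alters the "client random" field that the browser's PRNG normally fills, a defender's first question is how to pull that field out of captured traffic and flag values that do not look random. The following Python is an added example, not code from the article or from Kaspersky's report: it builds a minimal TLS 1.2 ClientHello around a constructed client random, parses the 32-byte field back out of the record, and applies two simple heuristics (Shannon entropy and longest repeated-byte run). The "marked" sample value is invented for the demonstration and does not reproduce Reductor's actual encoding, which the article does not describe.

```python
import math
import struct

# Constructed sample values for the demonstration (not real captures).
# A genuine client random is 32 bytes of PRNG output; this one has no repeated bytes.
GOOD_RANDOM = bytes.fromhex(
    "4f3a9c1e7b2d8a6f05e4c39b17d2a8e6f1b0c7d94e2a6b8f30c5d17e9a4b2f6c"
)
# Hypothetical "marked" value: a repeated tag, a zero run and an ASCII-like ID.
# Invented for the example; it is NOT Reductor's real marking scheme.
MARKED_RANDOM = b"\xaa\xbb\xcc\xdd" * 4 + b"\x00" * 8 + b"ABCD" * 2


def build_client_hello(client_random: bytes, session_id: bytes = b"") -> bytes:
    """Wrap a 32-byte client random in a minimal TLS 1.2 ClientHello record.

    Constructed for the example: a real browser also sends extensions
    (SNI, ALPN, supported groups, ...), which are omitted here.
    """
    if len(client_random) != 32:
        raise ValueError("client random must be exactly 32 bytes")
    # Two common suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 / ..._256_GCM_SHA384
    cipher_suites = struct.pack("!HH", 0xC02F, 0xC030)
    body = (
        b"\x03\x03"                                   # client_version = TLS 1.2
        + client_random                               # the field under discussion
        + bytes([len(session_id)]) + session_id       # session_id (empty here)
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                 # one compression method: null
        + b"\x00\x00"                                 # extensions length 0
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_client_random(record: bytes) -> bytes:
    """Parse a TLS record and return the 32-byte client random of its ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) < 2 + 32:
        raise ValueError("truncated ClientHello")
    return body[2:34]            # skip client_version, take the random field


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 32 distinct bytes give the maximum of 5.0."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 1
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def looks_structured(client_random: bytes, min_entropy: float = 3.5, max_run: int = 6) -> bool:
    """Heuristic: PRNG output should be near-maximal entropy with no long runs.

    Thresholds are example choices; tune them against your own traffic.
    """
    return shannon_entropy(client_random) < min_entropy or longest_run(client_random) >= max_run


def scan_record(record: bytes) -> dict:
    """Extract the client random from a record and report the heuristic verdict."""
    rnd = extract_client_random(record)
    return {
        "client_random": rnd.hex(),
        "entropy_bits": round(shannon_entropy(rnd), 3),
        "longest_run": longest_run(rnd),
        "suspicious": looks_structured(rnd),
    }


if __name__ == "__main__":
    for label, rnd in (("normal", GOOD_RANDOM), ("marked", MARKED_RANDOM)):
        print(label, scan_record(build_client_hello(rnd)))
```

On real captures, feed each client-to-server record that starts a TLS session to `scan_record` (for example, the first record of each flow extracted from a pcap) and alert on `suspicious` results, then confirm by checking the host's browser binaries and root certificate store. Older TLS stacks put a 4-byte timestamp at the start of the random field; with these thresholds that alone cannot trip the check, so the heuristic still applies to them.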
Kaspersky researchers said: “The malicious Reductor program does not run a man-in-the-middle (MitM) attack. However, our initial thought was that the certificates it installs could facilitate MitM attacks on TLS traffic, and that the ‘client random’ field, with a unique ID, would facilitate the attack.”
The researchers found that Reductor was delivered in two ways. The first was to execute the malicious program through Internet Download Manager and Office Activator.
The second was to use systems already infected with the COMpfun Trojan, so that the compromised host could receive further data from the command and control (C2) server.
The C2 server issues various commands that let the malware download and upload files, retrieve the host name, update the digital certificate, create new processes, delete files, check the Internet connection, and more.
The researchers did not observe man-in-the-middle attacks, but Reductor is able to install digital certificates on the target computer and affect the victims' online activity.