New Reductor Nation-State Malware Compromises TLS

Kaspersky has a detailed blog post about a new piece of sophisticated malware that it's calling Reductor. The malware is able to compromise TLS traffic by infecting the computer with hacked TLS engine substituted on the fly, "marking" infected TLS handshakes by compromising the underlining random-number generator, and adding new digital certificates. The result is that the attacker can identify, intercept, and decrypt TLS traffic from the infected computer.

The Kaspersky Attribution Engine shows strong code similarities between this family and the COMPfun Trojan. Moreover, further research showed that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, we're quite sure the new malware was developed by the COMPfun authors.

The COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didn't identify which actor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active at the time of writing (August 2019). We identified targets in Russia and Belarus.

[...]

Turla has in the past shown many innovative ways to accomplish its goals, such as using hijacked satellite infrastructure. This time, if we're right that Turla is the actor behind this new wave of attacks, then with Reductor it has implemented a very interesting way to mark a host's encrypted TLS traffic by patching the browser without parsing network packets. The victimology for this new campaign aligns with previous Turla interests.

We didn't observe any MitM functionality in the analyzed malware samples. However, Reductor is able to install digital certificates and mark the targets' TLS traffic. It uses infected installers for initial infection through HTTP downloads from warez websites. The fact the original files on these sites are not infected also points to evidence of subsequent traffic manipulation.

The attribution chain from Reductor to COMPfun to Turla is thin. Speculation is that the attacker behind all of this is Russia.

Posted on October 10, 2019 at 1:49 PM • 19 Comments

Comments

IsmarOctober 10, 2019 3:32 PM

“The solution that Reductor’s developers found to mark TLS traffic is the most ingenious part. They don’t touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation (PRNG) functions in the process’s memory.”

Ok, to me this reads as some sort of code injection into the browser process . The question I have is how is this possible/ allowed without having admin rights on the machine where the browser is running?

SpaceLifeFormOctober 10, 2019 3:46 PM

It is a Windows attack.

Seriously, if you use Windows, you are low hanging fruit.

Just. Don't.

Clive RobinsonOctober 10, 2019 4:30 PM

@ Ismar,

The question I have is how is this possible/ allowed without having admin rights on the machine where the browser is running?

Kaspersky say,

    We registered two initial infection schemes: Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts.

Which suggests the users are doing it to themselves in some way via infected downloads. Thus it's in part a "chain of trust" issue...

But there are other ways these days that don't require getting privileged code onto a system.

Ever hear of a "reach around attack"? Overly simply the CPU level of the computing stack is where security happens. Even though lower level hardware such as the MMU and DMA do the heavy lift of such security they only checks direct read and write functions that go through them. Thus any modification to memory via another route/mechanism will not be detected.

The problem with this lack of detection is the information used to set the lower level security mechanisms up is read by the CPU from memory then coppied into those devices. Thus anything that can manipulate core memory without triggering the hardware can change it's privilege and other security attributes.

Such memory can be altered in various ways, one is through the IO device drivers and hardware, and hardware failings is another way.

RowHammer might be long in the tooth but it can give you an idea of how an unprivileged process by rapidly writing to memory addresses that have a corelation to say the Page Table addresses that are privileged can be changed. The unprivileged process is not writing directly to privileged memory, it is simply using a fault in the way the DRAM has been designed to get bits in other memory addresses to flip.

In effect RowHammer "reached around" not just the CPU but MMU and other hardware security mechanisms.

Thus whilst a process might be unprivileged it could become privileged or do other tricks, and software will be insufficient to guaranty that such attacks fail, likewise the hardware security mechanisms.

The main point people should take away is that "core memory" is vulnerable in various ways. Thus security configuration information should not be kept in core memory.

The problem, all the general use CPU's currently only have core memory...

I guess we are going to have to wait a little while for the full details to come out, but I'm guessing on a software fault first.

Clive RobinsonOctober 10, 2019 5:02 PM

@ SpaceLifeForm,

Seriously, if you use Windows, you are low hanging fruit.

The problem is that with commodity OS's including Linux, low hanging fruit is not as relevent as it was a few decades ago. That is Microsoft, Apple and GNU/Linux all have a sufficient market share to be a "target rich environment"

For the idea that protection on the low hanging fruit principle can be a consideration the OS needs to be rare enough that the potential ROI for Cyber-criminal type attackers is too small to profit by. However that most certainly not apply if the attack is "state level" or above funded and used for targeted attacks against "persons of interest".

As I've indicated in the past if you want even moderate privacy or minimal security then you need to take the security end point off of the computer used for communications.

I know people don't want to hear that, but that is the way the world has gone.

Even the old option of using a CD/DVD image from the front of a magazine to boot the entire OS into RAM fresh each time is nolonger going to work if you are a person of interest...

What we realy need is computers designed along the EmSec Segregation ideas. For instance if this random number generator for TLS was in an independent device using appropriate segregation then this attack would probably need to be re-thought out.

From the privacy let alone security asspect our computers are nolonger "fit for purpose". Not that it's in any Government or Corporations interest to come out with more secure hardware. After all they both want to snoop on your every keyboard and mouse click...

RealFakeNewsOctober 10, 2019 5:55 PM

Is it me or is the real point of this article "attribution"?

The people were targeted; whoever attacked them had sufficient access to manipulate their connections up-stream, and can presumably even control packet routing (though I don't see it mentioned) in order to filter out the compromised TLS packets of interest, (again) presumably through a limited set of gateways the attackers control.

I think the compromise of the web browser is trivial to what went on here.

What was the target? Presumably sensitive information contained on a web site that is much harder to break.

If they're infecting downloads from a piracy website, presumably the target is far more valuable than to simply apprehend for copyright infringement.

Lots of "presumably" here.

What was so important they needed this level of attack? Secure remote e-mail?

Surely these people would be aware they might be a target by the state?

Something stinks about the whole thing. Why worry about attribution when they're being so vague on the why? They obviously know but refuse to say.

FUD is useless.

Unplug your important systems from the 'net. When will peole get the memo?

Clive RobinsonOctober 10, 2019 6:54 PM

@ All,

If you read the R article you get two rather different outlook paragraphs,

    “It is sophisticated malware that’s linked to other Russian exploits, uses encryption and targets western governments. It has Russian paw prints all over it,” said Jim Lewis, a former U.S. foreign service officer, now senior fellow at the Center for Strategic and International Studies in Washington.
    However, security experts caution that while the case for saying Turla looks Russian may be strong, it is impossible to confirm those suspicions unless Moscow claims responsibility. Developers often use techniques to cloud their identity.

The first from what appears to be a Washington Insider is quite gung-ho. Whilst the second from what appears to be independent security researchers is more restrained.

It suggests that security researchers are growing up and coming out from under the political shadow of various government agencies. Which actually looks promising as it suggests "investigator led" not "inteligence led" is starting to come to the fore which kind of makes it less likely that certain Governments will go to "Kinetic Response".

My prefrence would be that such investigations to follow civil/police processes that lead to criminal sanctions against those who are probably guilty, rather than military type "target selection" processes that will lead to collateral damage, thus political fall out and potential military response and escalation.

Especially when you consider the number of times a group of supposed mountain goat herders out witted US military intelligence. Thereby deliberatly caused drone strikes on civilian populations. Causing in turn further collateral damage that was highly embarrassing to various political leaders in the west.

BobOctober 11, 2019 1:27 PM

@SpaceLifeForm

Sure thing. I'll have all the accountants, lawyers, and administrative assistants here on Linux in no time. Any thoughts on what I should tell them when none of their industry-specific software works on their new systems?

SpaceLifeFormOctober 11, 2019 3:49 PM

@Bob

Excellent point.

But, this attack goes thru lsass.exe of which so many attacks do.

I've been trying to get people off of Windows for 20 years.

But, they can't. The user always seems to be locked in to at least one application that only runs on Windows.

@Clive is correct, it's not just a Windows issue.

But, if Microsoft were to open source Windows, a lot of holes would be found.

But, they will not.

Clive RobinsonOctober 11, 2019 5:55 PM

@ SpaceLifeForm,

But, if Microsoft were to open source Windows, a lot of holes would be found.

They kind of did...

If you remember back to the NT4/5 days both the Chinese and Russian governments forced MicroSoft to give them the source code... Microsoft made a business decision and signed up to doing that without a blink...

I have no idea if either government went through the source looking for vulnerabilities to make exploits or not. The point is Microsoft like many corporates takes a very very short term profit view and security etc realy does not get a look in on that.

The "take away" lesson is,

    All consumer / commodity OS's from the US and other Western Nations realy are "Open Source" if you have the leverage

I kind of mention this from time to time, and as others have noted, many who develope exploits don't bother with the "source code" as that is not the way they groove.

It is actually not hard to see why, these days as most potential attack vectors are not "basic code errors" any more but functional / business logic, protocol or standard errors. You can find these with the likes of automated fuzzing tools faster than reading through lots of high level source code.

MichealOctober 12, 2019 4:13 AM

I like it is actually not hard to see why, these days as most potential attack vectors are not "basic code errors" any more but functional / business logic, protocol or standard errors. You can find these with the likes of automated fuzzing tools faster than reading through lots of high level source code.

Cesar T. SimsOctober 14, 2019 2:34 AM

We called these new modules ‘Reductor’ after a .pdb path left in some samples. Besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers.
Track Jacket

meOctober 15, 2019 5:51 AM

@Ismar
> The question I have is how is this possible/ allowed without having admin rights on the machine where the browser is running?

It's possible, perfectly normal and windows give you functions to do so, you need two steps:
1- first you call windows api "OpenProcess" (https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess)

2- then you call "WritePRocessMemory" (https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory) to write what you want.

open process is kind of asking permission to do things with other processes: kill, pause, edit memory, getting info...
open process will work always, it fails only if a not admin process try to open an admin one but if both have same privileges it will work.

write process memory, well as the name say it can write to ram of other processes.
combined with the read it's commonly used for example by cheaters in games to change number of lives, antivirus or anticheat to inspect other programs...
or virus to mess with your pc.

meOctober 15, 2019 6:02 AM

@Clive Robinson @all
there is no need to use some complex method like rowhammer, windows gives you the functions to edit memory.
if someone is interested i could make a working proof of concept that patch random number generator used by minesweeper windows game so that mines are placed all up in line so you one click win.

Chris DrakeOctober 15, 2019 5:43 PM

Is this a hoax? TLS does not work that way.

a) Both sides participate in the session key creation - a compromise at just one side doesn't break that.

b) The client verifies the certificate - a server making changes to that is still going to need to do those in a way that doesn't trip the client warnings (e.g. site matching, valid signature from a legit CA, etc)

Clive RobinsonOctober 15, 2019 11:02 PM

@ me,

there is no need to use some complex method like rowhammer, windows gives you the functions to edit memory.

Not with Microsoft[1], but for some other OS's you do.

But the point I was making is that there is no way you can actually stop someone with even limited access escalating their privileges due to failings well below the ISA level in the computing stack, due to hardware failings.

These hardware failings have been around for maybe a third of a century one way or another, and it's realy only recently people have got around to exploiting them.

The myth used to be that,

    If they have front panel access...

Which caused an "inverted thinking" issue in quite a few peoples security thinking, that boiled down to "if we can just keep them away from the front panel...". Which is just not true, hence my oft said bit about "gapping computers" not just the old "air gap" but with "energy-gapping" and properly mandated and instrumented crossing choke points.

What we don't know is if the likes of the NSA's tailored access bods have been exploiting low level hardware and if so for how long. All we realy know is that in the past they had a prefrence for going after routers and other non user systems, simply because it was more covert.

What we have some reason to believe[2] is that both the Dutch and Israeli SigInt entities have no qualms going onto user systems to effectively gather the nearst thing they can to HumInt, which they can only reliably do with some form of privilege elevation.

[1] Continuously kicking Microsoft, even though they right royaly deserve it, is a little like kicking a tin can down the road, it makes a lot of noise upsets some people and eventually you get bored with doing it...

[2] We have some reason to believe it because not only do we know it's possible to do, but US politicians "flapped their gums" and in effect "burned" the method. Because, like a number of usefull ideas "it's obvious with hindsight" so I would expect some of the more worldly wise level three attackers to "take it on board", and make the easy countermeasures.

WeatherOctober 16, 2019 1:39 PM

@Chris Drake
There was a ssh exploit in the part were it runs the encryption routine.
If you sent a certain cipher text, when ssh did a function all the key turned to 0x00.
It could do something like that.

EvilKiruOctober 16, 2019 2:33 PM

@Chris Drake, @Weather:

All you need to read TLS traffic is a man-in-the-middle exploit, like the traffic appliances that many companies and some ISPs use that allows them to intercept, sniff, and alter TLS traffic that originates from within their network.

WeatherOctober 16, 2019 3:13 PM

@EvilKiru
Yes but I'm shore they are running ssh, or if you don't have that physical access, it is still possible.

judyNovember 9, 2019 12:54 AM

This is something that is very interesting that is being shared here, I would like to introduce my self as a fashion designer at an online store. This is my latest product that is The Hateful Eight Coat have a look once

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.