Security researchers at Kaspersky have identified a new strain of malware affecting Chrome and Firefox browsers. The researchers say the malware's authors "put a lot of effort" into how it manipulates digital certificates and mucks with outbound TLS traffic, which ultimately compromises encrypted communications.
"Analysis of the malware allowed us to confirm that the operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly. That places the actor in a very exclusive club, with capabilities that few other actors in the world have," Kaspersky says.
The malware allows an attacker to wreak havoc on a victim's PC remotely. On affected machines, a remote access trojan (RAT) called "Reductor" modifies both locally installed instances of Chrome and Firefox, altering how each one behaves. What's disturbing (or "impressive") about this malware is that it essentially fingerprints the victim, allowing the attacker to track a user, even when using HTTPS.
"Reductor adds its own ‘victim id’ inside TLS packets. The first four-byte hash (cert_hash) is built using all of Reductor’s digital certificates. For each of them, the hash’s initial value is the X509 version number. Then they are sequentially XORed with all four-byte values from the serial number. All the counted hashes are XOR-ed with each other to build the final one. The operators know this value for every victim, because it’s built using their digital certificates," Kaspersky explains.
There's a second four-byte hash as well, which is based on a victim's hardware properties, including SMBIOS date and version, video BIOS date and version, and hard drive volume ID.
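The cert_hash scheme described above is simple enough to reproduce, which matters for defenders: an analyst who has recovered the certificates Reductor installs on a host can compute the expected four-byte victim id and search captured TLS records for it. The Python below is an added example written for this article, not Kaspersky's tooling or code from the malware. It follows the quoted description (initial value is the X.509 version number, XOR in every four-byte value of the serial number, XOR the per-certificate hashes together) and fills in details the write-up does not state, all labelled as assumptions: four-byte words are read little-endian, a trailing short chunk is zero-padded, and the certificates themselves are constructed sample values rather than real ones. The second, hardware-based hash is not modelled because the article gives no algorithm for it.

```python
import struct

# Constructed sample certificates as (X.509 version number, serial number bytes).
# These are made-up values for demonstration, not certificates from the campaign.
SAMPLE_CERTS = [
    (2, bytes.fromhex("0a1b2c3d4e5f60718293a4b5")),
    (2, bytes.fromhex("deadbeef00112233")),
]


def cert_hash_one(version: int, serial: bytes) -> int:
    """Per-certificate hash as described: start from the X.509 version number,
    then XOR in each four-byte value taken from the serial number.
    Assumptions not stated in the write-up: words are little-endian and a
    trailing chunk shorter than four bytes is zero-padded."""
    h = version & 0xFFFFFFFF
    for i in range(0, len(serial), 4):
        chunk = serial[i:i + 4].ljust(4, b"\x00")
        h ^= struct.unpack("<I", chunk)[0]
    return h


def cert_hash(certs) -> int:
    """Final cert_hash: XOR all per-certificate hashes with each other."""
    h = 0
    for version, serial in certs:
        h ^= cert_hash_one(version, serial)
    return h


def find_id_offsets(data: bytes, victim_id: int) -> list:
    """Return every offset at which the four-byte id (little-endian, assumed)
    appears in a captured record. A lone four-byte match is a weak signal;
    correlate it with the certificates actually present on the host."""
    needle = struct.pack("<I", victim_id)
    offsets, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def build_sample_record(victim_id: int) -> bytes:
    """Constructed stand-in for a TLS record carrying the id, used only so the
    detector can be exercised offline; this is not real Reductor traffic."""
    header = bytes.fromhex("160301")   # TLS handshake record type and version
    filler = b"\x00" * 13              # placeholder bytes before the id
    return header + filler + struct.pack("<I", victim_id) + b"\x01\x02\x03"


if __name__ == "__main__":
    vid = cert_hash(SAMPLE_CERTS)
    record = build_sample_record(vid)
    print(f"expected victim id: {vid:#010x}")
    print("id found at offsets:", find_id_offsets(record, vid))
```

Because the final value is an XOR of per-certificate hashes, the order in which certificates are enumerated does not change it, so a detector only needs the set of certificates, not the sequence in which the malware installed them. The byte order and padding choices should be replaced with whatever the actual sample does before this is used against real captures.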
Kaspersky believes a Russian hacking organization known as Turla is behind this sophisticated scheme. In the past, Turla has demonstrated "many innovative ways" of accomplishing its hacking goals, like using hijacked satellite infrastructure.
Interestingly, it is not entirely clear what Turla's end goal is with this new malware. After all, if a system is already infected with a RAT, which is the first step in this case, altering a user's browsers to spy on them is redundant. One possible explanation that's been floated around is that this could be a safety net of sorts (for the hacker), in case a person removes the Reductor trojan from their PC.
Kaspersky says the current campaign using Reductor began at the end of April and has remained active ever since. However, it has only identified targets in Russia and Belarus so far.