Rewterz Threat Alert – Reductor Infects Files on the Fly to Compromise TLS Traffic

Friday, October 4, 2019



Analysis Summary

Besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers. Reductor has been linked to Turla APT, based on the victimology. Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts.

The malware adds digital certificates from its data section to the target host and allows the operators to add additional certificates remotely through a named pipe. The solution that Reductor’s developers found to mark TLS traffic is the most ingenious part. They don’t touch the network packets at all; instead developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo random number generation (PRNG) functions in the process’s memory.

In the first scenario, the attackers use infected software installers with 32- and 64-bit versions of Reductor included. These installers may be for popular Internet Download Manager, Office Activator, etc. In the second scenario, the targets are already infected with the COMpfun Trojan, which uses COM CLSID for persistence. After getting into the browser’s address space, the Trojan can receive the command to download additional modules from the C2. As a result, the target’s browser downloaded Reductor’s custom dropper-decryptor.
Reductor samples hold DER-encoded root X509v3 certificates in the .data section to add on the target hosts.


Data Manipulation

Indicators of Compromise

IP(s) / Hostname(s)

  • compfun[.]net
  • adstat[.]pw
  • bill-tat[.]pw

Malware Hash (MD5/SHA1/SH256)

  • 7911F8D717DC9D7A78D99E687A12D7AD
  • 4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1
  • e49666f7882f299c2845c7e31e3d842a387ef10d


  • Block the threat indicators at their respective controls.
  • Keep software like IDM and WinRAR updated to the latest patched versions.
  • Do not download software from untrusted sources.

Data Sheets

Corporate Brochure

Our Story



Managed Security

Upcoming Rewterz Trainings/Events

Rewterz News

  • 10, January 2020 Rewterz Threat Advisory – CVE-2020-1600 – Juniper Networks Junos OS Denial of Service in the RPD daemon
  • 10, January 2020 Rewterz Threat Alert – Bank of America Phishing Campaign
  • 10, January 2020 Rewterz Threat Alert – LiquorBot Botnet
  • 10, January 2020 Rewterz Threat Advisory – CVE-2019-16005 – Cisco Webex Video Mesh Node Command Injection Vulnerability

Copyright © Rewterz. All rights reserved.