Rewterz Threat Alert – Reductor Infects Files on the Fly to Compromise TLS Traffic

Friday, October 4, 2019

Severity

Medium

Analysis Summary

Besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers. Reductor has been linked to the Turla APT based on victimology. It spreads in two ways: through infected distributions of popular software (Internet Download Manager, WinRAR, etc.; for at least one victim, the infected installer was served by a popular warez website over HTTP), or through its decryptor/dropper being fetched by COMpfun, which can download files onto hosts it has already infected.

The malware adds digital certificates from its data section to the target host and allows the operators to add further certificates remotely through a named pipe. The most ingenious part is how Reductor’s developers mark TLS traffic: they do not touch the network packets at all. Instead, they analyzed the Firefox source code and the Chrome binary code to patch the corresponding pseudo-random number generator (PRNG) functions in the browser process’s memory.

In the first scenario, the attackers use infected software installers that bundle 32- and 64-bit versions of Reductor. These installers may be for popular tools such as Internet Download Manager, Office Activator, etc. In the second scenario, the targets are already infected with the COMpfun Trojan, which uses a COM CLSID for persistence. Once inside the browser’s address space, the Trojan can receive a command to download additional modules from the C2; as a result, the target’s browser downloads Reductor’s custom dropper-decryptor.

Reductor samples hold DER-encoded root X.509v3 certificates in their .data section, which they install on the target hosts.

Impact

Data Manipulation

Indicators of Compromise

IP(s) / Hostname(s)

  • compfun[.]net
  • adstat[.]pw
  • bill-tat[.]pw

Malware Hash (MD5/SHA1/SHA256)

  • 7911F8D717DC9D7A78D99E687A12D7AD
  • 4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1
  • e49666f7882f299c2845c7e31e3d842a387ef10d

Remediation

  • Block the threat indicators at their respective controls.
  • Keep software like IDM and WinRAR updated to the latest patched versions.
  • Do not download software from untrusted sources.
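As an added example (not part of the original alert and not Rewterz code): a small Python hunt that refangs the indicators listed above and matches them against proxy log lines and against file hashes reported by an EDR or AV console. Subdomains of an IOC domain count as hits while lookalikes such as notadstat.pw do not; the log lines and the reported hashes are constructed sample data.

```python
# Indicators from the alert above, exactly as published (domains defanged).
DOMAIN_IOCS = ["compfun[.]net", "adstat[.]pw", "bill-tat[.]pw"]
HASH_IOCS = [
    "7911F8D717DC9D7A78D99E687A12D7AD",
    "4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1",
    "e49666f7882f299c2845c7e31e3d842a387ef10d",
]

def refang(indicator):
    """Turn a defanged indicator such as 'adstat[.]pw' back into 'adstat.pw'."""
    return indicator.replace("[.]", ".").lower()

def hash_kind(digest):
    """Classify a hex digest by length; the alert lists MD5, SHA1 and SHA256."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest), "unknown")

def host_matches(host, ioc_domain):
    """True for the IOC domain itself and any subdomain, never for a lookalike."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)

# Constructed proxy-style log lines: timestamp, client IP, destination host, verb, path.
SAMPLE_LOG = """\
2019-10-04T09:12:01Z 10.0.0.12 update.compfun.net GET /x
2019-10-04T09:12:05Z 10.0.0.12 www.example.com GET /
2019-10-04T09:13:44Z 10.0.0.33 ADSTAT.PW. POST /s
2019-10-04T09:14:02Z 10.0.0.33 notadstat.pw GET /
"""

def scan_proxy_log(text):
    """Return (timestamp, client, host, matched_ioc) for every line that hits an IOC."""
    domains = [refang(d) for d in DOMAIN_IOCS]
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        ts, client, host = parts[:3]
        for d in domains:
            if host_matches(host, d):
                hits.append((ts, client, host.lower().rstrip("."), d))
    return hits

def check_hashes(reported):
    """reported: hex digests in any case; returns (digest, kind) for each IOC match."""
    wanted = {h.lower(): hash_kind(h) for h in HASH_IOCS}
    return [(h.lower(), wanted[h.lower()]) for h in reported if h.lower() in wanted]
```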

Copyright © Rewterz. All rights reserved.