Two of the most popular browsers are Google Chrome and Mozilla Firefox. Exploiting that popularity, a Russian group known by the handle Turla has been attempting to track the encrypted traffic of both browsers. With targets identified in Russia and Belarus, they do so by compromising systems with a remote access trojan (RAT) that stealthily modifies the browsers.
These trojans are believed to be downloaded from both legitimate sites and sites that distribute pirated software. It is interesting to note, however, that the websites never actually hosted any malicious files in the first place. Instead, when the user initiated a legitimate download, the files were modified in transit, because the connection ran over plain HTTP, which makes such tampering all the easier.
Yet another question arises here: how could they sniff all that traffic? To do so, they must have compromised an Internet Service Provider (ISP), which, given that the group is suspected of being supported by the Russian government, is no great feat. On top of this, it is on record that Turla has compromised several ISPs in the past.
Once a system is infected, they install their own digital certificates. Then, having analysed the code of both browsers, they patch the pseudo-random number generation function in memory so that it embeds unique hardware- and software-based identifiers, allowing them to follow the victim's footsteps all over the internet, as shown in the code snippets above.
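From a defender's side, a PRNG patched to carry a host identifier shows up as a browser whose TLS ClientHello "random" field is no longer random: some byte positions stay constant from connection to connection. The following Python is an added example, not code from the original article or from Kaspersky's analysis, that parses the random out of raw ClientHello records and flags clients whose randoms share fixed bytes. It assumes captured handshake records have already been grouped per client address, and the 4-byte tag layout in the constructed sample is a hypothetical stand-in, not the actual Reductor encoding.

```python
"""Flag TLS clients whose ClientHello 'random' field carries fixed bytes.
Added example with constructed sample traffic; not Reductor's code."""
import random
from collections import defaultdict

# record header (5) + handshake header (4) + client_version (2) precede 'random'
RANDOM_OFFSET = 5 + 4 + 2
RANDOM_LEN = 32


def client_random(record: bytes) -> bytes:
    """Extract the 32-byte random from a raw TLS ClientHello record.
    Raises ValueError when the bytes are not a ClientHello."""
    if len(record) < RANDOM_OFFSET + RANDOM_LEN:
        raise ValueError("record too short")
    if record[0] != 0x16:            # ContentType: handshake
        raise ValueError("not a handshake record")
    if record[5] != 0x01:            # HandshakeType: client_hello
        raise ValueError("not a ClientHello")
    return record[RANDOM_OFFSET:RANDOM_OFFSET + RANDOM_LEN]


def constant_positions(randoms, min_samples=3):
    """Byte offsets (0..31) whose value never changes across the given
    randoms. With min_samples=3 the chance of a genuinely random client
    producing one such offset by accident is about 32/65536."""
    if len(randoms) < min_samples:
        return []
    return [i for i in range(RANDOM_LEN) if len({r[i] for r in randoms}) == 1]


def flag_clients(records_by_client, min_samples=3):
    """Map client -> list of constant byte offsets, for clients that have any."""
    findings = {}
    for client, records in records_by_client.items():
        randoms = [client_random(rec) for rec in records]
        positions = constant_positions(randoms, min_samples)
        if positions:
            findings[client] = positions
    return findings


def build_client_hello(rand32: bytes) -> bytes:
    """Minimal ClientHello wrapper (constructed; only the fields up to
    'random' matter to the detector above)."""
    body = (b"\x03\x03" + rand32      # client_version TLS 1.2, random
            + b"\x00"                 # empty session id
            + b"\x00\x02\x13\x01"     # one cipher suite
            + b"\x01\x00")            # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def sample_capture():
    """Constructed capture: two clean clients and one (10.0.0.7) whose
    randoms carry a fixed 4-byte tag at offsets 0-3 and 28-31, a
    hypothetical stand-in for an injected host identifier."""
    rng = random.Random(2019)         # seeded so the sample is reproducible
    tag = b"\xde\xad\xbe\xef"
    capture = defaultdict(list)
    for _ in range(5):
        capture["10.0.0.5"].append(build_client_hello(rng.randbytes(32)))
        capture["10.0.0.6"].append(build_client_hello(rng.randbytes(32)))
        capture["10.0.0.7"].append(
            build_client_hello(tag + rng.randbytes(24) + tag))
    return capture


if __name__ == "__main__":
    for client, positions in flag_clients(sample_capture()).items():
        print(f"{client}: fixed bytes at offsets {positions}")
```

Run against the constructed capture it reports only 10.0.0.7, with offsets 0-3 and 28-31 fixed. In a real deployment the records would come from a packet capture or a TLS-aware sensor; raising `min_samples` lowers the false-positive rate further at the cost of needing more connections per client before a verdict.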
The malware has been named Reductor and is believed to be a successor of the COMpfun trojan, which was discovered in 2014 by Kaspersky Security. Elaborating, they explain "that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, we're quite sure the new malware was developed by the COMpfun authors."
What makes this attack so remarkable is the capability they have demonstrated to infect files on the fly, something that "places the actor in a very exclusive club". To offer a word of advice: stop downloading files over HTTP, and you may just be spared.
This, however, is not the first time Chrome and Firefox have both been targeted in a single attack. Last year, the Vega Stealer malware was caught stealing saved passwords and credit/debit card data from Chrome and Firefox users.
In another incident, cyber criminals used fake Chrome and Firefox browser updates to infect the computers of unsuspecting Windows users with malware and steal banking/payment card credentials.