Turla Group Uses Reductor RAT to Compromise TLS Traffic

Delaware, USA – October 4, 2019 – The new sophisticated remote access trojan by Turla APT not only provides attackers with full access to the victim’s system but also modifies Chrome and Firefox browsers to manipulate digital certificates and mark outbound TLS traffic with unique host-related identifiers. Kaspersky Lab researchers discovered Reductor RAT during the investigation into an attack in which legitimate files were replaced by infected files right during the downloading process. This trojan is probably a successor of another group tool – COMPfun, which in some cases was used as a downloader for the Reductor. The new malware has all the usual functions of a trojan but also installs own digital certificates, unique to each infected host, and patches pseudo-random number generation functions in Chrome and Firefox. The installed certificates allow attackers to intercept any TLS traffic, and patched browsers add unique fingerprints for the TLS-encrypted web traffic, so Turla hackers will be able to intercept traffic and replace downloading files with infected ones.

Such complex manipulations will make it possible to quickly reinfect the target organization in the case of attack detection and removal of Reductor RAT. Of course, for this, it is necessary to control the traffic of organizations through compromised internet service providers, but Turla APT has such operations in its portfolio. The group is notorious for resonant operations and advanced malware, such as the hijacking infrastructure of another APT group to conduct the attack or LightNeuron backdoor that completely controls traffic on the infected server including email interception, as well as sending, forwarding, blocking and editing correspondence. You can learn more about techniques and tools used by this group on Threat Detection Marketplace in Mitre ATT&CK section: https://tdm.socprime.com/att-ck/