According to a Kaspersky report published this week, hackers are infecting victims with a remote access trojan named Reductor, through which they are modifying the two browsers. This process involves two steps. They first install their own digital certificates to each infected host. This would allow hackers to intercept any TLS traffic originating from the host. Second, they modify the Chrome and Firefox installation to patch their pseudo-random number generation (PRNG) functions. These functions are used when generating random numbers needed for the process of negotiating and establishing new TLS handshakes for HTTPS connections.
Turla hackers are using these tainted PRNG functions to add a small fingerprint at the start of every new TLS connection.
The attack is being attributed to Turla, “a well-known hacker group believed to operate under the protection of the Russian government,” ZDNet reports. And though the remote-access trojan already grants full control over a victim’s device, one theory is the modified browsers offer “a secondary surveillance mechanism” if that trojan was discovered and removed. Researchers believe the malware is installed during file transfers over HTTP connections, suggesting an ISP had been compromised, according to the article.
“A January 2018 report from fellow cyber-security firm ESET revealed that Turla had compromised at least four ISPs before, in Eastern Europe and the former Soviet space, also with the purpose of tainting downloads and adding malware to legitimate files.”