Encryption Breaking Malware “Reductor” Threatens Windows Users

Researchers at Kaspersky have uncovered a new highly sophisticated, high impact malware threat that breaks encryption:  Reductor.  According to the researchers, the malware “compromises encrypted web communications in an impressive way” and gives the threat actors behind it “capabilities that few other actors in the world have.” Reductor compromises the encrypted HTTPS communication, which enables the attacker to see all information and actions carried out by the web browser while leaving the victim completely unaware of the invasion.

According to the Kaspersky researchers, Reductor avoids touching any network packets, which would raise a red flag with security protections in place, and instead patch the PRNG functions of your Chrome or Firefox browser in the process memory. It also installs rogue digital certificates.  “This is another particularly clever move by the attackers, to mark the packets with a signature of their own but without touching the network packets at all,” Tweets John Opdenakker, Ethical Hacker. “It’s very hard to detect that the victims PRNG is manipulated by the attacker.”

Using the Kaspersky Attribution Engine, the researchers feel there is some evidence that Reductor uses the COMPfun Trojan as a downloader, and they have tentatively linked Reductor to Turla, an advanced espionage threat group also known as Venomous Bear or Snake.  The group is known to target high profile groups such as government, military and large commercial targets.

Internet Download Manager, Office Activator and WinRAR, as well as other Windows products, have all been mentioned as being used as vehicles to distribute the malware.  To minimize your risk of compromise “only install what you need, and only get your software directly from the vendor, developer or official market store,” web-based applications security specialist Sean Wright says, “and have antivirus protection installed, I recommend Windows Defender, which is both excellent and free.”