A security team of experts have discovered a new generation of malware that is created by the Turla hacking group and is called the Reductor Trojan. According to the available research it is a successor to the already released COMpfun malware which was initially reported about back in 2014. The active campaigns that carry it appear to be against targets located in Belarus and Russia.
Reductor Trojan Is The Newest Dangerous Malware By The Turla Hackers
The Turla hacking group is an experienced group which has devised a dangerous new threat known as the Reductor Trojan. It is also being distributed by a whole new technique.
The malware module is believed to happen through a new approach that is not the classical man-in-the-middle attack which is typical of these cases. Instead the malware will install security certificates in the web browsers thus allowing the remote attackers to hijack secure sessions and private information. The likey method which has been been used by the attackers is the distribution of malware-infected application installers of web browsers. A likely place to find them is to upload them to “warez” sites — shady sites that present pirate apps and data which are usually operated by hackers or scammers. There are two likely scenarios in this case:
- Copycat Installers — The hackers can impersonate the legitimate setup bundles of the popular browsers — the most popular ones are Mozilla Firefox and Google Chrome.
- Modified App Installers & Custom Versions — The hackers can create “updated” or “optimized” versions of the common web browsers and present them onto the fake sites. The other technique is to create fake new browsers which are merely rebranded versions of the popular applications that feature the virus code.
At any time the distribution techniques can shift to other methods: the use of file-sharing networks and the inclusion of links to the malware pages via email messages and social network profiles that are either hacked or fake.
The Reductor Trojan And Its Capabilities
As soon as the Reductor Trojan is deployed on a given system its main engine will be started. It will connect to a hacker-controlled server which allows the hackers to take over control of the hosts, steal their files and also install other threats.
What’s dangerous is the fact that the Trojan will be able to hijack all sensitive and secure traffic that flows from the users to Internet pages and vice-versa. By running the relevant engine the criminals can conduct a variety of dangerous actions. The captured samples have been found to allow the following:
- hostinfo — This command will retrieve the computer’s hostname
- gettimeout — This will retrieve the timeout value from the Windows Registry
- domainlist — This will transmit the currently used C&C server domain
- downfile — This will download a given file from the infected computer
- upfile — This will upload a file to the contaminated computer
- options — Allows the hackers to edit out certain values in the Windows Registry
- execfile — This will execute a given file on the remote host
- nop — Idle
- kill — This will delete all files and data that are associated with the Reductor Trojan. This includes the digital certificates, files, cookies, Windows Registry values and any related modules
- deletefile — This will delete a file at a given location
- certlist — This will renew the digital certificates of the installed malware
In addition to the main Trojan engine itself the hackers will probably enable common modules including the persistent installation one. It will edit the boot configuration options thus allowing the main engine to start as soon as the operating system is booted. In many cases this will also disable access to the recovery boot options. The fact that the hackers target secure traffic gives us reasons to believe that the hacking group is probably attempting to hijack online banking sessions. However other scenarios are also likely to be used for stealing of sensitive data, as well surveillance of high-profile targets.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: