
Malware Targets Chrome and Firefox To Sniff Encrypted Traffic


Cybersecurity experts at Kaspersky identified a strain of malware that affects encrypted communication by modifying Chrome and Firefox install files. They first discovered the malicious code in April 2019 and released an analysis of their findings this week.

The team at Kaspersky calls the new malware Reductor. It is a type of malware known as a remote access trojan (RAT for short). A RAT gives a remote operator access to the infected machine over the network: from a remote location they can upload and download data or even execute code on the machine.

The programmers behind Reductor went above and beyond with their creation: the official announcement from Kaspersky even called it "impressive." Reductor works by modifying Chrome and Firefox local installation files. It then marks outbound TLS traffic with a unique identifier. This fingerprint makes it possible to track the host's subsequent traffic, even when it travels over an encrypted channel.
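The article does not say where in the TLS handshake the identifier is placed; Kaspersky's own write-up describes it as sitting in the client random field of the ClientHello, and that placement is the working assumption of the following defender-side check. It is an added example, not code from the article or from Kaspersky: it parses the ClientHello random out of raw TLS records and flags any source host whose randoms share a fixed prefix across several sessions (a healthy client never reuses that value). The host addresses, the marker bytes and the session threshold are constructed for the demo.

```python
import random
import struct
from collections import defaultdict

def parse_client_hello_random(record: bytes):
    """Return the 32-byte client random from a TLS handshake record that
    carries a ClientHello, or None if the bytes do not look like one."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ClientHello body starts with client_version(2) then random(32)
    if len(hello) < 34:
        return None
    return hello[2:34]

def find_marked_hosts(handshakes, prefix_len=4, min_sessions=3):
    """handshakes: iterable of (source_host, raw TLS record). A healthy client
    never reuses its random, so a prefix identical across several sessions from
    one host is the stable per-host marker this check flags."""
    seen = defaultdict(lambda: defaultdict(int))
    for src, record in handshakes:
        rnd = parse_client_hello_random(record)
        if rnd is not None:
            seen[src][rnd[:prefix_len]] += 1
    return {src: prefix.hex() for src, counts in seen.items()
            for prefix, n in counts.items() if n >= min_sessions}

def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, no extensions) for the
    demo; real browser hellos are longer but the random sits in the same place."""
    hello = (b"\x03\x03" + random32 + b"\x00"  # version, random, empty session id
             + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00")  # suites, compression, exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def demo():
    """Constructed sample: one clean host and one whose randoms share a prefix."""
    rng = random.Random(2019)
    marker = b"\xde\xad\xbe\xef"  # placeholder marker, not a value from the report
    clean = [("10.0.0.5", build_client_hello(rng.randbytes(32))) for _ in range(5)]
    marked = [("10.0.0.9", build_client_hello(marker + rng.randbytes(28))) for _ in range(5)]
    return find_marked_hosts(clean + marked)
```

On real captures the same grouping can be fed from a packet capture tool's exported handshake records; the prefix length and session threshold should be tuned to the amount of traffic a host normally generates.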

"Analysis of the malware allowed us to confirm that the operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly," Kaspersky stated.

As of October, only targets in Russia and Belarus have been identified. The end goal of Reductor isn't clear yet. The team speculates the traffic marking may be a form of redundancy in case a victim removes the Reductor trojan from the computer.

According to Kaspersky, the Kaspersky Attribution Engine showed significant similarities between Reductor and a previous strain of malware known as COMPfun, initially documented in 2014. Because of these similarities, the team is quite sure Reductor and COMPfun come from the same developers.