Researchers have discovered a new malware strain, dubbed Reductor, that allows hackers to manipulate Hypertext Transfer Protocol Secure (HTTPS) traffic by tweaking a browser's random-number generator, whose output is used to establish a private connection between the client and the server.
Once a machine is infected, Reductor is used to spy on the victim's browser activity, said the Global Research and Analysis Team (GReAT) at Kaspersky, which discovered the malware. Researchers said Reductor is being used for cyber espionage against diplomatic entities in the post-Soviet republics known as the Commonwealth of Independent States.
Although Reductor is unique, researchers said it has close ties to the COMpfun trojan. The COMpfun malware was initially documented by researchers at G-DATA in 2014. Since then, Kaspersky has linked COMpfun to the Russian-speaking advanced persistent threat (APT) group Turla (a.k.a. Snake, Venomous Bear, Waterbug and Uroburos). However, Kaspersky said a direct link to Turla is unclear.