Russian hacker group patches Chrome and Firefox to fingerprint TLS traffic

A Russian cyber-espionage hacker group has been spotted using a novel technique that involves patching locally installed browsers like Chrome and Firefox in order to modify the browsers’ internal components.

The end goal of these modifications is to alter the way the two browsers set up HTTPS connections, and add a per-victim fingerprint for the TLS-encrypted web traffic that originates from the infected computers.

Attack blamed on Turla

This type of novel attack has been attributed to Turla, a well-known hacker group believed to operate under the protection of the Russian government.

According to a Kaspersky report published this week, hackers are infecting victims with a remote access trojan named Reductor, through which they are modifying the two browsers.

This process involves two steps. They first install their own digital certificates to each infected host. This would allow hackers to intercept any TLS traffic originating from the host.

Second, they modify the Chrome and Firefox installation to patch their pseudo-random number generation (PRNG) functions. These functions are used when generating random numbers needed for the process of negotiating and establishing new TLS handshakes for HTTPS connections.

Turla hackers are using these tainted PRNG functions to add a small fingerprint at the start of every new TLS connection. The structure of this fingerprint goes as follows, as explained by Kaspersky researchers in a report released today:

• The first four-byte hash (cert_hash) is built using all of Reductor’s digital certificates. For each of them, the hash’s initial value is the X509 version number. Then they are sequentially XORed with all four-byte values from the serial number. All the counted hashes are XOR-ed with each other to build the final one. The operators know this value for every victim, because it’s built using their digital certificates.
• The second four-byte hash (hwid_hash) is based on the target’s hardware properties: SMBIOS date and version, Video BIOS date and version and hard drive volume ID. The operators know this value for every victim because it’s used for the C2 communication protocol.
• The latter three fields are encrypted using the first four bytes – initial PRN XOR key. At every round, the XOR key changes with the MUL 0x48C27395 MOD 0x7FFFFFFF algorithm. As a result, the bytes remain pseudo random, but with the unique host ID encrypted inside.

Post-removal tracking mechanism?

Kaspersky didn’t have an explanation of why Turla hackers were doing this. Whatever it was, it wasn’t for breaking a user’s encrypted traffic.

The Reductor RAT that was present on users’ devices would have allowed hackers full control over a victim’s device already, including the ability to watch a victim’s network traffic in real-time.

However, one possible explanation is that hackers were using the TLS fingerprint as a secondary surveillance mechanism in case victims found and removed the Reductor trojan, but didn’t reinstall their browsers.

With the TLS fingerprint in place, the Turla group would be able to spot the victim’s encrypted traffic stream while it connected to various websites across the web.

This “theory” that ZDNet heard from several security researchers would also means that Turla would be in a position to passively observe HTTPS traffic across the web. Coincidentally, this is confirmed by the Kaspersky report.

Kaspersky researchers said they tracked the initial Reductor trojan infections to software downloads victims made from legitimate websites or “warez” sites.

Researchers said those websites never hosted Reductor-infected files, so the only way Turla hackers modified those files was while they were in transit across the internet.

Because the downloads also took place via HTTP, replacing the legitimate files with the tainted ones would have actually been a pretty trivial task, Kaspersky said.

However, this would mean that Turla hackers also had control or had compromised an internet service provider, in order to sniff all traffic and replace the legitimate files with tainted ones.

But this isn’t a stretch for the Russian hackers, and they’ve been seen doing the very same before. A January 2018 report from fellow cyber-security firm ESET revealed that Turla had compromised at least four ISPs before, in Eastern Europe and the former Soviet space, also with the purpose of tainting downloads and adding malware to legitimate files.

It is possible that those ISP compromises happened again, but this time, instead of the Mosquito trojan, they deployed Reductor.

Normal Turla procedures

All in all, Turla has been one of today’s most sophisticated hacker groups, by a very wide margin. The tricks and techniques the group uses are years ahead of everyone else.

The group has been known to hijack and use telecommunications satellites to deliver malware to remote areas of the globe, has developed malware that hid its control mechanism inside comments posted on Britney Spears’ Instagram photos, has developed email server backdoors that received commands via spam-looking messages, and has hacked other countries’ cyber-espionage hacker groups.

This is also not the first time when Turla alters a browser component to deploy malware on infected hosts. The group has previously installed a backdoored Firefox add-on in victims’ browsers back in 2015 [1, 2], which it used to keep an eye on the user’s web traffic.

Patching Chrome and Firefox just to be able to track a victim’s HTTPS traffic while they’ve been kicked off a workstations fits with their previous pattern of highly clever hacks and techniques.