Kaspersky specialists have found a new web threat: a trojan, attributed to Russian hackers, that infects the Google Chrome and Firefox web browsers.
A Russian cyber-espionage group known as Turla has been linked to the attack, which involves patching locally installed browsers such as Chrome and Firefox to modify their internal components. The patching alters the way the two browsers set up HTTPS connections and adds a per-victim fingerprint to the TLS-encrypted web traffic that originates from infected computers.
How do the Russian hackers attack the Chrome and Firefox browsers?
Turla, which is believed to operate under the protection of the Russian government, infects victims with a remote access trojan named Reductor and uses it to modify the two browsers.
The attack involves two steps. First, the attackers install their own digital certificates on each infected host. Because the browser then trusts any certificate chained to the attackers' root, this lets them intercept any TLS traffic originating from the host.
Second, they modify the Chrome and Firefox installations to patch their pseudo-random number generation (PRNG) functions. These functions supply the random values the browsers use when negotiating and establishing new TLS handshakes for HTTPS connections, so controlling their output lets the attackers stamp every handshake from a victim with a recognisable, per-victim marker.
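To make the second step concrete, here is an added detection example (not code from Kaspersky or from the article) that shows why a patched PRNG is visible on the wire. A TLS ClientHello carries a 32-byte Random field that an honest browser fills from its CSPRNG; if the PRNG has been patched to embed a host identifier, the same bytes recur at a fixed offset in every handshake from that machine. The script parses minimal TLS records, extracts the Random field, and flags a set of ClientHellos from one host whose randoms share too many byte positions. The marker layout (four fixed bytes at offset 8) and the sample handshakes are constructed for illustration and are not Reductor's real encoding.

```python
"""Detect per-host tagging in TLS ClientHello randoms (added example)."""
import hashlib
import struct
from typing import List, Tuple

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01


def client_random(record: bytes) -> bytes:
    """Return the 32-byte Random from a TLS record that carries a ClientHello."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ClientHello layout: legacy_version(2) | random(32) | session_id ...
    if len(hello) < 34:
        raise ValueError("truncated ClientHello")
    return hello[2:34]


def shared_positions(randoms: List[bytes]) -> List[int]:
    """Byte offsets (0..31) at which every Random in the list has the same value."""
    if len(randoms) < 2:
        return []
    first = randoms[0]
    return [i for i in range(32) if all(r[i] == first[i] for r in randoms[1:])]


def looks_tagged(randoms: List[bytes], threshold: int = 4) -> bool:
    """Flag when at least `threshold` positions agree across all samples.

    For n independent randoms a given position agrees across all n with
    probability 256**-(n-1); with five samples even one shared position is
    about 1 in 4 billion, so four shared positions is not chance.
    """
    return len(shared_positions(randoms)) >= threshold


def build_client_hello(random32: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input):
    empty session id, one cipher suite, null compression, no extensions."""
    if len(random32) != 32:
        raise ValueError("random must be 32 bytes")
    hello = (
        b"\x03\x03"             # legacy_version: TLS 1.2
        + random32              # random
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"           # compression_methods: null only
        + b"\x00\x00"           # extensions length 0
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_TYPE_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _pseudo_random(seed: int) -> bytes:
    """Deterministic stand-in for CSPRNG output so the example is reproducible."""
    return hashlib.sha256(b"sample-%d" % seed).digest()


# Hypothetical marker layout for illustration only; not Reductor's real encoding.
HYPOTHETICAL_MARKER = b"\xde\xad\xbe\xef"
MARKER_OFFSET = 8

# Constructed samples: five honest handshakes and five from a "patched" browser.
HONEST_HELLOS = [build_client_hello(_pseudo_random(i)) for i in range(5)]
TAGGED_HELLOS = [
    build_client_hello(
        _pseudo_random(100 + i)[:MARKER_OFFSET]
        + HYPOTHETICAL_MARKER
        + _pseudo_random(100 + i)[MARKER_OFFSET + len(HYPOTHETICAL_MARKER):]
    )
    for i in range(5)
]


def analyse(hellos: List[bytes]) -> Tuple[List[int], bool]:
    """Extract the randoms from a host's ClientHellos and report shared positions."""
    randoms = [client_random(h) for h in hellos]
    return shared_positions(randoms), looks_tagged(randoms)


if __name__ == "__main__":
    for name, hellos in (("honest", HONEST_HELLOS), ("tagged", TAGGED_HELLOS)):
        positions, flagged = analyse(hellos)
        print(f"{name}: shared positions {positions} -> {'TAGGED' if flagged else 'clean'}")
```

The check is deliberately simple: it works per source host, needs only a handful of captured ClientHellos, and does not depend on knowing the marker's format in advance. Real deployments would feed it records carved from a pcap and tune the threshold to the number of samples available.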
Turla is carrying out an advanced attack
Most criminals focus exclusively on exploiting security vulnerabilities in browsers. Turla, however, has gone one step further: it infects systems with a remote access trojan and then uses it to modify the browsers themselves.
In the past, Turla has been known to hijack telecommunications satellite links to deliver malware to remote areas of the globe. It has developed malware that hid its control mechanism inside comments posted on Britney Spears' Instagram photos, and email server backdoors that received commands via spam-looking messages.
This is also not the first time Turla has released code that alters a browser component on infected hosts. In 2015 the group installed a backdoored Firefox add-on in victims' browsers, which it used to keep an eye on their web traffic.