Researchers at cybersecurity company Kaspersky Lab published a report this week detailing a Russian group’s attempts at taking a fingerprint of TLS-encrypted web traffic by modifying Chrome and Firefox web browsers.
The group, called Turla, is “believed to operate under the protection of the Russian government,” ZDNet notes.
Kaspersky researchers found that the group could infect systems with a remote access trojan and, from there, install their own digital certificates on each host. This technique enables them to intercept TLS traffic from the host.
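A certificate planted by a RAT leaves an extra entry in the host's trust store, so one defensive check is to diff the store against a known-good baseline of certificate fingerprints. The script below is an added example, not code from Kaspersky's or ZDNet's reporting; the baseline and the two certificate blobs are constructed placeholders, and on Windows it reads the real machine ROOT store via the standard library's ssl.enum_certificates.

```python
"""Audit trusted root certificates against a baseline of SHA-256 fingerprints."""
import base64
import hashlib
import re
import ssl
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(cert: bytes) -> bytes:
    """Accept PEM or DER input and return DER so fingerprints are stable."""
    m = PEM_RE.search(cert)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return cert

def fingerprint(cert: bytes) -> str:
    """SHA-256 over the DER encoding, formatted like a browser's cert viewer."""
    digest = hashlib.sha256(to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def audit_roots(store_certs, baseline):
    """Return (unexpected, missing) fingerprints relative to the baseline set."""
    seen = {fingerprint(c) for c in store_certs}
    return sorted(seen - baseline), sorted(baseline - seen)

def windows_root_store():
    """Read DER certificates from the machine ROOT store (Windows only)."""
    return [der for der, enc, _trust in ssl.enum_certificates("ROOT") if enc == "x509_asn"]

# Constructed sample data: placeholder blobs standing in for real root certificates.
KNOWN_ROOT = b"\x30\x82\x01\x00" + b"known-root-placeholder"
ROGUE_ROOT = b"\x30\x82\x01\x00" + b"rogue-root-placeholder"
KNOWN_ROOT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(KNOWN_ROOT)
                  + b"\n-----END CERTIFICATE-----\n")
BASELINE = {fingerprint(KNOWN_ROOT)}  # constructed baseline of approved roots

if __name__ == "__main__":
    certs = windows_root_store() if sys.platform == "win32" else [KNOWN_ROOT, ROGUE_ROOT]
    unexpected, missing = audit_roots(certs, BASELINE)
    for fp in unexpected:
        print("UNEXPECTED ROOT:", fp)  # candidate for a planted CA certificate
    for fp in missing:
        print("MISSING ROOT:", fp)
```

On a real host the baseline would be the fingerprints captured from a clean build, and Firefox keeps its own certificate database, so its store needs a separate check.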
Secondary method of monitoring targets
Kaspersky didn’t offer an explanation of why the hackers would do this. ZDNet noted that one possible motive might be that the group wanted to use the TLS fingerprint as a secondary traffic surveillance mechanism in case victims found and removed the trojan but didn't take the time to reinstall their browsers. Kaspersky’s researchers said they identified targets in Russia and Belarus.
“We registered two initial infection schemes: Reductor spreads by either infecting popular software distributions (Internet Downloader Manager, WinRAR, etc. and, for at least one victim, through a popular warez website over HTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts,” the company said.
ZDNet added that this isn’t the first time Turla has modified a browser’s internal components.
“A January 2018 report from fellow cyber-security firm ESET revealed that Turla had compromised at least four ISPs before, in Eastern Europe and the former Soviet space, also with the purpose of tainting downloads and adding malware to legitimate files,” ZDNet reported.
“The group has previously installed a backdoored Firefox add-on in victims' browsers back in 2015, which it used to keep an eye on the user's web traffic,” the website added. “Patching Chrome and Firefox just to be able to track a victim's HTTPS traffic while they've been kicked off a workstation fits with their previous pattern of highly clever hacks and techniques.”