Kaspersky warns of encryption-busting Reductor malware


Infection manipulates browsers to snoop on TLS comms


Kaspersky says it has uncovered a new malware infection that is able to decode encrypted TLS traffic without the need to intercept or manipulate it.


Known as Reductor, the malware was spotted in April of this year and is believed to be the work of an espionage-focused hacking crew known as Turla. The malware is thought to be connected to an earlier trojan called 'COMpFun'.


What makes Reductor unique, says Kaspersky's team, is its ability to manipulate TLS certificates. This, in turn, allows the infection to present other malware installers as legitimate software.


"Besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers,"