Hackers found tracking web traffic of Chrome and Firefox browsers


Google Chrome and Mozilla Firefox are two of the most popular browsers among users. Exploiting that popularity, a Russian group known by the handle Turla has been attempting to track the encrypted traffic of both browsers. With targets identified in Russia and Belarus, the group attacks systems with a remote access trojan (RAT) that stealthily allows it to modify the browsers.


These trojans are believed to be downloaded from both legitimate sites and sites that distribute pirated software. Interestingly, though, the websites never actually hosted any malicious files. Instead, when the user initiated a legitimate download, the files were modified in transit, which was made all the easier because the connection ran over HTTP.

This raises another question: how could they sniff all that traffic? To do so, they must have compromised an Internet Service Provider (ISP), which is no big feat given that the group is suspected to be supported by the Russian government. In addition, it is on record that Turla has compromised several ISPs in the past.



Once a system is infected, they install their own digital certificates and then, by analyzing the code of both browsers, patch the pseudo-random number generation function in memory by adding unique hardware- and software-based identifiers, allowing them to follow the victim’s footsteps al ..
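A defender-side check for the technique described above, as an added example that is not from the original article: it groups captured TLS ClientHello random values by client and flags byte ranges that never change across handshakes. It assumes the patched PRNG output ends up in the 32-byte ClientHello random field (the article does not name the field); the function names, client addresses and marker bytes are constructed for illustration.

```python
import hashlib
from collections import defaultdict

RANDOM_LEN = 32       # ClientHello.random is 32 bytes
LEGACY_TIME_LEN = 4   # older TLS stacks put a timestamp here, so skip it
MARKER = bytes.fromhex("a1b2c3d4e5f60718")  # constructed value, not a real indicator

def constant_runs(randoms, min_run):
    """Return (offset, bytes) for runs of >= min_run offsets identical in every sample."""
    runs, start = [], None
    for i in range(LEGACY_TIME_LEN, RANDOM_LEN + 1):
        same = i < RANDOM_LEN and len({r[i] for r in randoms}) == 1
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_run:
                runs.append((start, randoms[0][start:i]))
            start = None
    return runs

def flag_marked_clients(handshakes, min_samples=4, min_run=4):
    """handshakes: iterable of (client_id, random_bytes) taken from captured ClientHellos."""
    by_client = defaultdict(set)
    for client, rnd in handshakes:
        if len(rnd) == RANDOM_LEN:          # ignore malformed records
            by_client[client].add(rnd)
    findings = {}
    for client, randoms in by_client.items():
        if len(randoms) < min_samples:      # too few distinct handshakes to judge
            continue
        runs = constant_runs(sorted(randoms), min_run)
        if runs:
            findings[client] = runs
    return findings

def build_constructed_capture():
    """Constructed sample: one clean client, one whose randoms carry a fixed marker."""
    capture = []
    for n in range(5):
        clean = hashlib.sha256(f"clean-{n}".encode()).digest()
        marked = hashlib.sha256(f"marked-{n}".encode()).digest()
        capture.append(("10.0.0.5", clean))
        capture.append(("10.0.0.9", marked[:8] + MARKER + marked[16:]))
    return capture

if __name__ == "__main__":
    for client, runs in flag_marked_clients(build_constructed_capture()).items():
        for offset, value in runs:
            print(f"{client}: constant bytes at offset {offset}: {value.hex()}")
```

A healthy browser PRNG should never produce a flagged run; any hit on traffic from a modern Chrome or Firefox client is worth investigating on the endpoint.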
