Russian Hackers Modify Chrome & Firefox to Track TLS Web Traffic

Hacking is flourishing with the advancement of technologies. In the same line, a group of hackers from Russia has been found hacking the locally used browsers, Chrome and Firefox. The purpose of the hackers is to modify the 2 browsers’ HTTP set up. This group of hackers intent to add a fingerprint for TLS-encrypted web traffic per victim that source from the hacked systems.

Turla is the name of this hacking group which is well-known for working under the protection of the Russian government. This week, Kaspersky published a report wherein they stated that victims are infected by hackers through a trojan that works remotely. The name of this Trojan is, ‘Reductor’. The same technique they are using in these two browsers.

The whole process contains two major steps. Firstly, hackers have to install their own digital certificates to every infected host system. By this, hackers get the TLS traffic information from the suspected computer. Second is, in order to modify the Chrome and Firefox browsers, hackers make use of pseudo-random number generation (PRNG) functions. If you don’t know PRNG, it is used for generating random numbers and setting up new TLS handshakes for establishing HTTPS connections.

At the start of all TLS connections, Turla – The hacking group make use of these PRNG function for adding a fingerprint. Kaspersky researchers have explained in their report which is released today itself, the following structure –

  • The first four-byte hash (cert_hash) is built using all of the Reductor’s digital certificates. For each of them, the hash’s initial value is the X509 version number. Then they are sequentially XORed with all four-byte values from the serial number. All the counted hashes are XOR-ed with each other to build the final one. The operators know this value for every victim because it’s built using their digital certificates
  • The second four-byte hash (hwid_hash) is based on the target’s hardware properties: SMBIOS date and version, Video BIOS date and version and hard drive volume ID. The operators know this value for every victim because it’s used for the C2 communication protocol.
  • The latter three fields are encrypted using the first four bytes – initial PRN XOR key. At every round, the XOR key changes with the MUL 0x48C27395 MOD 0x7FFFFFFF algorithm. As a result, the bytes remain pseudo-random, but with the unique host, ID encrypted inside.

Kaspersky hasn’t explained the reason behind the hacking of web browsers by Turla. However, it makes sure one thing that, all this hasn’t done for tweaking the user’s encrypted traffic. The ‘Reductor’ gives complete information about the targeted system to hackers. In fact, RAT (Reductor) also enables hackers to know real-time network traffic. Without any sure verdict, it can be assumed that the TLS fingerprint might be used as alternate surveillance by the hackers.

With the help of the TLS fingerprint, Turla group hackers can successfully know the encrypted traffic of websites while connecting to them in real-time.

Altogether, Turla is considered as the most prominent hacking group at present globally. The way they work and techniques used by them are far better than others doing the same job. For your information, Turla has been known for hijacking and utilizing telecommunication satellites in order to emit malware worldwide. Also, this is not the first instance of Turla group attacking web browsers and intruding malware on the host’s systems.

This group has also installed the backdoored Firefox add-on in victims’ browsers back in 2015 for watching the activities including traffic results of websites in real-time.

This time again they are patching the two widely used browsers, Chrome and Firefox, to track the HTTP traffic on the victim’s address. their past clever hacks and techniques. are helping them in doing so.


Please enter your comment!
Please enter your name here