Browser manufacturers are implementing features such as HTTPS and TLS encryption to prevent sites from tracking users through various technologies. However, a particularly notorious group from Russia used COMPfun Trojan which “allowed us to confirm that the operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly. That places the actor in a very exclusive club, with capabilities that few other actors in the world have. Besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers.”
Kaspersky Labs’ investigation into the covert attack revealed that hackers managed to find a way to modify the Web browser so that TLS traffic designed to be secure and private would have a unique fingerprint. The way these hackers can do this is frightening. The hacker patched the installer for Google Chrome and Mozilla Firefox to include the special fingerprint feature when the browser is running. Kaspersky is unable to determine how and when the hacker will make changes, but hackers may make changes as soon as the user downloads the installer from a legitimate source.
For some hackers, this is a fairly high technical requirement because it means that hackers need to hack into Internet service providers and their networks. However, for a hacker organization called Tulsa, this may not be that difficult. The Tulsa organization is known for its connections to the Russian government and has participated in several hacking incidents against ISPs. Oddly enough, this kind of malware called Reductor is not really used to decrypt the user’s encrypted traffic, so this may be a way to covertly track user network activity.