{
	"id": "23c07c7c-67b3-4042-8814-9cfd34b56899",
	"created_at": "2026-04-06T00:08:31.627324Z",
	"updated_at": "2026-04-10T03:36:13.552902Z",
	"deleted_at": null,
	"sha1_hash": "522252d3cdad27809e833a007bc261605364d05b",
	"title": "COMpfun successor Reductor infects files on the fly to compromise TLS traffic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 158487,
	"plain_text": "COMpfun successor Reductor infects files on the fly to compromise\r\nTLS traffic\r\nBy GReAT\r\nPublished: 2019-10-03 · Archived: 2026-04-05 23:09:52 UTC\r\nIn April 2019, we discovered new malware that compromises encrypted web communications in an impressive\r\nway. Analysis of the malware allowed us to confirm that the operators have some control over the target’s network\r\nchannel and could replace legitimate installers with infected ones on the fly. That places the actor in a very\r\nexclusive club, with capabilities that few other actors in the world have.\r\nWe called these new modules ‘Reductor’ after a .pdb path left in some samples. Besides typical RAT functions\r\nsuch as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating\r\ndigital certificates and marking outbound TLS traffic with unique host-related identifiers.\r\nThe Kaspersky Attribution Engine shows strong code similarities between this family and the COMPfun Trojan.\r\nMoreover, further research showed that the original COMpfun Trojan most probably is used as a downloader in\r\none of the distribution schemes. Based on these similarities, we’re quite sure the new malware was developed by\r\nthe COMPfun authors.\r\nThe COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didn’t identify which\r\nactor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our\r\ntelemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active\r\nat the time of writing (August 2019). We identified targets in Russia and Belarus.\r\nWe registered two initial infection schemes: Reductor spreads by either infecting popular software distributions\r\n(Internet Downloader Manager, WinRAR, etc. 
and, for at least one victim, through a popular warez website over\r\nHTTP); or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts.\r\nHow to mark the TLS handshake without even touching the traffic\r\nThe malware adds digital certificates from its data section to the target host and allows the operators to add\r\nadditional certificates remotely through a named pipe. The solution that Reductor’s developers found to mark TLS\r\ntraffic is the most ingenious part. They don’t touch the network packets at all; instead developers analyzed the\r\nFirefox source code and Chrome binary code to patch the corresponding pseudo random number generation\r\n(PRNG) functions in the process’s memory.\r\nBrowsers use PRNG to generate the ‘client random’ sequence for the network packet at the very beginning of the\r\nTLS handshake. Reductor adds encrypted unique hardware- and software-based identifiers for the victims to this\r\n‘client random’ field. In order to patch the system’s PRNG functions, the developers used a small embedded Intel\r\ninstruction length disassembler.\r\nhttps://securelist.com/compfun-successor-reductor/93633/\r\nPage 1 of 8\n\nIn order to patch browser PRNG memory functions and add unique user IDs into the TLS handshake, the\r\ndevelopers of Reductor had to analyze Firefox and Chrome code\r\nWhy we believe on-the-fly infection took place\r\nAs we don’t know what happens on the ‘server’ side, we can only rely on ‘client’ analysis. In order to distinguish\r\nhandshakes of interest from all the TLS traffic, the campaign operators firstly have to decrypt this ‘client hello’\r\nfield. This means the campaign operators somehow need to have access to the target’s traffic.\r\nThe Reductor malware does not carry out a man-in-the-middle (MitM) attack itself. 
However, our initial thought\r\nwas that the installed certificates may facilitate MitM attacks on TLS traffic; and the ‘client random’ field, with\r\nthe unique ID in the handshake, would identify the traffic of interest. Later analysis provided even more basis for\r\nthis idea.\r\nWe initially observed that infected installers were downloaded from HTTPS warez websites; but, as often\r\nhappens, the files themselves were downloaded through unencrypted HTTP. This makes it technically possible to\r\nreplace the files with malicious ones during the download process. Interestingly, the configuration data of some\r\nsamples contained very popular legitimate websites. We really don’t think they were compromised to serve as\r\ncontrol servers.\r\nIn any case, we didn’t initially know how the installers were infected, because the original downloaded files were\r\nno longer available for analysis on the warez websites. And there was always the possibility that the installers\r\nwere infected on the website from which they were originally downloaded.\r\nThen more recent Reductor telemetry gave us a clue. This time samples were again being downloaded from warez\r\nwebsites, but we were able to confirm that in this new case the original installers were not infected. This allowed\r\nus to confirm that Reductor’s operators have some control over the target’s network channel and could replace\r\nlegitimate installers with infected ones on the fly.\r\nReductor features\r\nThe malware authors are creative and sometimes even seem to be having a bit of fun. For instance, one of the web\r\ndomains they use for COMpfun (the publicly known name) is compfun[.]net. The domain-user-password triad\r\nhardcoded into the decryptor-dropper was “uac is useless”. 
Here’s a summary of the different types of campaign\r\nartifacts found:\r\n | Initial infection | Escalation, detection avoidance | Main payload\r\nMalware | COMpfun Trojan | Reductor dropper-decryptor | Reductor Trojan\r\nProcess | One of the browsers | Same browser | lsass.exe\r\nPersistence | COM CLSID hijacking | Auxiliary module, N/A | LSA notification package\r\nNet encryption | AES 128 | Local module, N/A | AES 128\r\nHost encryption | Configuration data encrypted with one byte XOR and compressed with LZNT1 | Reductor in resources encrypted with one byte XOR and compressed with LZNT1 | Victims’ unique IDs in TLS ‘client hello’ encrypted using XOR with changing round key\r\nAs we have already mentioned, there are two different methods used by the attackers to spread Reductor. In the\r\nfirst scenario, the attackers use infected software installers with 32- and 64-bit versions of Reductor included.\r\nThese installers may be for popular Internet Download Manager, Office Activator, etc.\r\nIn the second scenario, the targets are already infected with the COMpfun Trojan, which uses COM CLSID for\r\npersistence. After getting into the browser’s address space, the Trojan can receive the command to download\r\nadditional modules from the C2. As a result, the target’s browser downloaded Reductor’s custom dropper-decryptor.\r\nThe coding style is quite distinctive throughout the modules. Take a look at them in the following table:\r\nFeature | Description\r\nStrings storage | All the strings in use, such as function names for resolving dynamic addresses, are returned by small functions. The developers probably implemented them using the C preprocessor #define directive.\r\nFunction address dynamic resolution | For every dynamic linked library in use, the developers implemented a standalone function and a custom structure to store the addresses of its functions for further use.\r\nExtensive use of custom structures | The developers used custom structures for every task: C2 communication, thread synchronization, resolving of system function addresses, etc.\r\nSystem fingerprinting hashes inside TLS ‘client random’\r\nAs mentioned above, Reductor adds its own ‘victim id’ inside TLS packets. The first four-byte hash (cert_hash) is\r\nbuilt using all of Reductor’s digital certificates. For each of them, the hash’s initial value is the X509 version\r\nnumber. Then it is sequentially XORed with all four-byte values from the serial number. All the computed\r\nhashes are XOR-ed with each other to build the final one. The operators know this value for every victim, because\r\nit’s built using their digital certificates.\r\nThe second four-byte hash (hwid_hash) is based on the target’s hardware properties: SMBIOS date and version,\r\nVideo BIOS date and version and hard drive volume ID. The operators know this value for every victim because\r\nit’s used for the C2 communication protocol. The resulting custom 16-byte structure to spoof the originally\r\nPRNG-generated values looks like this:\r\nstruct client_hello_system_fingerprint {\r\n    DWORD initial_xor_key;  // First four bytes generated by original system PRNG function\r\n    DWORD predefined_const; // Set to 0x45F2837D\r\n    DWORD cert_hash;        // Reductor's digital certificates hash\r\n    DWORD hwid_hash;        // Target's hardware hash\r\n};\r\nThe latter three fields are encrypted using the first four bytes – the initial PRN XOR key. At every round, the XOR\r\nkey changes with the MUL 0x48C27395 MOD 0x7FFFFFFF algorithm. 
As a result, the bytes remain pseudo\r\nrandom, but with the unique host ID encrypted inside.\r\nPRNG patching\r\nThe table below enumerates the patched auxiliary and PRNG system functions.\r\nLibrary | Patched function | Features\r\nAuxiliary functions\r\n“ntdll.dll” | RtlReleaseResource() | Save auxiliary data like current thread ID and current tick count;\r\n | memcpy() | If “client hello” has to be copied, then count cert_hash and hwid_hash, change source bytes to encrypted client_hello_system_fingerprint structure and call original memcpy();\r\nOne of the C runtime libraries | time64() | Save time passed since 1 January 1970;\r\n“kernel32.dll” or “kernelbase.dll” | GetSystemTimeAsFileTime() | \r\nPRNG functions\r\n“nss3.dll” | PK11_GenerateRandom() | Call original PRNG function and generate initial XOR key from its result. Change PRNG result: set seventh byte to 1, then save 0x45F2837D, hwid and cert hashes. Encrypt the result and return it instead of the original PRN. It will affect calls to ssl3_SendClientHello() -\u003e ssl3_GetNewRandom(ss-\u003essl3.hs.client_random);\r\n“advapi32.dll” | CryptGenRandom() | Spoof these system PRNG function results in similar way with some minor changes;\r\n“bcrypt.dll” | BCryptGenRandom() | Spoof these system PRNG function results in similar way with some minor changes;\r\n“chrome.dll” | PRNG function | Find PRNG function by its binary code template and patch it like all the aforementioned.\r\nFirefox nss3.dll PK11_GenerateRandom() patching\r\nReductor patches nss3.dll for Firefox. This library’s source code is publicly available. PK11_GenerateRandom() is\r\nused in the /security/nss/lib/ssl/ssl3con.c in the ssl3_GetNewRandom() function. 
The\r\nSSL3_RANDOM_LENGTH constant is 32 bytes, so Reductor’s code changes the whole result, and the functions\r\nthat call ssl3_GetNewRandom() will receive the modified random data with the encrypted target\r\nfingerprint inside.\r\nIn this case, the caller of ssl3_GetNewRandom(ss-\u003essl3.hs.client_random) is ssl3_SendClientHello(), which uses it\r\nto generate the client random data for the initial communication handshake.\r\nTo affect the TLS handshake, the malware authors patched PK11_GenerateRandom() inside the Firefox process\r\nmemory\r\nPatching PK11_GenerateRandom() would also affect the generation of any 256-bit (32-byte) initialization vector\r\n(IV), for example, for AES 256 in ssl_SelfEncryptProtect() or other crypto functions in NSS libraries\r\nused by Firefox. From our point of view, this would be a side effect of Reductor with no additional purpose.\r\nInstalled digital certificates\r\nReductor samples hold DER-encoded root X509v3 certificates in the .data section to add on the target hosts. The\r\nmalware is also able to get additional certificates from the operators through a named pipe.\r\nCertificate SHA1 fingerprint | CA for root cert | Valid till (GMT)\r\n119B2BE9C17D8C7C5AB0FA1A17AAF69082BAB21D | ie-paypal | 2031.11.17 22:56:10\r\n546F7A565920AEB0021A1D05525FF0B3DF51D020 | GeoTrust Rsa CA | 2031.11.17 22:56:10\r\n959EB6C7F45B7C5C761D5B758E65D9EF7EA20CF3 | GeoTrust Rsa CA | 2031.11.17 22:56:10\r\n992BACE0BC815E43626D59D790CEF50907C6EA9B | VeriSign, Inc. | 2031.11.17 22:56:10\r\nOne of the decoded CA X509v3 certificates inside the Reductor malware\r\nC2 communication\r\nAll C2 communications are handled in a standalone malware thread. Reductor sends HTTP POST queries to the\r\n/query.php scripts on the C2s listed in its configuration. 
The POST query contains the target’s unique hardware ID\r\nencrypted with AES 128. The C2 returns one of the following encrypted commands.\r\nC2 command | Features\r\nhostinfo | Get the host name\r\ngettimeout | Get the timeout value from the corresponding registry value\r\noptions | Parse strings and set corresponding values in the system registries. So far only one option is supported – timeout\r\ndomainlist | Transmit the current C2 domains used by target\r\ndownfile | Download the file of interest\r\nupfile | Upload the file of interest\r\nexecfile | Create the process that executes mentioned file\r\nnop | Do nothing. Possibly used to check the connection with the host\r\nkill | Delete installed digital certificates, files, cookies and system registry values including those related to COM CLSID or LSA notification package persistence\r\ndeletefile | Delete file at a specified path\r\ncertlist | Renew the digital certificates installed on target\r\nConclusions\r\nTurla has in the past shown many innovative ways to accomplish its goals, such as using hijacked satellite\r\ninfrastructure[2]. This time, if we’re right that Turla is the actor behind this new wave of attacks, then with\r\nReductor it has implemented a very interesting way to mark a host’s encrypted TLS traffic by patching the\r\nbrowser without parsing network packets. The victimology for this new campaign aligns with previous Turla\r\ninterests.\r\nWe didn’t observe any MitM functionality in the analyzed malware samples. However, Reductor is able to install\r\ndigital certificates and mark the targets’ TLS traffic. It uses infected installers for initial infection through HTTP\r\ndownloads from warez websites. The fact that the original files on these sites are not infected also points to\r\nsubsequent traffic manipulation.\r\nFile Hashes\r\n27CE434AD1E240075C48A51722F8E87F\r\n4E02B1B1D32E23975F496D1D1E0EB7A6\r\n518AB503808E747C5D0DDE6BFB54B95A\r\n7911F8D717DC9D7A78D99E687A12D7AD\r\n9C7E50E7CE36C1B7D8CA2AF2082F4CD5\r\nA0387665FE7E006B5233C66F6BD5BB9D\r\nF6CAA1BFCCA872F0CBE2E7346B006AB4\r\nDomains and IPs\r\nadstat.pw\r\nbill-tat.pw\r\nSource: https://securelist.com/compfun-successor-reductor/93633/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/compfun-successor-reductor/93633/"
	],
	"report_names": [
		"93633"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/522252d3cdad27809e833a007bc261605364d05b.pdf",
		"text": "https://archive.orkl.eu/522252d3cdad27809e833a007bc261605364d05b.txt",
		"img": "https://archive.orkl.eu/522252d3cdad27809e833a007bc261605364d05b.jpg"
	}
}