The Turla APT (Advanced Persistent Threat) is a notorious hacking group that originates from Russia. It is also known as Uroboros, Snake, Waterbug, and Venomous Bear. The Turla APT is well known in the world of cybercrime and has carried out many damaging hacking campaigns over the years. Some malware researchers believe that the group may be sponsored by the Kremlin, but this has not been confirmed. Most of its campaigns are concentrated in former Soviet states such as Belarus and Ukraine, but it has also launched operations in Iran. One of the tools in the Turla APT's rather large arsenal is the Reductor RAT (Remote Access Trojan). The Reductor RAT is believed to be an upgraded variant of the COMpfun threat. The COMpfun Trojan's main purpose was to serve as a first-stage payload, while the Reductor RAT has been further weaponized and poses a much bigger threat to potential victims.
Monitors the TLS Traffic of the Victim
Researchers believe that the Reductor RAT is likely being propagated via file-sharing websites. However, most of the related files have been wiped from these platforms, which makes studying this threat rather difficult. Malware experts have managed to retrieve some data about the Reductor RAT from systems the threat has compromised and thus learned more about this Trojan. What they uncovered is that the Reductor RAT is able to replace browser installer executables with illegitimate copies, and that it can compromise TLS traffic and redirect it to hosts under the attackers' control. The attackers make sure that each victim's handle is personalized and traceable by adding unique hardware- and software-based identifiers. This allows them to track the network traffic of their targets even though the traffic itself remains encrypted, which is why the marking alone cannot be considered a data leak.
If the victim attempts to download a file, the Reductor RAT is capable of replacing the requested file with a corrupted binary. Researchers have determined that the operators of the Reductor RAT have not yet used this function, but it is ready to go whenever it may be required.
Other Reductor RAT Capabilities
Some of the other capabilities of the Reductor RAT include:
- Collecting information about the software and hardware of the victim.
- Issuing remote commands.
- Listing and controlling the running processes.
- Executing uploaded and downloaded files.
- Capturing screenshots of the desktop and tabs.
The Turla APT is not a group to be underestimated, and it is clear that the individuals behind it are constantly developing new tools as well as upgrading old ones.