Hackers tend to stay away from websites that use HTTPS. These websites encrypt web traffic and prevent cybercriminals from interfering with the data transmitted between the site and the browser.
Malware Compromises Encrypted Communications
A group of hackers, however, is apparently not deterred by these supposed security measures. In a blog post published on Oct. 3, cybersecurity firm Kaspersky reported that in April 2019 it discovered new malware that compromises encrypted communications.
It identified the Russian hacking group Turla as the actor behind these attempts, which involve modifying browsers such as Chrome and Firefox to fingerprint TLS-encrypted web traffic.
The hackers reportedly first infect systems using a remote access trojan, which then modifies the locally installed browsers. They start by installing their own certificates to intercept TLS traffic from the host, and then patch the pseudo-random number generator the browser uses when negotiating TLS connections.
The modification essentially allows the hackers to "fingerprint" their victims regardless of whether HTTPS is used, which in turn lets them passively track encrypted web traffic.
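A patched PRNG that stamps a stable per-victim value into the TLS client random would leave a trace a defender can look for: client randoms from a healthy browser never share long byte runs across sessions, while stamped ones do. The following is an added example, not code from the article or from Kaspersky's report; it extracts the client_random from captured ClientHello records and flags correlated pairs. The VICTIM_TAG value, its offset, and the sample capture are constructed placeholders, and the byte-run heuristic is an assumption for this example, not a published indicator.

```python
import hashlib

# Constructed per-victim tag a patched PRNG might stamp into every client_random (placeholder).
VICTIM_TAG = bytes.fromhex("4b5f7a3e9c01d2e8")

def make_client_hello(random32: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello record around a given client_random (sample only)."""
    body = (b"\x03\x03" + random32   # client_version, random
            + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00" + b"\x00\x00")  # sid, suite, comp, ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def client_random(record: bytes) -> bytes:
    """The 32-byte client_random: 5-byte record header, 4-byte handshake header,
    2-byte version, then bytes 11..42."""
    if len(record) < 43 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return record[11:43]

def longest_shared_run(a: bytes, b: bytes) -> int:
    best = run = 0
    for x, y in zip(a, b):          # longest run of equal bytes at the same offset
        run = run + 1 if x == y else 0
        best = max(best, run)
    return best

def correlated_randoms(records, min_shared=8):
    """Pairs (i, j, run) of sessions whose client_randoms share >= min_shared
    consecutive bytes at one offset (32 = outright repeat). A working PRNG makes this
    vanishingly unlikely; a PRNG patched to stamp a stable identifier produces it."""
    randoms = [client_random(r) for r in records]
    pairs = [(i, j, longest_shared_run(randoms[i], randoms[j]))
             for i in range(len(randoms)) for j in range(i + 1, len(randoms))]
    return [p for p in pairs if p[2] >= min_shared]

def _rand(seed: str) -> bytes:  # deterministic stand-in for a healthy PRNG
    return hashlib.sha256(seed.encode()).digest()

def _stamped(seed: str) -> bytes:  # same, with VICTIM_TAG overwriting bytes 4..11
    r = bytearray(_rand(seed))
    r[4:12] = VICTIM_TAG
    return bytes(r)

# Constructed capture: two healthy sessions, three from a patched browser, one exact replay.
SAMPLES = [make_client_hello(r) for r in (
    _rand("healthy-1"), _rand("healthy-2"), _stamped("patched-1"),
    _stamped("patched-2"), _stamped("patched-3"), _stamped("patched-1"))]
```

Run over a real capture, every flagged pair pointing at the same host is worth correlating with a check of that host's trust store for an unexpected root certificate.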
"Analysis of the malware allowed us to confirm that the operators have some control over the target's network channel and could replace legitimate installers with infected ones on the fly. That places the actor in a very exclusive club, with capabilities that few other actors in the world have," Kaspersky revealed in a blog post.
Malware Could Be Snooping On Political Targets And Dissidents
It also appears that the hackers did not make the modifications to break the encryption on the websites. Security experts think they were done to serve surveillance purposes.
The intended targets of the malware are located in Russia and Belarus, where it could be spying on political targets and dissidents. The hacking group Turla is believed to be working under the protection of the Russian government.