Regin malware (also known as Prax or QWERTY) consists of a trojan and a backdoor that can be extensively customized to fit the target. The platform excels at remaining undetected and at obscuring its indicators of compromise. Regin is a modular platform, reminiscent of Flame, Duqu, and Stuxnet.

The Regin backdoor is a five-stage modular component, and every stage after the first is hidden and encrypted. After each stage is successfully installed, the next stage is decrypted and installed; each piece reveals as little as possible about the component as a whole, and if any stage fails, the installation terminates.

The flexibility of the Regin platform means that the actor can tailor the payload to the target. Consequently, dozens of Regin payloads have been discovered, and many more likely remain known only to the actor. In general, the platform features several remote access trojans (RATs) and tools to capture screenshots, log keystrokes, monitor network traffic, steal credentials, recover deleted files, and hijack the point-and-click functions of the mouse. According to Symantec, advanced payloads also included a “Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base controllers.” The platform also features anti-forensic capabilities, a custom-built encrypted virtual file system (EVFS), and RC5 encryption. Communication with the C&C servers occurs over ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocols.
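Two of the command-and-control channels named above, ICMP echo traffic and HTTP cookies, are ordinary protocols that a defender cannot simply block, so triage has to look at what is carried inside them. The following is an added example, not code from the page or from any published Regin analysis: it runs two simple heuristics over constructed flow records, flagging ICMP echo payloads that are neither a stock ping pattern nor a stock ping size, and cookie values long and random-looking enough to be carrying an encoded blob. The thresholds, the allowlisted ping payload sizes, the Windows ping pattern check, the record layout and all sample data are assumptions for illustration.

```python
"""Heuristic triage of ICMP-echo and HTTP-cookie records for covert-channel use.

Added example (not the page's own material). Thresholds, allowlists and
sample records are assumptions and should be tuned to a real environment.
"""
import math
from collections import Counter

# Assumption: tunable thresholds. Entropy is in bits per byte; readable text
# rarely exceeds ~4.5, while compressed or encrypted data approaches 8.
ENTROPY_THRESHOLD = 5.0
MIN_COOKIE_VALUE_LEN = 64

# Assumption: echo payload sizes and the exact payload produced by common ping
# tools (Windows ping sends 32 bytes of ascending letters; many Unix pings 56).
TYPICAL_PING_PAYLOAD_SIZES = {32, 56, 64}
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_cookie_header(header: str) -> list[tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def icmp_reasons(payload: bytes) -> list[str]:
    """Reasons an ICMP echo payload looks unlike a stock ping; empty if none."""
    if payload == WINDOWS_PING_PAYLOAD:  # exact match with a known-benign pattern
        return []
    reasons = []
    if len(payload) not in TYPICAL_PING_PAYLOAD_SIZES:
        reasons.append(f"atypical echo payload length {len(payload)}")
    ent = shannon_entropy(payload)
    if ent > ENTROPY_THRESHOLD:
        reasons.append(f"high payload entropy {ent:.2f} bits/byte")
    return reasons


def cookie_reasons(header: str) -> list[str]:
    """Cookie values that are both long and high-entropy, per cookie name."""
    reasons = []
    for name, value in parse_cookie_header(header):
        ent = shannon_entropy(value.encode())
        if len(value) >= MIN_COOKIE_VALUE_LEN and ent > ENTROPY_THRESHOLD:
            reasons.append(f"cookie {name!r}: {len(value)} chars, entropy {ent:.2f}")
    return reasons


def triage(records: list[dict]) -> list[dict]:
    """Return only the records with findings, each annotated with its reasons."""
    hits = []
    for rec in records:
        if rec["proto"] == "icmp":
            reasons = icmp_reasons(rec["payload"])
        elif rec["proto"] == "http":
            reasons = cookie_reasons(rec.get("cookie", ""))
        else:
            reasons = []
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


# Constructed sample records (not captured traffic). The "random-looking" cookie
# value is 64 distinct characters, so its entropy is exactly 6 bits per byte.
RANDOM_LOOKING = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SAMPLE_RECORDS = [
    {"proto": "icmp", "src": "10.0.0.5", "dst": "198.51.100.9", "payload": WINDOWS_PING_PAYLOAD},
    {"proto": "icmp", "src": "10.0.0.6", "dst": "198.51.100.9", "payload": bytes(range(128))},
    {"proto": "http", "src": "10.0.0.7", "dst": "198.51.100.9", "cookie": "sessionid=abc123; theme=dark"},
    {"proto": "http", "src": "10.0.0.8", "dst": "198.51.100.9", "cookie": "sessionid=abc123; cf=" + RANDOM_LOOKING},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit["proto"], hit["src"], "->", hit["dst"], "|", "; ".join(hit["reasons"]))
```

Only the second ICMP record and the second HTTP record are reported. The allowlist is deliberately small: a Unix ping with its default timestamp-plus-counter payload will score above the entropy threshold, so in practice the known-benign patterns and sizes must be extended from a baseline of the environment's own hosts before the entropy rule is trusted.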