Regin Espionage Malware: A Closer LookAPT Analysis Reveals Simple Components
Security researchers at anti-virus vendor Kaspersky Lab have released more information about two of the modules associated with the Regin malware, which many believe to be a surveillance tool designed to conduct espionage (see Regin Espionage Malware: 8 Key Issues).
See Also: Rethinking Endpoint Security
The identity of Regin's creators or users has yet to be proven. But whoever built the malware appears to have inadvertently left some clues. "With high-profile threats like Regin, mistakes are incredibly rare. However, when it comes to humans writing code, some mistakes are inevitable," Kaspersky Lab information security researchers Costin Raiu and Igor Soumenkov say in a blog post. "Among the most interesting things we observed in the Regin malware operation were the forgotten codenames for some of its modules."
But details on Regin attacks remain scarce. In a November 2014 report, Symantec said it had seen fewer than 100 related attacks to date, largely focused on Russia and Saudi Arabia. Kaspersky Lab, meanwhile, counted 27 victims - including some unnamed, large entities or networks - across 14 countries, including Afghanistan, Belgium, Germany, India, Pakistan, Russia and Syria.
Whoever built Regin also appears to have been engaged in related efforts for some time. While security researchers had previously traced back samples of the malware recovered in the wild to 2008, at least one of the related malware modules - which also works in stand-alone mode - appears to have been first compiled in 2003, according to Kaspersky
The codenames recovered by Kaspersky - which include "Hopscotch," "Legspin" and "Willischeck" - may offer clues about Regin's builders. Virus Bulletin editor and security researcher Martijn Grooten has noted via Twitter: "'Leg spin' is a cricket term. In case you want to speculate whether NSA or GCHQ is behind #Regin." Some U.K. commentators have also noted that Willis may well refer to a famous British cricket player - turned commentator - named Bob Willis.
Many security experts have suggested that the United States and the United Kingdom - which are part of the Five Eyes surveillance intelligence alliance - may have collaborated to build Regin. Multiple news reports have also tied the malware to the hack of Belgian telecommunications firm Belgacom, as well as the European Parliament, and some reports suggest those attacks were the work of the U.S. National Security Agency and the UK's GCHQ intelligence agency (see Espionage Malware Alert Sounded).
Information about Regin first became public when Symantec released its November 2014 report, which offered the first-ever detailed technical analysis of the malware. "Regin bears the hallmarks of a state-sponsored operation and is likely used as an espionage and surveillance tool by intelligence agencies," Symantec said.
Having three reports into an advanced espionage tool appear in such little time, for an APT campaign that appeared to have been operating for at least eight years, led some security experts to question the anti-virus vendors' timing (see AV Firms Defend Regin Alert Timing). But all three firms have defended the timing of the release of their reports, saying that it took substantial effort to identify and then analyze the APT. Researchers added that they didn't even begin paying close attention to Regin - which was designed to escape detection - until they recovered a more advanced version in 2013.
Security researchers named Regin for its ability to load attack modules in the registry of an infected PC. Various modules - most of which do not work as stand-alone tools - can be used to provide attackers with full, remote access to a system, as well as steal passwords and sniff network traffic, including for GSM network base stations, among other features. Symantec says that modular design recalls the Flame and Weevil targeted cyberespionage tools, while the "multi-stage loading architecture" resembles the Duqu and Stuxnet malware, which are designed to analyze or attack industrial control systems.
When analyzing the Hopscotch and Legspin modules, however, Kaspersky Lab found that both are somewhat basic tools, although this might also relate to their age. "Despite the overall sophistication - and sometimes even over-engineering - of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators," they say. "What makes them interesting is the fact [that] they were developed many years ago and could even have been created before the Regin platform itself."
The Hopscotch module recovered by Kaspersky Lab, for example, was compiled in 2006 and designed to work on its own. The module gives attackers the ability to move laterally - from system to system - inside a network that they have already penetrated. "It does not contain any exploits but instead relies on previously acquired credentials to authenticate itself at the remote machine, using standard APIs," Kaspersky Lab says. The module also offers two-way encrypted communications between an infected system and command-and-control servers.
The Legspin module, meanwhile, "was also developed as a stand-alone command line utility for computer administration," the researchers note. "When run remotely, it becomes a powerful backdoor" that allows an attacker to directly access the operating system and its features via the command line.
The version of the Legspin module recovered by Kaspersky appears to have been compiled in 2003, and uses some Windows functions that were introduced with Windows 2000, which were dropped in Windows Vista, which was offered at the end of 2006.