I don’t commonly reblog or post others post inward here. But this is something EVERYONE should live aware of.
An advanced slice of malware, known equally Regin Malware, has been used inward systematic spying campaigns against a attain of international targets since at to the lowest degree 2008. H5N1 dorsum door-type Trojan, Regin Malware is a complex slice of malware whose construction displays a grade of technical competence rarely seen. Customizable with an extensive attain of capabilities depending on the target, it provides its controllers with a powerful framework for volume surveillance too has been used inward spying operations against authorities organizations, infrastructure operators, businesses, researchers, too private individuals.
It is probable that its evolution took months, if non years, to consummate too its authors direct maintain gone to dandy lengths to encompass its tracks. Its capabilities too the bird of resources behind Regin Malware signal that it is ane of the primary cyberespionage tools used past times a acre state.
It’s unknown precisely when the commencement samples of Regin Malware were created. Some of them direct maintain timestamps dating dorsum to 2003.
The victims of Regin Malware autumn into the next categories:
- Telecom operators
- Government institutions
- Multi-national political bodies
- Financial institutions
- Research institutions
- Individuals involved inward advanced mathematical/cryptographical research
So far, we’ve observed 2 primary objectives from the attackers:
- Intelligence gathering
- Facilitating other types of attacks
While inward most cases, the attackers were focused on extracting sensitive information, such equally e-mails too documents, nosotros direct maintain observed cases where the attackers compromised telecom operators to enable the launch of additional sophisticated attacks. More almost this inward the GSM Targeting section below.
Perhaps ane of the most publicly known victims of Regin Malware is Jean Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In Feb 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater representative too confirm they belong to the Regin Malware platform.
Another interesting victim of Regin Malware is a reckoner nosotros are calling “The Magnet of Threats“. This reckoner belongs to a question establishment too has been attacked past times Turla, Mask/Careto, Regin Malware, Itaduke, Animal Farm too some other advanced threats that practice non direct maintain a populace name, all co-existing happily on the same reckoner at some point.
Initial compromise too lateral movement
The exact method of the initial compromise remains a mystery, although several theories exist, which include man-in-the-middle attacks with browser zero-day exploits. For some of the victims, nosotros observed tools too modules designed for lateral movement. So far, nosotros direct maintain non encountered whatever exploits. The replication modules are copied to remote computers past times using Windows administrative shares too thus executed. Obviously, this technique requires administrative privileges within the victim’s network. In several cases, the infected machines were also Windows domain controllers. Targeting of scheme administrators via web-based exploits is ane unproblematic way of achieving immediate administrative access to the entire network.
The Regin Malware platform
In short, Regin Malware is a cyber-attack platform which the attackers deploy inward the victim networks for ultimate remote command at all possible levels.
The platform is extremely modular inward nature too has multiple stages.
The instant phase has multiple purposes too tin take the Regin Malware infection from the scheme if instructed thus past times the 3rd stage.
The instant phase also creates a marking file that tin live used to position the infected machine. Known filenames for this marking are:
- %SYSTEMROOT%\system32\nsreg1.dat
- %SYSTEMROOT%\system32\bssec3.dat
- %SYSTEMROOT%\system32\msrdc64.dat
Stage 3 exists exclusively on 32 fleck systems – on 64 fleck systems, phase 2 loads the dispatcher directly, skipping the 3rd stage.
Stage 4, the dispatcher, is mayhap the most complex unmarried module of the entire platform. The dispatcher is the user-mode marrow of the framework. It is loaded straight equally the 3rd phase of the 64-bit bootstrap procedure or extracted too loaded from the VFS equally module 50221 as the 4th phase on 32-bit systems.
The dispatcher takes tending of the most complicated tasks of the Regin Malware platform, such equally providing an API to access virtual file systems, basic communications too storage functions equally good equally network carry sub-routines. In essence, the dispatcher is the encephalon that runs the entire platform.
A thorough description of all malware stages tin live flora inward our total technical paper.
As outlined inward a novel technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat too each phase is hidden too encrypted, with the exception of the commencement stage. Executing the commencement phase starts a domino chain of decryption too loading of each subsequent phase for a total of 5 stages. Each private phase provides piffling information on the consummate package. Only past times acquiring all 5 stages is it possible to analyze too empathize the threat.
Figure: Regin Malware’s 5 stages
Regin Malware also uses a modular approach, allowing it to charge custom features tailored to the target. This modular approach has been seen inward other sophisticated malware families such equally Flamer too Weevil (The Mask), patch the multi-stage loading architecture is similar to that seen inward the Duqu/Stuxnet household unit of measurement of threats.
Virtual File Systems (32/64-bit)
The most interesting code from the Regin Malware platform is stored inward encrypted file storages, known equally Virtual File Systems (VFSes).
During our analysis nosotros were able to obtain 24 VFSes, from multiple victims or thus the world. Generally, these direct maintain random names too tin live located inward several places inward the infected system. For a total list, including format of the Regin Malware VFSes, reckon our technical paper.
Unusual modules too artifacts
With high-end APT groups such equally the ane behind Regin, mistakes are really rare. Nevertheless, they practice happen. Some of the VFSes nosotros analyzed incorporate words which look to live the respective codenames of the modules deployed on the victim:
- legspinv2.6 too LEGSPINv2.6
- WILLISCHECKv2.0
- HOPSCOTCH
Another module nosotros found, which is a plugin type 55001.0 references some other codename, which is U_STARBUCKS:
GSM Targeting
The most interesting human face nosotros flora thus far almost Regin Malware is related to an infection of a large GSM operator. One VFS encrypted entry nosotros located had internal id 50049.2 too appears to live an activity log on a GSM Base Station Controller.
From https://en.wikipedia.org/wiki/Base_station_subsystem
According to the GSM documentation (http://www.telecomabc.com/b/bsc.html): “The Base Station Controller (BSC) is inward command of too supervises a number of Base Transceiver Stations (BTS). The BSC is responsible for the allotment of radio resources to a mobile telephone phone too for the handovers that are made betwixt base of operations stations nether his control. Other handovers are nether command of the MSC.”
Here’s a await at the decoded Regin Malware GSM activity log:
This log is almost 70KB inward size too contains hundreds of entries similar the ones above. It also includes timestamps which signal precisely when the command was executed.
The entries inward the log look to incorporate Ericsson OSS MML (Man-Machine Language equally defined past times ITU-T) commands.
Here’s a listing of some commands issued on the Base Station Controller, together with some of their timestamps:
1 2 3 4 5 6 7 8 9 10 11 12 13 | 2008–04–25 11:12:14: rxmop:moty=rxotrx; 2008–04–25 11:58:16: rxmsp:moty=rxotrx; 2008–04–25 14:37:05: rlcrp:cell=all; 2008–04–26 04:48:54: rxble:mo=rxocf–170,subord; 2008–04–26 06:16:22: rxtcp:MOty=RXOtg,cell=kst022a; 2008–04–26 10:06:03: IOSTP; 2008–04–27 03:31:57: rlstc:cell=pty013c,state=active; 2008–04–27 06:07:43: allip:acl=a2; 2008–04–28 06:27:55: dtstp:DIP=264rbl2; 2008–05–02 01:46:02: rlstp:cell=all,state=halted; 2008–05–08 06:12:48: rlmfc:cell=NGR035W,mbcchno=83&512&93&90&514&522,listtype=active; 2008–05–08 07:33:12: rlnri:cell=NGR058y,cellr=ngr058x; 2008–05–12 17:28:29: rrtpp:trapool=all; |
Descriptions for the commands:
- rxmop – banking concern fit software version type;
- rxmsp – listing electrical flow telephone phone forwarding settings of the Mobile Station;
- rlcrp – listing off telephone phone forwarding settings for the Base Station Controller;
- rxble – enable (unblock) telephone phone forwarding;
- rxtcp – demo the Transceiver Group of exceptional cell;
- allip – demo external alarm;
- dtstp – demo DIgital Path (DIP) settings (DIP is the call of the business office used for supervision of the connected PCM (Pulse Code Modulation) lines);
- rlstc – activate cell(s) inward the GSM network;
- rlstp – halt cell(s) inward the GSM network;
- rlmfc – add together frequencies to the active broadcast command channel allotment list;
- rlnri – add together jail cellular telephone neightbour;
- rrtpp – demo radio transmission transcoder puddle details;
The log seems to incorporate non exclusively the executed commands but also usernames too passwords of some applied scientific discipline accounts:
sed[snip]:Alla[snip]
hed[snip]:Bag[snip]
oss:New[snip]
administrator:Adm[snip]
nss1:Eric[snip]
In total, the log indicates that commands were executed on 136 unlike cells. Some of the jail cellular telephone names include “prn021a, gzn010a, wdk004, kbl027a, etc…“. The command log nosotros obtained covers a catamenia of almost ane month, from Apr 25, 2008 through May 27, 2008. It is unknown why the commands stopped inward May 2008 though; mayhap the infection was removed or the attackers achieved their objective too moved on. Another explanation is that the attackers improved or changed the malware to halt saving logs locally too that’s why exclusively some older logs were discovered.
Communication too C&C
The C&C machinery implemented inward Regin Malware is extremely sophisticated too relies on communication drones deployed past times the attackers throughout the victim networks. Most victims communicate with some other machine inward their ain internal network, through various protocols, equally specified inward the config file. These include HTTP too Windows network pipes. The purpose of such a complex infrastructure is to attain 2 goals: give attackers access deep into the network, potentially bypassing air gaps too trammel equally much equally possible the traffic to the C&C.
Here’s a await at the decoded configurations:
1 2 3 4 5 | 17.3.40.101 transport 50037 0 0 y.y.y.5:80 ; transport 50051 217.y.y.yt:443 17.3.40.93 transport 50035 217.x.x.x:443 ; transport 50035 217.x.x.x:443 50.103.14.80 transport 27 203.199.89.80 ; transport 50035 194.z.z.z:8080 51.9.1.3 transport 50035 192.168.3.3:445 ; transport 50035 192.168.3.3:9322 18.159.0.1 transport 50271 DC ; transport 50271 DC |
In the higher upwards table, nosotros reckon configurations extracted from several victims that twosome together infected machines inward what appears to live virtual networks: 17.3.40.x, 50.103.14.x, 51.9.1.x, 18.159.0.x. One of these routes reaches out to the “external” C&C server at 203.199.89.80.
The numbers correct after the “transport” signal the plugin that handles the communication. These are inward our case:
- 27 – ICMP network listener using raw sockets
- 50035 – Winsock-based network transport
- 50037 – Network carry over HTTP
- 50051 – Network carry over HTTPS
- 50271 – Network carry over SMB (named pipes)
The machines located on the edge of the network human activity equally routers, effectively connecting victims from within the network with C&Cs on the internet.
After decoding all the configurations we’ve collected, nosotros were able to position the next external C&Cs.
| C&C server IP | Location | Description |
| 61.67.114.73 | Taiwan, Province Of China Taichung | Chwbn |
| 202.71.144.113 | India, Chetput | Chennai Network Operations (team-m.co) |
| 203.199.89.80 | India, Thane | Internet Service Provider |
| 194.183.237.145 | Belgium, Brussels | Perceval S.a. |
One exceptional representative includes a solid reason inward the Middle East. This representative was mind-blowing thus nosotros idea it’s of import to introduce it. In this specific country, all the victims nosotros identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president’s office, a research center, educational establishment network too a bank.
These victims spread across the solid reason are all interconnected to each other. One of the victims contains a translation drone which has the powerfulness to forrad the packets exterior of the country, to the C&C inward India.
This represents a rather interesting command-and-control mechanism, which is guaranteed to heighten really piffling suspicions. For instance, if all commands to the president’s business office are sent through the bank’s network, thus all the malicious traffic visible for the president’s business office sysadmins volition live exclusively with the bank, inward the same country.
Victim Statistics
Over the past times 2 years, nosotros collected statistics almost the attacks too victims of Regin Malware. These were aided past times the fact that fifty-fifty after the malware is uninstalled, sure enough artifacts are left behind which tin assist position an infected (but cleaned) system. For instance, we’ve seen several cases where the systems were cleaned but the “msrdc64.dat” infection marking was left behind.
So far, victims of Regin Malware were identified inward 14 countries:
- Algeria
- Afghanistan
- Belgium
- Brazil
- Fiji
- Germany
- Iran
- India
- Indonesia
- Kiribati
- Malaysia
- Pakistan
- Russia
- Syria
In total, nosotros counted 27 unlike victims, although it should live pointed out that the Definition of a victim hither refers to a total entity, including their entire network. The number of unique PCs infected with Regin Malware is of course of study much, much higher.
From the map above, Fiji and Kiribati are unusual, because nosotros rarely reckon such advanced malware inward such remote, minor countries. In particular, the victim inward Republic of Kiribati is most unusual. To position this into context, Republic of Kiribati is a minor isle inward the Pacific, with a population or thus 100,000.
Attribution
Considering the complexity too terms of Regin Malware development, it is probable that this performance is supported past times a nation-state. While attribution remains a really hard employment when it comes to professional person attackers such equally those behind Regin Malware, sure enough metadata extracted from the samples mightiness however live relevant.
As this information could live easily altered past times the developers, it’s upwards to the reader to effort to interpret this: equally an intentional fake flag or a non-critical indicator left past times the developers.
Timeline too target profile
Regin Malware infections direct maintain been observed inward a diversity of organizations betwixt 2008 too 2011, after which it was abruptly withdrawn. H5N1 novel version of the malware resurfaced from 2013 onwards. Targets include private companies, authorities entities too question institutes. Almost one-half of all infections targeted private individuals too minor businesses. Attacks on telecoms companies look to live designed to gain access to calls existence routed through their infrastructure.
Figure: Confirmed Regin infections past times sector
Infections are also geographically diverse, having been identified inward mainly inward 10 unlike countries.
Figure: Confirmed Regin Infections past times country
Infection vector too payloads
The infection vector varies with targets too no reproducible vector had been flora at the fourth dimension of writing. Symantec believes that some targets may live tricked into visiting spoofed versions of well-known websites too the threat may live installed through a Web browser or past times exploiting an application. On ane computer, log files showed that Regin Malware originated from Yahoo! Instant Messenger through an unconfirmed exploit.
Regin Malware uses a modular approach, giving flexibility to the threat operators equally they tin charge custom features tailored to private targets when required. Some custom payloads are really advanced too exhibit a high grade of expertise inward specialist sectors, farther evidence of the bird of resources available to Regin’s authors.
There are dozens of Regin Malware payloads. The threat’s measure capabilities include several Remote Access Trojan (RAT) features, such equally capturing screenshots, taking command of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, too recovering deleted files.
More specific too advanced payload modules were also discovered, such equally a Microsoft IIS spider web server traffic monitor too a traffic sniffer of the management of mobile telephone base of operations station controllers.
Stealth
Regin Malware’s developers position considerable effort into making it highly inconspicuous. Its depression fundamental nature way it tin potentially live used inward espionage campaigns lasting several years. Even when its presence is detected, it is really hard to ascertain what it is doing. Symantec was exclusively able to analyze the payloads after it decrypted sample files.
It has several “stealth” features. These include anti-forensics capabilities, a custom-built encrypted virtual file scheme (EVFS), too option encryption inward the cast of a variant of RC5, which isn’t commonly used. Regin Malware uses multiple sophisticated way to covertly communicate with the assailant including via ICMP/ping, embedding commands inward HTTP cookies, too custom TCP too UDP protocols.
Conclusions
Regin Malware is a highly-complex threat which has been used inward systematic information collection or tidings gathering campaigns. The evolution too performance of this malware would direct maintain required a pregnant investment of fourth dimension too resources, indicating that a acre province is responsible. Its pattern makes it highly suited for persistent, long term surveillance operations against targets.
The regain of Regin Malware highlights how pregnant investments proceed to live made into the evolution of tools for utilisation inward tidings gathering. Symantec believes that many components of Regin rest undiscovered too additional functionality too versions may exist. Additional analysis continues too Symantec volition post whatever updates on hereafter discoveries
For to a greater extent than than a decade, a sophisticated grouping known equally Regin Malware has targeted high-profile entities or thus the globe with an advanced malware platform. As far equally nosotros tin tell, the performance is however active, although the malware may direct maintain been upgraded to to a greater extent than sophisticated versions. The most recent sample we’ve seen was from a 64-bit infection. This infection was however active inward the limit of 2014.
The call Regin Malware is manifestly a reversed “In Reg”, brusque for “In Registry”, equally the malware tin shop its modules inward the registry. This call too detections commencement appeared inward anti-malware products or thus March 2011.
From some points of view, the platform reminds us of some other sophisticated malware: Turla. Some similarities include the utilisation of virtual file systems too the deployment of communication drones to twosome networks together. Yet through their implementation, coding methods, plugins, hiding techniques too flexibility, Regin Malware surpasses Turla equally ane of the most sophisticated assault platforms nosotros direct maintain always analysed.
The powerfulness of this grouping to penetrate too monitor GSM networks is mayhap the most odd too interesting human face of these operations. In today’s world, nosotros direct maintain travel also theme on mobile telephone networks which rely on ancient communication protocols with piffling or no safety available for the destination user. Although all GSM networks direct maintain mechanisms embedded which allow entities such equally constabulary enforcement to rails suspects, at that topographic point are other parties which tin gain this powerfulness too farther abuse them to launch other types of attacks against mobile users.
Further reading
- Indicators of compromise for safety administrators too to a greater extent than detailed too technical information tin live flora inward our technical newspaper – Regin: Top-tier espionage tool enables stealthy surveillance
- Full technical newspaper with IOCs.
- Kaspersky products observe modules from the Regin platform as: Trojan.Win32.Regin.gen too Rootkit.Win32.Regin.
Source
- Symantec Official Blog: Regin: Top-tier espionage tool enables stealthy surveillance
- SecureList/Kaspersky Lab: Regin: Nation-state ownage of GSM networks
Protection information
- Symantec too Norton products observe this threat equally Backdoor.Regin.
- More information almost Regin is available to Kaspersky Intelligent Services’ clients. Contact: intelreports@kaspersky.com
Disclaimer:
Date: 20141125:15:05hrs.
This post was taken from Symantec Official Blog too SecureList post equally mentioned inward the sources list. If you lot suspect you lot mightiness live a victim, you lot should contact them straight with equally much technical details equally possible.
