Regin – the ‘New Stuxnet’ state sponsored espionage toolMass EspionageRegin the equivalent of Stuxnet and DuquTechnical aspects‘Regin’ targeted GSM Networks
Mass Espionage
Symantec malware reversers found attackers have foisted Regin on targets using mixed attack vectors including one unconfirmed zero-day in Yahoo! Messenger. “Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen,” Symantec’s researchers wrote. The below chart depicts the targets of the spyware :
Researchers have refrained from naming any country as being behind this spyware. Although they did confirm that a majority of its targets resided in Russia and Saudi Arabia and were targeted between 2008 and 2011, with a since-decommissioned version of the malware that re-surfaced after 2013. “Its design makes it highly suited for persistent, long term surveillance operations against targets,” the researchers wrote.
Regin the equivalent of Stuxnet and Duqu
The highly-complex malware was comparable only to Stuxnet and Duqu, researchers said in the report Regin: Top-tier espionage tool and many of its elements were undiscovered. Reign has the capability to add to its spyware with remote access trojans to swipe keystrokes and screenshots, tools to nab information on processes and memory utilization, and others to recover deleted files. Specialist modules were found monitoring Microsoft Internet Information Services network traffic, parsing mail from Exchange databases, and collecting administration traffic for mobile base station controllers. Regin’s talented authors encrypted data blobs after the stage one vector. The stage zero dropper probably responsible for setting extended attributes and registry keys that held encoded data of subsequent stages was not found. There are also seperate version for 32 bit and 64bit machines.
Technical aspects
As already reported, it’s one of the more complex pieces of malware around, and just like many of the other toolkits it also has a long history behind it. We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe. The server had shown symptoms of trouble, as it had been occasionally crashing with the infamous Blue Screen of Death. A driver with an innocuous name of “pciclass.sys” seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin. Symantec researchers noticed the following registry keys being used for the next stage payload: The following folders containing an NTFS Extended Attribute with the name “_” have also been seen to store the next stage payload, which can actually be split between two different attributes: A final word by researchers is that, although it is next to impossible to determine for sure the origins of a malware in which the creators have put in so much effort to hide their tracks, a few believe that the source has a low possibility of being China or Russia and probably being from a more developed nation from western hemisphere.
‘Regin’ targeted GSM Networks
The layers of the Regin cyber-attack platform are just beginning to be pulled back. One of those layers gives attackers the means to penetrate and monitor GSM base station controllers. Kaspersky researchers have noticed that Regin had targeted GSM networks also. During its investigation, Kaspersky Lab examined the activity log of a GSM base station controller and discovered that attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator. Kaspersky researches state that this could mean the authors/creators of Regin had complete access to the GSM network and information about what calls are being processed by a particular cell, redirect those calls to other cells, activate neighbor cells and perform other offensive actions. According to Kaspersky Lab, no other attacks are known to have been capable of those types of operations. You can read the White Paper published by Kaspersky Lab here.