Regin

For the past two years, researchers at Kaspersky Lab have been tracking one of the most elusive pieces of malware seen anywhere in the world, called "Regin". From time to time, samples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in functionality and lacking context. It is unknown exactly when the first samples of Regin were created; some of them have timestamps dating back to 2003.

The victims of Regin fall into the following categories:

  • Telecom operators
  • Government institutions
  • Multi-national political bodies
  • Financial institutions
  • Research institutions
  • Individuals involved in advanced mathematical/cryptographical research

So far, two main objectives have been observed from the attackers:

  • Intelligence gathering
  • Facilitating other types of attacks

While in most cases, the attackers were focused on extracting sensitive information, such as e-mails and documents, there were cases where the attackers compromised telecom operators to enable the launch of additional sophisticated attacks. 

Perhaps one of the most publicly known victims of Regin is Jean-Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced that he had been the victim of a sophisticated cyber intrusion. Samples from the Quisquater case confirmed that they belong to the Regin platform.

Another interesting victim of Regin is a computer we are calling "The Magnet of Threats". This computer belongs to a research institution and has been attacked by Turla, Mask/Careto, Regin, Itaduke, Animal Farm and some other advanced threats that do not have a public name, all co-existing happily on the same computer at some point.

The exact method of the initial compromise remains a mystery, although several theories exist, including man-in-the-middle attacks with browser zero-day exploits. For some of the victims, tools and modules designed for lateral movement were observed. So far, no exploits have been encountered. The replication modules are copied to remote computers using Windows administrative shares and then executed. Obviously, this technique requires administrative privileges inside the victim's network. In several cases, the infected machines were also Windows domain controllers. Targeting system administrators via web-based exploits is one simple way of achieving immediate administrative access to the entire network.
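The replication pattern described above (copy a module over an administrative share, then execute it on the remote host) leaves a recognisable trace in Windows Security logs. The following is an added example, not code from the original post or from Kaspersky's report, showing two simple detections over constructed log records: a single source touching admin shares on many hosts in a short window, and a new service appearing on a host shortly after an admin-share access. It uses the real event IDs 5140 (network share object accessed) and 7045 (new service installed) but in a simplified dictionary form; the hostnames, IPs, service names and timestamps are constructed for the example.

```python
"""Detection of admin-share lateral movement (added example; records are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Real 5140/7045 events carry more fields and
# would need to be parsed from EVTX/XML first; these are the fields we use.
SAMPLE_EVENTS = [
    {"ts": "2014-11-24T09:00:00", "event_id": 5140, "host": "WS01", "share": "\\\\*\\ADMIN$", "source_ip": "10.0.0.5"},
    {"ts": "2014-11-24T09:00:10", "event_id": 7045, "host": "WS01", "service": "NetMgmtSvc"},
    {"ts": "2014-11-24T09:00:20", "event_id": 5140, "host": "WS02", "share": "\\\\*\\ADMIN$", "source_ip": "10.0.0.5"},
    {"ts": "2014-11-24T09:00:30", "event_id": 7045, "host": "WS02", "service": "NetMgmtSvc"},
    {"ts": "2014-11-24T09:00:45", "event_id": 5140, "host": "DC01", "share": "\\\\*\\C$", "source_ip": "10.0.0.5"},
    # A single admin-share access from another source: normal administration, not fan-out.
    {"ts": "2014-11-24T09:05:00", "event_id": 5140, "host": "WS03", "share": "\\\\*\\ADMIN$", "source_ip": "10.0.0.9"},
    # An ordinary file share: ignored by both checks.
    {"ts": "2014-11-24T09:06:00", "event_id": 5140, "host": "FS01", "share": "\\\\*\\Public", "source_ip": "10.0.0.9"},
    # A service installed 25 minutes after the last admin-share access: too far apart to pair.
    {"ts": "2014-11-24T09:30:00", "event_id": 7045, "host": "WS03", "service": "PrintSpoolerHelper"},
]


def share_name(raw):
    """Last path component of a 5140 ShareName such as \\*\ADMIN$ -> ADMIN$."""
    return raw.rsplit("\\", 1)[-1].upper()


def is_admin_share(raw):
    """ADMIN$ or a drive-letter share (C$, D$, ...) are the shares used to push files to a host."""
    name = share_name(raw)
    return name == "ADMIN$" or (len(name) == 2 and name[0].isalpha() and name[1] == "$")


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def admin_share_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Sources that accessed admin shares on at least min_hosts distinct hosts within `window`.

    Returns {source_ip: sorted list of hosts}. One source sweeping many hosts is the
    signal for replication over administrative shares; a single access is routine admin work.
    """
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 5140 and is_admin_share(e["share"]):
            by_source[e["source_ip"]].append((parse_ts(e), e["host"]))
    hits = {}
    for src, accesses in by_source.items():
        accesses.sort()
        for i, (t0, _) in enumerate(accesses):  # sliding window starting at each access
            hosts = {h for t, h in accesses[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits


def copy_then_execute(events, max_gap=timedelta(minutes=5)):
    """Pair each 7045 (new service) with the latest admin-share access to the same host
    within max_gap before it. Returns a list of (source_ip, host, service_name)."""
    accesses = [(parse_ts(e), e["host"], e["source_ip"])
                for e in events if e["event_id"] == 5140 and is_admin_share(e["share"])]
    pairs = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        t_svc = parse_ts(e)
        candidates = [(t, src) for t, h, src in accesses
                      if h == e["host"] and timedelta(0) <= t_svc - t <= max_gap]
        if candidates:
            _, src = max(candidates)  # most recent access wins
            pairs.append((src, e["host"], e["service"]))
    return pairs


if __name__ == "__main__":
    print("fan-out:", admin_share_fanout(SAMPLE_EVENTS))
    print("copy-then-execute:", copy_then_execute(SAMPLE_EVENTS))
```

Both thresholds (three hosts in ten minutes, a five-minute gap between share access and service installation) are starting points to tune against a baseline of legitimate software deployment in the environment; domain controllers and deployment servers will legitimately fan out and should be allow-listed by source rather than by loosening the rule.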

In short, Regin is a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote control at all possible levels.

The platform is extremely modular in nature and has multiple stages.

The first stage ("stage 1") is generally the only executable file that will appear on victims' systems. Further stages are stored either directly on the hard drive (for 64-bit systems), as NTFS Extended Attributes, or as registry entries. There are many different stage 1 modules, which have sometimes been merged with public sources to achieve a type of polymorphism, complicating detection.

The second stage has multiple purposes and can remove the Regin infection from the system if instructed to do so by the third stage.

The second stage also creates a marker file that can be used to identify the infected machine. Known filenames for this marker are:

%SYSTEMROOT%\system32\nsreg1.dat
%SYSTEMROOT%\system32\bssec3.dat
%SYSTEMROOT%\system32\msrdc64.dat
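A point-in-time check for these marker files is a cheap first triage step on a suspect host. The following is an added example, not code from the original post, that looks for the three filenames listed above under `%SYSTEMROOT%\system32` (case-insensitively, since NTFS is case-insensitive) and includes a demo that builds a constructed directory tree so the check can be exercised on any platform. A hit is an indicator that warrants a deeper look, not proof on its own, and a clean result does not rule out an infection whose marker was removed.

```python
"""Check for Regin stage 2 marker files (added example; demo tree is constructed)."""
import os
import tempfile

# Marker filenames named in the post; stage 2 writes one of them under %SYSTEMROOT%\system32.
REGIN_MARKER_NAMES = ("nsreg1.dat", "bssec3.dat", "msrdc64.dat")


def find_regin_markers(system_root=None):
    """Return the full paths of any marker files present under <system_root>\\system32.

    When system_root is None, %SYSTEMROOT% is used (falling back to C:\\Windows),
    which is the normal case when running this on the host being examined.
    """
    if system_root is None:
        system_root = os.environ.get("SYSTEMROOT", r"C:\Windows")
    system32 = os.path.join(system_root, "system32")
    if not os.path.isdir(system32):
        return []
    wanted = {name.lower() for name in REGIN_MARKER_NAMES}
    found = []
    with os.scandir(system32) as entries:
        for entry in entries:
            # Match on the lowercased name so a differently cased marker is not missed.
            if entry.is_file() and entry.name.lower() in wanted:
                found.append(entry.path)
    return sorted(found)


def demo():
    """Build a constructed system32 tree with one benign file and one marker;
    returns the basenames of the markers found (expected: ['NSREG1.DAT'])."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(sys32)
        for name in ("kernel32.dll", "NSREG1.DAT"):  # constructed sample files
            open(os.path.join(sys32, name), "wb").close()
        return [os.path.basename(p) for p in find_regin_markers(root)]


if __name__ == "__main__":
    print("demo hits:", demo())
    print("this host:", find_regin_markers())
```

When a marker is found, preserve the file with its timestamps and an NTFS metadata listing (the post notes that later stages can live in Extended Attributes or the registry rather than as ordinary files) before any remediation, since stage 2 can be instructed to remove the infection and the marker with it.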

Stage 3 exists only on 32-bit systems; on 64-bit systems, stage 2 loads the dispatcher directly, skipping the third stage.

Stage 4, the dispatcher, is perhaps the most complex single module of the entire platform. The dispatcher is the user-mode core of the framework. It is loaded directly as the third stage of the 64-bit bootstrap process or extracted and loaded from the VFS as module 50221 as the fourth stage on 32-bit systems.

The dispatcher takes care of the most complicated tasks of the Regin platform, such as providing an API to access virtual file systems, basic communications and storage functions as well as network transport sub-routines. In essence, the dispatcher is the brain that runs the entire platform.
