
Groundbreaking Malware

By: Anupam Tiwari, CEH, CCCSP, PGDIS, GFSU Certified, B.Tech, M.Tech

Till now. Reveals. Ahead.

What REGIN is all about?

Sophisticated malware.

Revealed by Kaspersky Lab and Symantec in November 2014.

Targets specific users of Microsoft Windows-based computers.

Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003.

A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance, and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.

Telecom Operators

Research Institutions

Individuals involved in advanced mathematical/cryptographic research

Government Institutions

Multinational political bodies

Financial institutions

Main Objectives

Intelligence Gathering

Facilitating other types of Attacks

Initial Compromise & Lateral Movement

The exact method used for the initial compromise remains a mystery, although several theories exist, including use of man-in-the-middle attacks with browser zero-day exploits.

The replication modules are copied to remote computers using Windows administrative shares and then executed. This requires administrative privileges inside the victim's network.

The REGIN Platform

Although to date REGIN is being referred to as the REGIN malware, it is not entirely accurate to use the term malware. REGIN is more of a cyber attack platform, which the attackers deploy in victim networks for total remote control at all levels.

The REGIN Stages

REGIN Platform Diagram

REGIN is encrypted in multiple stages, making it hard to know what's happening unless captured in every stage. It even has tools to fight forensics, and it can use alternative encryption in a pinch.

Researchers at Symantec suspect that the Trojan is a government-created surveillance tool, since it likely took "months, if not years" to create.


Symantec Security Response has not obtained the Regin dropper at the time of writing. Once the dropper is executed on the target's computer, it will install and execute Stage 1. It's likely that Stage 0 is responsible for setting up various extended attributes and/or registry keys and values that hold encoded versions of stages 2, 3, and potentially stages 4 and onwards.

Stage 1 is the initial load point for the threat. Stage 1 simply reads and executes Stage 2 from a set of NTFS extended attributes. If no extended attributes are found, Stage 2 is executed from a set of registry keys.

Stage 2 is a kernel driver that simply extracts, installs and runs Stage 3. Stage 2 is not stored in the traditional file system, but is encrypted within an extended attribute or a registry key blob.

Stage 3 is a kernel mode DLL and is not stored in the traditional file system. Instead, this file is encrypted within an extended attribute or registry key blob.
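Stages 1 to 3 hide their code in NTFS extended attributes rather than in ordinary files, so a forensic triage of a disk image needs to look inside the $EA attribute of every file. The script below is an added example, not part of this presentation or of any vendor report: it parses a raw $EA attribute blob, which uses the same FILE_FULL_EA_INFORMATION entry layout that the Windows EA query APIs return, and flags entries whose value is both large and high-entropy, the shape an encrypted embedded stage would have. The sample blob, the EA names SAMPLE.SMALL and SAMPLE.HIDDEN, and the size and entropy thresholds are all constructed for this example.

```python
import math
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Layout of one FILE_FULL_EA_INFORMATION entry (little-endian), which is also
# the on-disk format of the content of an NTFS $EA attribute:
#   ULONG  NextEntryOffset   offset from this entry to the next one, 0 for the last
#   UCHAR  Flags
#   UCHAR  EaNameLength      length of EaName, not counting the terminating NUL
#   USHORT EaValueLength     length of EaValue in bytes
#   CHAR   EaName[EaNameLength + 1]
#   UCHAR  EaValue[EaValueLength]
# Entries are padded so that each one starts on a 4-byte boundary.
_HEADER = struct.Struct("<IBBH")


@dataclass
class EaEntry:
    name: str
    flags: int
    value: bytes


def parse_ea_blob(blob: bytes) -> List[EaEntry]:
    """Walk the chained entries of a raw $EA blob and return them in order."""
    entries: List[EaEntry] = []
    offset = 0
    while offset + _HEADER.size <= len(blob):
        next_off, flags, name_len, value_len = _HEADER.unpack_from(blob, offset)
        name_start = offset + _HEADER.size
        value_start = name_start + name_len + 1          # skip the NUL after the name
        if value_start + value_len > len(blob):
            raise ValueError(f"truncated EA entry at offset {offset}")
        name = blob[name_start:name_start + name_len].decode("ascii", "replace")
        entries.append(EaEntry(name, flags, blob[value_start:value_start + value_len]))
        if next_off == 0:                                # last entry in the chain
            break
        if next_off < _HEADER.size:                      # refuse to loop on a bad offset
            raise ValueError(f"bad NextEntryOffset {next_off} at offset {offset}")
        offset += next_off
    return entries


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def suspicious_entries(entries: List[EaEntry], min_size: int = 512,
                       min_entropy: float = 7.0) -> List[EaEntry]:
    """Triage heuristic (thresholds are assumptions): EAs normally carry small
    metadata, so a large, high-entropy value is worth a closer look."""
    return [e for e in entries
            if len(e.value) >= min_size and shannon_entropy(e.value) >= min_entropy]


def build_ea_blob(items: List[Tuple[str, bytes]]) -> bytes:
    """Serialize (name, value) pairs in the $EA layout; used to construct sample input."""
    out = b""
    for i, (name, value) in enumerate(items):
        body = name.encode("ascii") + b"\x00" + value
        raw_len = _HEADER.size + len(body)
        padded = (raw_len + 3) & ~3                      # 4-byte alignment of the next entry
        next_off = 0 if i == len(items) - 1 else padded
        out += _HEADER.pack(next_off, 0, len(name), len(value)) + body
        out += b"\x00" * (padded - raw_len)
    return out


# Constructed sample: one ordinary small EA and one 1024-byte value whose byte
# distribution is flat (entropy exactly 8.0), standing in for an encrypted stage.
SAMPLE_EA_BLOB = build_ea_blob([
    ("SAMPLE.SMALL", b"ok"),
    ("SAMPLE.HIDDEN", bytes(range(256)) * 4),
])

if __name__ == "__main__":
    parsed = parse_ea_blob(SAMPLE_EA_BLOB)
    for e in parsed:
        print(f"{e.name:16} {len(e.value):6d} bytes  entropy={shannon_entropy(e.value):.2f}")
    print("suspicious:", [e.name for e in suspicious_entries(parsed)])
```

On a real image the blob would come from the $EA attribute of each MFT record (any NTFS parser that exposes raw attributes can supply it); a registry-key fallback like the one the deck describes for Stage 2 would need the same size-and-entropy check applied to binary values under the keys the dropper created.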

The files for Stage 4, which are loaded by Stage 3, consist of a user-mode orchestrator and multiple kernel payload modules.

Stage 5 consists of the main payload functionality. The files for Stage 5 are injected into services.exe by Stage 4.

REGIN GSM Targeting

The most interesting aspect found so far regarding REGIN relates to an infection of a large GSM operator. One VFS encrypted entry located had internal id 50049.2, and appears to be an activity log on a GSM Base Station Controller.

REGIN Payloads

Here's a look at the decoded REGIN GSM activity log:

The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts:
sed[snip]:Alla[snip]
hed[snip]:Bag[snip]
oss:New[snip]
administrator:Adm[snip]

REGIN Communication & C&C

The C&C mechanism implemented in REGIN is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks. Most victims communicate with another machine in their own internal network through various protocols as specified in the config file.

After decoding all the configurations collected, the following external C&Cs were identified:

All the victims identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, an educational institution network and a bank. These victims are all interconnected with each other. One of the victims contains a Translation Drone, which has the ability to forward packets outside the country, to the C&C in India.

REGIN Victims

Global Distribution

Contact me:

anupam605@gmail.com
http://about.me/anupam.tiwari
https://www.youtube.com/user/anupam50/videos
