The Regin Espionage Toolkit [REGIN MALWARE]

Journalists are calling it the worlds most advanced malware example. But before we jump to conclusions, let take a deeper look at some resources which have been provided to the public.

TITLE  The Regin Espionage Toolkit
DATE  Sunday, November 23, 2014
AUTHOR  F-Secure
PAYWALL  No
LINK  https://www.f-secure.com/weblog/archives/00002766.html
DOWNLOAD  
TAGS  regin

Infection vector and payloads
The infection vector varies among targets and no reproducible vector had been found at the time of writing. Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites and the threat may be installed through a Web browser or by exploiting an application. On one computer, log files showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.

Regin uses a modular approach, giving flexibility to the threat operators as they can load custom features tailored to individual targets when required. Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors, further evidence of the level of resources available to Regin’s authors.

ss_regin

There are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.

More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.

Stealth
Regin’s developers put considerable effort into making it highly inconspicuous. Its low key nature means it can potentially be used in espionage campaigns lasting several years. Even when its presence is detected, it is very difficult to ascertain what it is doing. Symantec was only able to analyze the payloads after it decrypted sample files.

regin_ss

It has several “stealth” features. These include anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.

Regin malware sample

This were the results:

In the link above, you will see the download link which was provided by Omerta Information Security. The link will allow you to download the Regin Malware sample.

In the link above you will find the Virustotal scan report. We scanned the Regin.zip folder to see if the zipfile contained any malicious codes.

The virustotal report will show you the following family names:

  • W32/Trojan.UYIE-8376
  • W32/Regin.C
  • Trojan.Win32.Agent.hbdpc

The scan was performed on 2014-11-24 and the malware sample was only detected by 3/55 antivirus companies.

Pictures used from the Symantec report on Regin.