Regin, an old but sophisticated cyber espionage toolkit platform
Malware can be named in one breath with Stuxnet & Co.
As G DATA experts worked on this rootkit for quite a while we also gathered some data. The first Regin version we identified was used in March 2009 and the compilation date is July 2008:
paul@gdata:~/regin$ ./pescanner.py b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
Meta-data
================================================================================
File: b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047
Size: 12608 bytes
Type: PE32 executable (native) Intel 80386, for MS Windows
MD5: ffb0b9b5b610191051a7bdf0806e1e47
SHA1: 75a9af1e34dc0bb2f7fcde9d56b2503072ac35dd
ssdeep:
Date: 0x486CBA19 [Thu Jul 3 11:38:01 2008 UTC]
EP: 0x103d4 .text 0/4
Some sources go even back to 2003 but this in unclear at this moment however we can confirm that this campaign appeared at least early 2009.
An Open Source detection tool provided by G DATA
We identified the use of an encrypted virtual file system. In the version mentioned above, the file system is a fake .evt file in %System%\config. The header of the virtual file system is always the same:
typedef struct _HEADER {
uint16_t SectorSize;
uint16_t MaxSectorCount;
uint16_t MaxFileCount;
uint8_t FileTagLength;
uint16_t crc32custom;
}
During our analysis, the checksum was a CRC32. A generic approach to detect the infection could be a detection of the existence of a virtual file system on the infected system by checking the custom CRC32 value at the beginning of the file system.
Download the python script by going to the original G DATA article (link see below).
regin-detect.py SHA256: 98ac51088b7d8e3c3bb8fbca112290279a4d226b3609a583a735ecdbcd0d7045
regin-detect.py MD5: 743c7e4c6577df3d7e4391f1f5af4d65
And here is the output when a virtual file system is scanned:
paul@gdata:~regin$ ./tool.py security.evt
SectorSize: 1000
MaxSectorCount: 0500
MaxFileCount: 0500
FileTagLength: 10
CRC32custom: df979328
CRC of the file: df979328
Regin detected
Victims:
So far, victims of Regin were identified in 14 countries:
- Algeria
- Afghanistan
- Belgium
- Brazil
- Fiji
- Germany
- Iran
- India
- Indonesia
- Kiribati
- Malaysia
- Pakistan
- Russia
- Syria
Perhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater, a well-known Belgian cryptographer. Kaspersky Lab stated this in their report which you can find at
securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/ .
Even more interesting is the fact that Regin seems to be the spyware behind the Belgacom case, a big Belgian Telecom provider hacked in 2013. Belgacom acknowledged the hack, but never provided details about the breach. Ronald Prins from Fox-IT, which helped with the forensics and investigation of the Belgacom case, confirmed on his Twitter page that Regin could possibly be the malware behind the Belgacom case.
The Intercept, a publication of First Look Media, not only connects Regin to Belgacom, but also names the European Union as potential victim in an article published on November 24th.
(more…)