REGIN : Stealthy Malware


  • 8/10/2019 REGIN : Stealthy Malware

    1/35

    Groundbreaking Malware

    By: Anupam Tiwari, CEH, CCCSP, PGDIS, GFSU Certified, B.Tech, M.Tech


    3/35

    Till NOW

    Reveals.

    Ahead


    9/35

    What REGIN is all about?

    10/35

    Sophisticated malware, revealed by Kaspersky Lab and Symantec in November 2014, that targets specific users of Microsoft Windows-based computers.

    11/35

    Kaspersky Lab says it first became aware of REGIN in spring 2012, but that some of the earliest samples date from 2003.

    12/35

    It has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.

    A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen.

    Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance.

    13/35

    Telecom operators
    Government institutions
    Multinational political bodies
    Financial institutions
    Research institutions
    Individuals involved in advanced mathematical/cryptographic research

    14/35

    Main Objectives

    Intelligence gathering

    Facilitating other types of attacks

    15/35

    Initial Compromise & Lateral Movement

    The replication modules are copied to remote computers using Windows administrative shares and then executed.

    The exact method used for the initial compromise remains a mystery, although several theories exist, including use of man-in-the-middle attacks with browser zero-day exploits.

    Requires administrative privileges inside the victim's network.

    16/35

    The REGIN Platform

    Although to date REGIN is being referred to as the REGIN malware, it is not entirely accurate to use the term malware. REGIN is more of a cyber attack platform, which the attackers deploy in victim networks for total remote control at all levels.

    17/35

    REGIN Platform Diagram

    The REGIN Stages

    18/35

    The REGIN Stages

    19/35

    The REGIN Stages

    Researchers at Symantec suspect that the Trojan is a government-created surveillance tool, since it likely took "months, if not years" to create.

    REGIN is encrypted in multiple stages, making it hard to know what's happening unless captured in every stage. It even has tools to fight forensics, and it can use alternative encryption in a pinch.

    20/35

    The REGIN Stages

    21/35

    The REGIN Stages

    Symantec Security Response has not obtained the Regin dropper at the time of writing. Once the dropper is executed on the target's computer, it will install and execute Stage 1.

    It's likely that Stage 0 is responsible for setting up various extended attributes and/or registry keys and values that hold encoded versions of stages 2, 3, and potentially stages 4 and onwards.

    22/35

    The REGIN Stages

    Stage 1 is the initial load point for the threat. Stage 1 simply reads and executes Stage 2 from a set of NTFS extended attributes. If no extended attributes are found, Stage 2 is executed from a set of registry keys.

    23/35

    The REGIN Stages

    Stage 2 is a kernel driver that simply extracts, installs and runs Stage 3. Stage 2 is not stored in the traditional file system, but is encrypted within an extended attribute or a registry key blob.
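Stages 1 and 2, as the two slides above describe, live in NTFS extended attributes (or registry blobs) rather than in ordinary files. The following Python, added here and not part of this presentation or of any vendor's tooling, parses the FILE_FULL_EA_INFORMATION records that make up a file's $EA attribute (the way a forensic tool reading the MFT would) and flags values that look like a stored executable stage. The record layout is the documented Windows structure; the EA names, the size and entropy thresholds and the sample blob are constructed assumptions.

```python
import hashlib, math, struct

# FILE_FULL_EA_INFORMATION record (the body of an NTFS $EA attribute), 4-byte aligned:
#   ULONG NextEntryOffset; UCHAR Flags; UCHAR EaNameLength; USHORT EaValueLength;
#   CHAR EaName[EaNameLength]; CHAR '\0'; UCHAR EaValue[EaValueLength];
_HDR = struct.Struct("<IBBH")

def build_ea_blob(entries):  # (name, value) pairs -> raw $EA body (used here for test data)
    out = bytearray()
    for i, (name, value) in enumerate(entries):
        rec = bytearray(_HDR.pack(0, 0, len(name), len(value)))
        rec += name.encode("ascii") + b"\x00" + value
        rec += b"\x00" * ((-len(rec)) % 4)          # pad to the next 4-byte boundary
        if i != len(entries) - 1:                     # last record keeps NextEntryOffset 0
            struct.pack_into("<I", rec, 0, len(rec))
        out += rec
    return bytes(out)

def parse_ea_blob(blob):  # walk the records, return [(name, value)], stop on truncation
    entries, off = [], 0
    while off + _HDR.size <= len(blob):
        nxt, _flags, nlen, vlen = _HDR.unpack_from(blob, off)
        name_start = off + _HDR.size
        val_start = name_start + nlen + 1             # skip the NUL after the name
        if val_start + vlen > len(blob):
            break                                     # corrupt/truncated: never over-read
        name = blob[name_start:name_start + nlen].decode("ascii", "replace")
        entries.append((name, blob[val_start:val_start + vlen]))
        off = off + nxt if nxt else len(blob)         # offset 0 marks the last record
    return entries

def shannon_entropy(data):  # bits per byte, 0.0 to 8.0; encrypted/packed data sits near 8
    n = len(data) or 1
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def suspicious_ea_entries(blob, min_size=4096, entropy_threshold=7.0):
    """Flag EA values that look like a hidden stage: PE header, large, or high entropy."""
    flagged = []
    for name, value in parse_ea_blob(blob):
        checks = ((value[:2] == b"MZ", "PE header"), (len(value) >= min_size, "large value"),
                  (shannon_entropy(value) >= entropy_threshold, "high entropy"))
        reasons = [label for hit, label in checks if hit]
        if reasons:
            flagged.append((name, len(value), reasons))
    return flagged

# Constructed sample (not real Regin data): a harmless tag plus one PE-sized opaque value.
OPAQUE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(256))
SAMPLE_ENTRIES = [("USER.COMMENT", b"backup tag"), ("$REG.STAGE2", b"MZ" + OPAQUE)]
SAMPLE_BLOB = build_ea_blob(SAMPLE_ENTRIES)
```

Real EA contents would be encrypted rather than carrying a plain MZ header, which is why the entropy and size checks matter more than the header check on a live system.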

    24/35

    The REGIN Stages

    Stage 3 is a kernel mode DLL and is not stored in the traditional file system. Instead, this file is encrypted within an extended attribute or registry key blob.

    25/35

    The REGIN Stages

    The files for Stage 4, which are loaded by Stage 3, consist of a user-mode orchestrator and multiple kernel payload modules.

    26/35

    The REGIN Stages

    Stage 5 consists of the main REGIN payload functionality. The files for Stage 5 are injected into services.exe by Stage 4.

    27/35

    REGIN GSM Targeting

    The most interesting aspect found so far regarding REGIN relates to an infection of a large GSM operator.

    One VFS encrypted entry located had internal id 50049.2, and appears to be an activity log on a GSM Base Station Controller.

    28/35

    REGIN Payloads

    29/35

    REGIN GSM Targeting

    Here's a look at the decoded REGIN GSM activity log:

    The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts:

    sed[snip]:Alla[snip] hed[snip]:Bag[snip] oss:New[snip]
    administrator:Adm[snip]

    30/35

    REGIN Communication & C&C

    The C&C mechanism implemented in REGIN is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks.

    Most victims communicate with another machine in their own internal network through various protocols as specified in the config file.

    31/35

    REGIN Communication & C&C

    After decoding all the configurations collected, the following external C&Cs were identified:

    32/35

    REGIN Communication & C&C

    All the victims identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, an educational institution network and a bank. These victims, spread across the country, are all interconnected with each other.

    One of the victims contains a translation drone, which has the ability to forward packets outside the country, to the C&C in India.

    33/35

    REGIN Victims

    Global Distribution


    35/35

    Contact me:

    [email protected]

    http://about.me/anupam.tiwari

    https://www.youtube.com/user/anupam50/videos