regin
DESCRIPTION
An advanced piece of malware, known as ‘Regin’, has been used in systematic spying campaigns against a range of international targets including government agencies and businesses since at least 2008, according to reports from the IT security firms Symantec and Kaspersky Lab, both released on 24 November 2014. This presentation gives a brief overview of the threat. The malware is unique in that its structure displays a degree of technical competence rarely seen; next to this complexity, Stuxnet looks like a thing of the past.
TRANSCRIPT
Groundbreaking Malware
By: Anupam Tiwari, CEH, CCCSP, PGDIS, GFSU Certified, B.Tech, M.Tech
Till now
Reveals… ahead
What is Regin all about?
Sophisticated malware, revealed by Kaspersky Lab and Symantec in November 2014, that targets specific users of Microsoft Windows-based computers.
Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003.
Regin has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.
A back-door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen.
Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance.
Telecom operators
Government institutions
Multinational political bodies
Financial institutions
Research institutions
Individuals involved in advanced mathematical/cryptographic research
Main Objectives
Intelligence gathering
Facilitating other types of attacks
Initial Compromise & Lateral Movement
The replication modules are copied to remote computers using Windows administrative shares and then executed.
The exact method used for the initial compromise remains a mystery, although several theories exist, including use of man-in-the-middle attacks with browser zero-day exploits.
Requires administrative privileges inside the victim’s network.
The REGIN Platform
Although to date REGIN is being referred to as the REGIN malware, it is not entirely accurate to use the term malware.
REGIN is more of a cyber attack platform, which the attackers deploy in victim networks for total remote control at all levels.
REGIN Platform Diagram
The REGIN Stages
Researchers at Symantec suspect that the Trojan is a government-created surveillance tool, since it likely took "months, if not years" to create.
REGIN is encrypted in multiple stages, making it hard to know what's happening unless it is captured in every stage. It even has tools to fight forensics, and it can use alternative encryption in a pinch.
Stage 0 (the dropper): Symantec Security Response had not obtained the Regin dropper at the time of writing. Once the dropper is executed on the target’s computer, it installs and executes Stage 1.
It’s likely that Stage 0 is responsible for setting up various extended attributes and/or registry keys and values that hold encoded versions of stages 2, 3, and potentially stages 4 and onwards.
Stage 1 is the initial load point for the threat. It simply reads and executes Stage 2 from a set of NTFS extended attributes. If no extended attributes are found, Stage 2 is executed from a set of registry keys.
Stage 2 is a kernel driver that simply extracts, installs and runs Stage 3. Stage 2 is not stored in the traditional file system, but is encrypted within an extended attribute or a registry key blob.
Stage 3 is a kernel-mode DLL and is not stored in the traditional file system. Instead, this file is encrypted within an extended attribute or registry key blob.
The files for Stage 4, which are loaded by Stage 3, consist of a user-mode orchestrator and multiple kernel payload modules.
Stage 5 consists of the main REGIN payload functionality. The files for Stage 5 are injected into services.exe by Stage 4.
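A defender-side check that follows from the stage layout above, added here as an example (it is not from this deck or from either vendor's report): Stages 2 and 3 live as encrypted blobs inside NTFS extended attributes rather than as files, so one way to hunt for them is to pull the raw EA buffer of files on a suspect host (on Windows via NtQueryEaFile) and parse it in the documented FILE_FULL_EA_INFORMATION layout, flagging values that are both large and high-entropy. The buffer below is constructed inline so the parser runs offline; the EA names and the blob are made up.

```python
import math
import random
import struct

# FILE_FULL_EA_INFORMATION (documented Windows layout, as returned by NtQueryEaFile):
# ULONG NextEntryOffset; UCHAR Flags; UCHAR EaNameLength; USHORT EaValueLength; name, NUL, value
_HDR = struct.Struct("<IBBH")

def parse_ea_buffer(buf: bytes) -> list:
    """Walk a raw EA buffer and return its (name, value) pairs."""
    entries, off = [], 0
    while off + _HDR.size <= len(buf):
        nxt, _flags, nlen, vlen = _HDR.unpack_from(buf, off)
        name_at = off + _HDR.size
        value_at = name_at + nlen + 1                 # skip the NUL after the name
        if value_at + vlen > len(buf):
            raise ValueError("truncated EA entry at offset %d" % off)
        name = buf[name_at:name_at + nlen].decode("ascii", "replace")
        entries.append((name, buf[value_at:value_at + vlen]))
        if nxt == 0:                                  # NextEntryOffset 0 ends the chain
            break
        off += nxt
    return entries

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def suspicious_eas(buf: bytes, min_size: int = 1024, min_entropy: float = 7.0) -> list:
    """Names of EAs whose value is large and high-entropy: legitimate EAs are small metadata."""
    return [n for n, v in parse_ea_buffer(buf)
            if len(v) >= min_size and shannon_entropy(v) >= min_entropy]

def build_ea(name: bytes, value: bytes, last: bool) -> bytes:
    """Encode one entry as the kernel lays it out (4-byte aligned); used only for the sample."""
    body = name + b"\x00" + value
    pad = (-(_HDR.size + len(body))) % 4
    nxt = 0 if last else _HDR.size + len(body) + pad
    return _HDR.pack(nxt, 0, len(name), len(value)) + body + b"\x00" * pad

# Constructed sample: a small benign-looking EA followed by a 4 KiB random blob
# standing in for an encrypted stage. Names and contents are made up for this demo.
random.seed(1)
BLOB = bytes(random.getrandbits(8) for _ in range(4096))
SAMPLE = (build_ea(b"CONSTRUCTED.BENIGN", b"\x01\x00\x00\x00", last=False)
          + build_ea(b"CONSTRUCTED.HIDDEN", BLOB, last=True))
```

On a real host the same parser applies to buffers read from disk; the size and entropy thresholds are starting points to tune against a baseline of the EAs your own images legitimately carry.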
REGIN GSM Targeting
The most interesting aspect found so far regarding REGIN relates to an infection of a large GSM operator.
One VFS encrypted entry located had internal id 50049.2, and appears to be an activity log on a GSM Base Station Controller.
REGIN Payloads
Here’s a look at the decoded REGIN GSM activity log:
The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts: sed[snip]:Alla[snip], hed[snip]:Bag[snip], oss:New[snip], administrator:Adm[snip]
REGIN Communication & C&C
The C&C mechanism implemented in REGIN is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks.
Most victims communicate with another machine in their own internal network through various protocols as specified in the config file.
After decoding all the configurations collected, the following external C&Cs were identified:
All the victims identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president’s office, a research center, an educational institution network and a bank. Spread across the country, these victims are all interconnected with each other.
One of the victims contains a Translation Drone, which has the ability to forward packets outside the country, to the C&C in India.
REGIN Victims
Global Distribution