Details on Regin Malware Modules Disclosed

Researchers at Kaspersky Lab today released a detailed analysis of two modules belonging to the Regin malware platform, one for lateral movement, the other a backdoor.

The Regin malware platform used to steal secrets from government agencies, banks and GSM network operators caught the attention of security experts who called it one of the most advanced attack platforms that has been studied, surpassing Flame, Duqu, even Stuxnet.

Researchers at Kaspersky Lab said Regin could be tuned to attack large organizations or even individuals, pointing out that noted cryptographer Jean Jacques Quisquater was one of its first public victims.

Today, details about a pair of Regin modules were released by Kaspersky’s Global Research and Analysis Team, one module used for lateral movement, while the other establishes a backdoor in order to move data off compromised machines.

The researchers, Costin Raiu and Igor Soumenkov, concede that the modules, named Hopscotch and Legspin, have likely been put out of commission by those responsible for Regin and replaced by new modules. Attribution, meanwhile, remains another mystery to Regin, though some were quick to pin either the U.S. National Security Agency, or the U.K.’s GCHQ as the perpetrators.

Regin was revealed in November by Kaspersky Lab, which said it has been detected on Windows computers belonging to 27 organizations in 14 countries, most of those in Asia and the Middle East. The GSM (Global System for Mobile Communication) characteristic to Regin is a relatively unique feature to APT-style attacks, and particularly concerning given the lax security used in mobile communication protocols.

The attackers were able to steal credentials from an internal GSM Base Station Controller belonging to a large telecom operator that gave them access to GSM cells in that particular network, Kaspersky Lab said. Base Station Controllers manage calls as they move along a mobile network, allocating resources and mobile data transfers. With this kind of access, the attackers knew information about calls processed by particular cells, and were able to redirect calls, activate other cells and steal data.

“At the present time, the attackers behind Regin are the only ones known to have been capable of doing such operations,” Raiu said at the time.

Today’s report provides an in depth analysis of two of four modules belonging to Regin (hashes, compile dates, file type and size are listed on the Securelist blog).

“Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators,” the researchers wrote. “What makes them interesting is the fact they were developed many years ago and could even have been created before the Regin platform itself.”

Hopscotch, for example, is a standalone tool used by the attackers for lateral movement. It relies on stolen credentials to authenticate itself on remote computers, and contains no exploits, Raiu and Soumenkov said.

“The module receives the name of the target machine and an optional remote file name from the standard input (operator),” Raiu and Soumenkov wrote. The attackers can choose from several options at the time of execution and the tool provides human-readable responses and suggestions for possible input.”

The module creates a new service to launch a payload extracted from a remote server using a two-way encrypted channel, one that forwards input from the operator to the payload, the other writes data from payload to the standard output. The executable injects itself into a new process for persistence and the remote operator can interact with the module.

“Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation,” Raiu and Soumenkov wrote.

Legspin is another standalone module; this one is a command line utility for computer administration, and operates as a backdoor.

“It is worth noting that the program has full console support and features colored output when run locally,” Raiu and Soumenkov wrote. “It can even distinguish between consoles that support Windows Console API and TTY-compatible terminals that accept escape codes for coloring.”

There are clues within the module that hint it was developed around 2002-2003; it also uses legacy API functions such as NetBIOS, which was deprecated from Windows with the launch of Vista. This module gives the remote attacker an interactive command prompt, and a long list of commands at their disposal, including the ability to retrieve and upload files, connect to a remote share, retrieve server configuration data, create processes, much more.

“It’s worth pointing that not all Regin deployments contain the Legspin module; in most cases, the attackers manage their victims through other Regin platform functions,” the researchers wrote. “This means that Legspin could have been used independently from the Regin platform, as a simple backdoor together with an input/output wrapper.”

Suggested articles