Researchers Link Regin to Malware Disclosed in Recent Snowden Documents

Kaspersky Lab has found shared code and functionality between the Regin malware platform and a keylogger described in recently disclosed Snowden documents.

Researchers at Kaspersky Lab have discovered shared code and functionality between the Regin malware platform and a similar platform described in a set of Edward Snowden documents disclosed 10 days ago by Germany’s Der Spiegel.

The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together.

“Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” wrote Kaspersky Lab researchers Costin Raiu and Igor Soumenkov today in a published report on the Securelist blog.

The Der Spiegel article describes how the U.S. National Security Agency, the U.K.’s GCHQ and the rest of the Five Eyes are allegedly developing offensive Internet-based capabilities to attack computer networks managing the critical infrastructure of their adversaries.

The new Snowden documents, disclosed by Laura Poitras and a collection of eight security and privacy technologists and experts, also include an overview of a malware platform called WARRIORPRIDE. Within WARRIORPRIDE is QWERTY, a module that logs keystrokes from compromised Windows machines; Der Spiegel said the malware is likely several years old and has likely already been replaced.

The magazine released QWERTY to the public upon publication of its article. It describes QWERTY’s structure as “simple” and said there is a core driver called QWERTYKM that interacts with the Windows keyboard manager, and a QWERTYLP library that logs and stores keystrokes for analysis. Der Spiegel said that, after its examination of binary files, various components and libraries, a connection between WARRIORPRIDE and the Australian Signals Directorate, an Aussie government intelligence agency, is likely.

Kaspersky researchers Raiu and Soumenkov said after analysis that the QWERTY malware is identical in functionality to a particular Regin plugin.

Raiu and Soumenkov said researchers took apart the QWERTY module and found three binaries and configuration files. One binary called 20123.sys is a kernel mode component of the QWERTY keylogger that was built from source code also found in a Regin module, a plug-in called 50251.

In a report published today, side-by-side comparisons of the respective source code show they are close to identical, sharing large chunks of code. The researchers said that one piece of code in particular references plug-ins from the Regin platform and is used in QWERTY and its Regin counterpart. It addresses a Regin plug-in, called 50225, that is responsible for kernel-mode hooking, the Kaspersky researchers said.

“This is solid proof that the QWERTY plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225,” Raiu and Soumenkov wrote.

“As an additional proof that both modules use the same software platform, we can take a look at functions exported by ordinal 1 of both modules,” they also wrote. “They contain the startup code that can be found in any other plugin of Regin, and include the actual plugin number that is registered within the platform to allow further addressing of the module. This only makes sense if the modules are used with the Regin platform orchestrator.”

The Regin malware platform was disclosed in late November by Kaspersky Lab and was quickly labeled one of the most advanced espionage malware platforms ever studied, surpassing even Stuxnet and Flame in complexity. The platform is used to steal secrets from government agencies, research institutions and banks, and can even be tweaked to attack GSM telecom network operators.

Last week, Kaspersky researchers published another Regin report, this one describing two standalone modules used for lateral movement and to establish a backdoor in order to move data off compromised machines. The modules, named Hopscotch and Legspin, have also likely been retired given they were developed perhaps more than a decade ago.
