Groundbreaking Malware. By: Anupam Tiwari, CEH, CCCSP, PGDIS, GFSU Certified, B.Tech, M.Tech

Regin


An advanced piece of malware known as 'Regin' has been used in systematic spying campaigns against a range of international targets, including government agencies and businesses, since at least 2008, according to reports from the IT security firms Symantec and Kaspersky Lab, both released on 24 November 2014. This presentation gives a brief overview of the threat. The malware is unique in that its structure displays a degree of technical competence rarely seen; next to this complexity, Stuxnet looks like a thing of the past.


Page 1: Regin


Page 2: Regin
Page 3: Regin

Till NOW

Reveals….Ahead

Page 4: Regin
Page 5: Regin
Page 6: Regin
Page 7: Regin
Page 8: Regin
Page 9: Regin

IS

ALL ABOUT ?

Page 10: Regin

Regin is a sophisticated piece of malware, revealed by Kaspersky Lab and Symantec in November 2014, that targets specific users of Microsoft Windows-based computers.

Page 11: Regin

Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003.

Page 12: Regin

Regin has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.

A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen.

It is customizable, with an extensive range of capabilities depending on the target, and it provides its controllers with a powerful framework for mass surveillance.

Page 13: Regin

Targets:

Telecom operators

Government institutions

Multinational political bodies

Financial institutions

Research institutions

Individuals involved in advanced mathematical/cryptographic research

Page 14: Regin

Main Objectives

Intelligence gathering

Facilitating other types of attacks

Page 15: Regin

Initial Compromise & Lateral Movement

The replication modules are copied to remote computers using Windows administrative shares and then executed.

The exact method used for the initial compromise remains a mystery, although several theories exist, including use of man-in-the-middle attacks with browser zero-day exploits.

This replication requires administrative privileges inside the victim's network.

Page 16: Regin

The REGIN Platform

Although to date REGIN has been referred to as "the REGIN malware", it is not entirely accurate to use the term malware. REGIN is more of a cyber attack platform, which the attackers deploy in victim networks for total remote control at all levels.

Page 17: Regin

REGIN Platform Diagram

The REGIN Stages

Page 18: Regin

The REGIN Stages

Page 19: Regin

Researchers at Symantec suspect that the Trojan is a government-created surveillance tool, since it likely took "months, if not years" to create.

The REGIN Stages

REGIN is encrypted in multiple stages, making it hard to know what's happening unless it is captured in every stage. It even has tools to fight forensics, and it can use alternative encryption in a pinch.

Page 20: Regin

The REGIN Stages

Page 21: Regin

Symantec Security Response had not obtained the Regin dropper at the time of writing. Once the dropper is executed on the target's computer, it will install and execute Stage 1.

The REGIN Stages

It's likely that Stage 0 is responsible for setting up various extended attributes and/or registry keys and values that hold encoded versions of stages 2, 3, and potentially stages 4 and onwards.

Page 22: Regin

The REGIN Stages

Stage 1 is the initial load point for the threat.

Stage 1 simply reads and executes Stage 2 from a set of NTFS extended attributes. If no extended attributes are found, Stage 2 is executed from a set of registry keys.

Page 23: Regin

The REGIN Stages

Stage 2 is a kernel driver that simply extracts, installs and runs Stage 3. Stage 2 is not stored in the traditional file system, but is encrypted within an extended attribute or a registry key blob.

Page 24: Regin

The REGIN Stages

Stage 3 is a kernel-mode DLL and is not stored in the traditional file system. Instead, this file is encrypted within an extended attribute or registry key blob.

Page 25: Regin

The REGIN Stages

The files for Stage 4, which are loaded by Stage 3, consist of a user-mode orchestrator and multiple kernel payload modules.

Page 26: Regin

The REGIN Stages

Stage 5 consists of the main REGIN payload functionality. The files for Stage 5 are injected into services.exe by Stage 4.
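Stages 1 to 3 above live in NTFS extended attributes (EAs) rather than as ordinary files, which is why normal directory listings never show them. The following is an added example, not code from the slides or from either vendor report: a PowerShell scanner that walks a directory tree and lists every EA each file carries, so that files with large or unexpected EAs can be triaged. It assumes Windows PowerShell 5.1 or later, the documented ntdll!NtQueryEaFile signature, and read access to the files scanned.

```powershell
# Added example: enumerate NTFS extended attributes under a directory tree.
# Assumes Windows PowerShell 5.1+ and the documented ntdll!NtQueryEaFile signature.
param([string]$Path = $env:SystemRoot, [int]$MinBytes = 1)

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtEa {
    [StructLayout(LayoutKind.Sequential)]
    public struct IO_STATUS_BLOCK { public IntPtr Status; public IntPtr Information; }
    [DllImport("ntdll.dll")]
    public static extern uint NtQueryEaFile(IntPtr FileHandle, ref IO_STATUS_BLOCK IoStatusBlock,
        IntPtr Buffer, uint Length, byte ReturnSingleEntry, IntPtr EaList, uint EaListLength,
        IntPtr EaIndex, byte RestartScan);
}
"@

function Get-NtfsEa([string]$File) {
    $M = [Runtime.InteropServices.Marshal]
    $fs = [System.IO.File]::Open($File, 'Open', 'Read', 'ReadWrite')
    $size = 131072                      # NTFS caps EAs at 64 KB; leave room for entry headers
    $buf = $M::AllocHGlobal($size)
    try {
        $iosb = New-Object NtEa+IO_STATUS_BLOCK
        $status = [NtEa]::NtQueryEaFile($fs.SafeFileHandle.DangerousGetHandle(), [ref]$iosb,
            $buf, $size, 0, [IntPtr]::Zero, 0, [IntPtr]::Zero, 1)
        if ($status -eq 0xC0000052) { return }          # STATUS_NO_EAS_ON_FILE: nothing to report
        if ($status -ne 0) { Write-Warning ("{0}: NTSTATUS 0x{1:X8}" -f $File, $status); return }
        $off = 0
        while ($true) {                                  # walk the FILE_FULL_EA_INFORMATION chain
            $next    = $M::ReadInt32($buf, $off)         # NextEntryOffset (0 = last entry)
            $nameLen = $M::ReadByte($buf, $off + 5)      # EaNameLength
            $valLen  = $M::ReadInt16($buf, $off + 6) -band 0xFFFF   # EaValueLength
            $name    = $M::PtrToStringAnsi([IntPtr]::Add($buf, $off + 8), $nameLen)
            $head = ''
            if ($valLen -gt 0) {                         # value follows the NUL-terminated name
                $value = New-Object byte[] $valLen
                $M::Copy([IntPtr]::Add($buf, $off + 8 + $nameLen + 1), $value, 0, $valLen)
                $head = ($value[0..([Math]::Min(15, $valLen - 1))] | ForEach-Object { $_.ToString('X2') }) -join ' '
            }
            [pscustomobject]@{ File = $File; EaName = $name; Bytes = $valLen; Head = $head }
            if ($next -eq 0) { break }
            $off += $next
        }
    } finally { $M::FreeHGlobal($buf); $fs.Dispose() }
}

Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $f = $_.FullName; try { Get-NtfsEa $f } catch { Write-Warning "${f}: $_" } } |
    Where-Object { $_.Bytes -ge $MinBytes } | Format-Table -AutoSize
```

Legitimate software also uses EAs (WSL 1 file metadata is a well-known case), so treat hits as a triage list and compare the EA names and value sizes against a known-good baseline of the same Windows build rather than alerting on every entry.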

Page 27: Regin

REGIN GSM Targeting

The most interesting aspect found so far regarding REGIN relates to an infection of a large GSM operator.

One encrypted VFS entry located had internal id 50049.2, and appears to be an activity log on a GSM Base Station Controller.

Page 28: Regin

REGIN Payloads

Page 29: Regin

REGIN GSM Targeting

Here's a look at the decoded REGIN GSM activity log:

The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts: sed[snip]:Alla[snip] hed[snip]:Bag[snip] oss:New[snip] administrator:Adm[snip]

Page 30: Regin

REGIN Communication & C&C

The C&C mechanism implemented in REGIN is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks.

Most victims communicate with another machine in their own internal network through various protocols as specified in the config file.

Page 31: Regin

REGIN Communication & C&C

After decoding all the configurations collected, the following external C&Cs were identified:

Page 32: Regin

REGIN Communication & C&C

All the victims identified communicate with each other, forming a peer-to-peer network.

The P2P network includes the president's office, a research center, an educational institution network and a bank.

These victims, spread across the country, are all interconnected with each other.

One of the victims contains a translation drone, which has the ability to forward packets outside the country, to the C&C in India.

Page 33: Regin

REGIN Victims

Global Distribution

Page 34: Regin

REGIN Victims

Global Distribution

Page 35: Regin

Contact me:

[email protected]

http://about.me/anupam.tiwari

https://www.youtube.com/user/anupam50/videos