Regin (also known as Prax or QWERTY) is a sophisticated malware and hacking toolkit used by the United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and ''The Intercept'' in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the NSA and GCHQ. ''The Intercept'' provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. (The name Regin is first found on the VirusTotal website on 9 March 2011.) Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan. Kaspersky has said the malware's main victims are private individuals, small businesses and telecom companies. Regin has been compared to Stuxnet and is thought to have been developed by "well-resourced teams of developers", possibly a Western government, as a targeted multi-purpose data collection tool. According to ''Die Welt'', security experts at Microsoft gave it the name "Regin" in 2011, after the cunning Norse dwarf Regin.


Operation

Regin uses a modular approach that lets its operators load only the features that fit a given target, enabling customized spying. The design makes it highly suited to persistent, long-term mass surveillance operations against targets. Regin is stealthy and does not store multiple files on the infected system; instead it uses its own encrypted virtual file system (EVFS), entirely contained within what looks to the host like a single file with an innocuous name, within which files are identified only by a numeric code, not a name. The EVFS is encrypted with a variant of the rarely used RC5 cipher. Regin communicates over the Internet using ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocols with a command and control server, which can control operations, upload additional payloads, and so on.
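To make the storage design concrete, the following is an added illustration, not Regin's code or its actual container format and not taken from the Kaspersky or Symantec analyses: a toy single-file container whose entries are addressed by numeric IDs rather than names, encrypted with textbook RC5-32/12/16 in CBC mode. The key, IV, entry IDs and payload bytes are constructed sample values, and the record layout (count, then id/length/data records, then padding) is an assumption made for the example. Regin's RC5 variant differs from the textbook cipher in ways the page does not specify, so the standard algorithm is used here.

```python
"""Toy single-file 'virtual file system': entries addressed by numeric ID, the
whole container encrypted with textbook RC5-32/12/16 (Rivest, 1994) in CBC mode.
Added illustration of the design idea described above, not Regin's own format."""
import struct

W, MASK = 32, 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9  # RC5 magic constants for 32-bit words
ROUNDS = 12


def _rotl(x, y):
    y %= W
    return ((x << y) | (x >> (W - y))) & MASK


def _rotr(x, y):
    y %= W
    return ((x >> y) | (x << (W - y))) & MASK


def rc5_key_schedule(key, rounds=ROUNDS):
    """Expand a 1..255-byte key into the 2*(rounds+1) subkey words S."""
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):  # load key bytes little-endian
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    i = j = a = b = 0
    for _ in range(3 * max(t, c)):  # mix S and L together
        a = S[i] = _rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = _rotl((L[j] + a + b) & MASK, a + b)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(S, block, rounds=ROUNDS):
    A, B = struct.unpack("<II", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for r in range(1, rounds + 1):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<II", A, B)


def rc5_decrypt_block(S, block, rounds=ROUNDS):
    A, B = struct.unpack("<II", block)
    for r in range(rounds, 0, -1):
        B = _rotr((B - S[2 * r + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * r]) & MASK, B) ^ B
    return struct.pack("<II", (A - S[0]) & MASK, (B - S[1]) & MASK)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _cbc(S, data, iv, encrypt):
    """CBC over 8-byte RC5 blocks; data length must be a multiple of 8."""
    out, prev = bytearray(), iv
    for off in range(0, len(data), 8):
        blk = data[off:off + 8]
        if encrypt:
            prev = rc5_encrypt_block(S, _xor(blk, prev))
            out += prev
        else:
            out += _xor(rc5_decrypt_block(S, blk), prev)
            prev = blk
    return bytes(out)


def pack_container(entries, key, iv):
    """entries: {numeric_id: bytes}. Body = u32 count, then (u32 id, u32 len, data)
    records, then PKCS#7-style padding to the 8-byte block; returns iv || ciphertext."""
    body = struct.pack("<I", len(entries))
    for eid, data in sorted(entries.items()):
        body += struct.pack("<II", eid, len(data)) + data
    pad = 8 - len(body) % 8
    body += bytes([pad]) * pad
    return iv + _cbc(rc5_key_schedule(key), body, iv, encrypt=True)


def unpack_container(blob, key):
    """Inverse of pack_container; raises ValueError on wrong key or corrupt layout."""
    body = _cbc(rc5_key_schedule(key), blob[8:], blob[:8], encrypt=False)
    pad = body[-1] if body else 0
    if not 1 <= pad <= 8 or body[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or corrupt container")
    body = body[:-pad]
    if len(body) < 4:
        raise ValueError("corrupt header")
    (count,) = struct.unpack_from("<I", body)
    if count > len(body) // 8:
        raise ValueError("corrupt header")
    off, entries = 4, {}
    for _ in range(count):
        if off + 8 > len(body):
            raise ValueError("truncated entry")
        eid, length = struct.unpack_from("<II", body, off)
        off += 8
        if off + length > len(body):
            raise ValueError("truncated entry")
        entries[eid] = body[off:off + length]
        off += length
    return entries


if __name__ == "__main__":
    KEY = b"example-key-16by"  # constructed sample key (16 bytes)
    IV = bytes(range(8))       # constructed, fixed for reproducibility
    sample = {0x11: b"payload module", 0x23: b"c2 config"}  # constructed entries
    blob = pack_container(sample, KEY, IV)
    assert unpack_container(blob, KEY) == sample
    print(len(blob), "bytes on disk; entry IDs:", sorted(unpack_container(blob, KEY)))
```

The point of the layout is the one the paragraph makes: on disk there is one opaque blob, and without the key an analyst sees neither file names nor a directory structure, only numeric identifiers after decryption. A real analysis therefore starts by recovering the key and the cipher variant from the loader, not by carving the container.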


Identification and naming

Symantec says that both it and Kaspersky identify the malware as ''Backdoor.Regin''. Most antivirus programs, including Kaspersky's (as of October 2015), do not identify the sample of Regin released by ''The Intercept'' as malware. On 9 March 2011 Microsoft added related entries to its Malware Encyclopedia; later two more variants, ''Regin.B'' and ''Regin.C'', were added. Microsoft appears to call the 64-bit variants of Regin ''Prax.A'' and ''Prax.B''. The Microsoft entries do not contain any technical information. Both Kaspersky and Symantec have published white papers with the information they learned about the malware.


Known attacks and originator of malware

German news magazine ''Der Spiegel'' reported in June 2013 that the US National Security Agency (NSA) had conducted online surveillance on both European Union (EU) citizens and EU institutions. The information derives from secret documents obtained by former NSA contractor Edward Snowden. Both ''Der Spiegel'' and ''The Intercept'' quote a secret 2010 NSA document stating that the agency carried out cyberattacks that year, without specifying the malware used, against the EU's diplomatic representations in Washington, D.C. and to the United Nations. Investigators later found signs on the infected machines identifying the software used as Regin. ''The Intercept'' reported that in 2013 the UK's GCHQ attacked Belgacom, Belgium's largest telecommunications company; these attacks may have led to Regin coming to the attention of security companies. Based on analysis by the IT security firm Fox IT, ''Der Spiegel'' reported in November 2014 that Regin is a tool of the UK and US intelligence agencies. Fox IT found Regin on the computers of one of its customers, and according to its analysis parts of Regin are mentioned in the NSA ANT catalog under the names "Straitbizarre" and "Unitedrake". Fox IT did not name the customer, but ''Der Spiegel'' noted that Belgacom is among Fox IT's customers and quoted the head of Fox IT, Ronald Prins, as saying that they are not allowed to speak about what they found in the Belgacom network (Christian Stöcker and Marcel Rosenbach, "Spionage-Software: Super-Trojaner Regin ist eine NSA-Geheimwaffe" ["Spy software: super-Trojan Regin is an NSA secret weapon"], ''Der Spiegel'', 25 November 2014). In December 2014, the German newspaper ''Bild'' reported that Regin was found on a USB flash drive used by a staff member of Chancellor Angela Merkel. Checks of all high-security laptops in the German Chancellery revealed no additional infections. Regin was used in October and November 2018 to hack the research and development unit of Yandex.


See also

* Advanced persistent threat
* Cyberwarfare in the United States
* NSA ANT catalog
* Stuxnet
* WARRIOR PRIDE

