No ordinary mobile attack: The Regin menace

The Regin Platform, courtesy of Kaspersky Lab

When you read about security attacks involving mobile network technology, typically they're incidents that target mobile devices used by consumers.

All kinds of malware have been found over the years that target iOS and Android, and the response is routine: isolate the malicious files, wait a day or so for antivirus vendors to ship signatures once the new sample is discovered, run the scan, reboot your device, and you're all set.

That's not what Regin is, oh no. Regin is the story of a global cyberattack mechanism on a massive scale. Hold on to your seats, because I'm going to take you on a bumpy ride.

Something Smells Like Duqu

To the uninitiated, Duqu is a trojan that was delivered inside Microsoft Word documents. Its installer exploited a vulnerability in the TrueType font parsing code of the Windows kernel component win32k.sys. Its obfuscated code is among the reasons researchers at Kaspersky, F-Secure, and Symantec believe it may have been developed by the team behind the notorious Stuxnet worm. A chilling parallel is that Stuxnet's kernel driver, mrxcls.sys, is so similar to Duqu's kernel driver, jminet7.sys, that F-Secure's existing signatures fired and identified Duqu as Stuxnet. Duqu appears to have been built with the C compiler from Visual Studio 2008.

Duqu is spyware: it collects vulnerability and system configuration data, apparently as reconnaissance for attacks on industrial SCADA systems. It wasn't designed to be destructive; it was programmed to sit in the kernel and application layers of Windows machines and snoop.

Duqu was discovered in September 2011. Months later, in spring 2012, Kaspersky Lab held a conference for security researchers to discuss Duqu. A researcher (whom Kaspersky hasn't identified) said that he had noticed patterns in Duqu's behavior that reminded him of something else: a malware attack that he and his colleagues had been stumped by for years, Regin.

Regin's Genesis and Platform

Malware researchers aren't yet certain when Regin debuted. There are logs with timestamps dating back to 2003 that may point to it, but that evidence is still being analyzed.

But according to Kaspersky, Regin is too complex to simply be labeled as malware. It's more accurate to say that Regin involves malware. Regin is a highly sophisticated cyberattack platform.

So far, according to Symantec, Regin has been found on computers in the following countries, listed here in order of infection frequency: Russia, Saudi Arabia, Ireland, Mexico, India, Pakistan, Belgium, Austria, Afghanistan, and Iran. That list covers only confirmed infections; if Regin hasn't already reached other parts of the world, it very likely will.

Typically, a Regin attack starts by compromising a Windows client or server. From there it unfolds in a sequence of five stages, each of the first four decrypting and loading the next.

  • Stage 1- The first stage is usually the only component found on a victim's machine that looks like malware on disk. Several Dynamic Link Libraries have been identified as Regin's first stage: for example, wshnetc.dll was found on a machine in Belgium, and wsharp.dll on a machine in Germany. Stage one has a single job: decrypt and load the second stage.
  • Stage 2- The second stage differs between 32-bit and 64-bit Windows. On 32-bit Windows it runs as a kernel-mode driver, stored encrypted in the registry. On 64-bit Windows it runs in user mode as a plain DLL rather than as a driver, most likely because kernel-mode code is harder to hide on 64-bit Windows, which enforces driver signing; the files %SYSTEMROOT%\system32\nsreg1.dat, bssec3.dat and msrdc64.dat are associated with the 64-bit stage two and are worth checking for. The 64-bit platform also avoids the registry for its encrypted storage, writing it instead to unused space at the end of the last partition on the disk, usually an NTFS volume. In both variants the stage-two code is stored encrypted and decrypted with a hardcoded RC5 key, which means an analyst who extracts the key from one sample can decrypt every stage-two blob protected by it.
  • Stage 3- The third stage exists only on 32-bit Windows. It provides an encrypted virtual file system (VFS) and loads a large number of plugins. The stage-three driver module is usually a system file named vmem.sys.
  • Stage 4- In both 32-bit and 64-bit attacks, the fourth stage runs a dispatcher module, disp.dll. This is the most intensive and crucial component of Regin: it exposes the APIs on which the entire platform runs, and it operates inside an encrypted virtual file system. Kaspersky has identified 24 different stage-four VFSes so far; where they are written varies from one infection to another.
  • Stage 5- If the attack isn't stopped before stage four completes, stage five is where Regin actually spies: keyloggers run, files are stolen, screenshots are taken, and network traffic is intercepted.

Regin: The GSM Cyberespionage System

It appears that Regin's intended targets are mainly GSM cellular networks, used to spy on governments, scientific research institutions, corporations, and private individuals. The majority of the world's cell networks use GSM. By compromising the Windows machines that serve as front-ends to GSM infrastructure, Regin's operators gained a foothold inside the networks themselves rather than on individual handsets.

Kaspersky believes that Regin's name comes from reversing "in reg," as in, in the Windows registry. I really wish Windows wasn't deployed as a GSM network front-end, or in any SCADA system. I would deploy GNU/Linux or BSD/Unix-based operating systems instead. There's a much greater diversity of Linux and Unix-based OSs than of Windows, so targeting any particular vulnerability will only affect a percentage of operating systems on a given platform, instead of most or all of them. Microsoft developers also integrate libraries way too much for my liking; *nix libraries tend to be much more isolated, affecting fewer applications and components.

Because so many of the world's cellular networks are GSM, the mobile devices of all kinds of individuals with access to highly classified data can be attacked. And since Regin operates in the GSM infrastructure itself, it doesn't matter whether a target's phone or tablet runs iOS, Android, Windows Phone, or BlackBerry.


The earliest attacks that we're certain were Regin date back to 2008, though suspected Regin attacks may be as old as 2003. Regin has evolved over the years; keep in mind that it's a complete cyberattack platform, not a single piece of malware. The most recent generation, the latest cycle, has been seen since 2013.

Because of the sophistication of Regin, and how very expensive it probably is to develop and deploy, it's probably the project of a nation's military cyberwarfare division. My gut tells me it's likely the Chinese government, although there's no evidence of that yet. China and Russia are the usual international cyberwarfare suspects, and Russian networks have been attacked by Regin, with no evidence of Chinese networks having been attacked. If Regin's source turns out not to be China, then Chinese GSM networks have been attacked and we don't know it due to their possible secrecy.

If you operate a Windows GSM network front-end, Kaspersky and Symantec's signatures can now identify many Regin backdoors for stage one.

But Regin's components evolve quickly, and much of its code is still unknown, so further Regin attacks that evade current signatures are likely. If your Windows machines don't front GSM networks, Regin may not be targeting them, as its payloads seem aimed at GSM infrastructure for the most part. I predict that UMTS, CDMA and other non-GSM cellular networks may be targeted by new, specific versions of Regin in the near future.

Crawley is a security researcher for the InfoSec Institute.
