Researchers Detail Regin Attack Platform Modules

Researchers at Kaspersky Lab released details today of two modules used by the notorious Regin malware platform first exposed last year.

Publicly identified separately in November by security researchers at Kaspersky Lab and Symantec, Regin has been linked to cyber-espionage campaigns going back to at least 2008. In addition to stealing information from targets such as banks and government agencies, the malware was also used to target telecom operators and to penetrate and monitor GSM (Global System for Mobile Communications) networks.

According to Kaspersky Lab, two modules named ‘hopscotch’ and ‘legspin’ were designed as standalone tools that seem to predate the Regin platform by several years.

“Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators,” Kaspersky Lab researchers Costin Raiu and Igor Soumenkov explained in a joint blog post. “What makes them interesting is the fact they were developed many years ago and could even have been created before the Regin platform itself.”

For example, the Legspin module is believed to go back to 2003 and possibly 2002. The module was developed as a standalone command line utility for complete administration, the researchers wrote. When run remotely, it operates a backdoor and includes full console support. It also features colored output when run locally, and can distinguish between consoles that support Windows Console API and TTY-compatible terminals that accept escape codes for coloring.

“Once started and initialized, it provides the operator with an interactive command prompt, waiting for incoming commands,” the researchers explained. “The list of available commands is pretty large and allows the operators to perform many administrative actions. Some of the commands require additional information that is requested from the operator, and the commands provide a text description of the available parameters. The program is actually an administrative shell that is intended to be operated manually by the attacker/user.”

According to Kaspersky Lab, the Legspin module doesn’t have a built-in command and control mechanism, and instead uses the Regin platform to redirect the console input/output to/from the operators.

Meanwhile, the Hopscotch module was designed as an interactive tool for lateral movement. It does not contain any exploits; instead it relies on previously stolen credentials to authenticate itself at the remote machine using standard APIs, the researchers wrote.

“The module establishes a two-way encrypted communication channel with the remote payload SVCSTAT.EXE using two named pipes,” they continued. “One pipe is used to forward input from the operator to the payload and the other writes data from the payload to the standard output. Data is encrypted using the RC4 algorithm and the initial key exchange is protected using asymmetric encryption. Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation.”

“Although more details about Regin are becoming available, there is still a lot that remains unknown,” the researchers wrote. “One thing is already clear – what we know about Regin is probably already retired information that has been replaced by new modules and techniques as time passes.”