Researchers at Kaspersky Lab say they have uncovered connections between the Regin attack platform and a malware platform exposed in documents shared by Edward Snowden with the German news magazine Der Spiegel.
According to Kaspersky Lab researchers Costin Raiu and Igor Soumenkov, a copy of the malicious files published by Der Spiegel immediately reminded them of Regin. After examining the code closely, they concluded that the Qwerty keylogger described in the document is identical in functionality to the Regin 50251 plugin.
“The Qwerty module pack consists of three binaries and accompanying configuration files,” the researchers blogged. “One file from the package– 20123.sys – is particularly interesting. The “20123.sys” is a kernel mode part of the keylogger. As it turns out, it was built from source code that can also be found one Regin module, the “50251” plugin.”
Publicly identified separately in November by security researchers at Kaspersky Lab and Symantec, Regin has been linked to cyber-espionage campaigns going back to at least 2008.
The document published by Der Spiegel calls Qwerty a plugin for a platform codenamed “WARRIORPRIDE” and is designed to “intercept all keyboard keys pressed by the victim and record them for later inspection.”
“WARRIORPRIDE, as all the malware programs we discovered in Five Eyes’ arsenal, is very flexible and versatile,” according to a document leaked by Der Spiegel. “Among the many interception modules WARRIORPRIDE is provided with, the technical research team has obtained a copy of QWERTY – WARRIORPRIDE’s component designed to invisibly record all key strokes from an infected Windows computer – from the Snowden Archive.”
Five Eyes is the name given to the intelligence alliance comprised of the United States, Australia, Canada, New Zealand and the United Kingdom.
The Kaspersky Lab researchers noted that most of the Qwerty components call plugins from the same pack (with plugin numbers 20121 – 20123), but there is also one piece code that references plugins from the Regin platform. One particular part of code, they state, is used in both the Qwerty 20123 module and Regin’s 50251 plugin, and it addresses the plugin 50225 that can be found in the virtual file systems of Regin. The 50225 plugin is responsible for kernel-mode hooking.
“This is a solid proof that the Qwerty plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225,” the researchers noted. “As an additional proof that both modules use the same software platform, we can take a look at functions exported by ordinal 1 of both modules. They contain the startup code that can be found in any other plugin of Regin, and include the actual plugin number that is registered within the platform to allow further addressing of the module. This only makes sense if the modules are used with the Regin platform orchestrator.”
Last year, Britain’s GCHQ (Government Communications Headquarters) spy agency was linked by Snowden to a 2013 cyber-attack on Belgacom, the largest telecommunications provider in Belgium. The Regin malware platform is believed to have been used in the attack.
“Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work part of the Regin platform,” blogged Raiu and Soumenkov. “The QWERTY keylogger doesn’t function as a stand-alone module, it relies on kernel hooking functions which are provided by the Regin module 50225. Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its sourcecodes, we conclude the QWERTY malware developers and the Regin developers are the same or working together.”