REGIN, a cyberespionage APT

Posted on 11/28/2014, by INCIBE
Over the past few days, a new APT named Regin, reported by several antivirus companies, has drawn a great deal of attention, as noted on our Cybersecurity Highlights page. This new malware family, aimed at Windows systems and first discovered by Symantec, is estimated to have been active since at least 2008. Its main purposes are stealing information and facilitating other attacks. The source of the infection is currently unknown.

It is composed of several modules that allow actions such as taking screen captures, stealing passwords, monitoring network traffic, gathering information about processes and memory, recovering deleted files, etc. All the information it obtains is stored in Encrypted Virtual File Systems (EVFS).

- State diagram of Regin -

This process is divided into 6 stages:

  • Stage 0: Regin is downloaded and installed in the system, taking the shape of a driver. The infection vector is currently unknown.
  • Stage 1: Its function is to load and execute stage 2. This is the only stage in which we may find unencrypted files.
  • Stage 2: Composed of a driver responsible for extracting, installing and executing stage 3. On 64-bit systems, stage 2 jumps directly to stage 4.
  • Stage 3: It is responsible for loading and executing stage 4 (only on 32-bit systems). In addition, it offers a kernel-level framework for subsequent stages. The options this framework offers are:
    • Listing the functionality set.
    • Compression/decompression functions.
    • Encrypt/decrypt functions.
    • Functions for working with the Encrypted Virtual File System employed in stage 4.
    • Network functionality.
  • Stage 4: It is composed of two EVFS containers, one of which stores the different drivers forming the kernel of Regin, and another offering a user version of the stage 3 framework.
  • Stage 5: This stage is also loaded from an EVFS containing Regin payloads. These payloads differ depending on the victim’s system, and are customized according to it. Some of the functions it includes are:
    • Capturing low-level network traffic.
    • Obtaining information about the machine, processes, memory, etc.
    • Capturing passwords, screen, mouse clicks, etc.
    • Recovering deleted files.
    • Capturing GSM BSC traffic.
    • Etc.

Regin is mainly aimed at:

  • Communications operators
  • Government institutions
  • Political organizations
  • Financial institutions
  • Research centres
  • Advanced research projects in mathematics/cryptography

There are several public resources for detecting Regin infections:

It is also possible to apply the following Snort rules to detect and block communication with the C&C servers that have been identified (the drop rule only takes effect when Snort runs inline; the sid values are placeholders from the local-rule range):

  • alert ip $HOME_NET any <> [61.67.114.73,202.71.144.113,203.199.89.80,194.183.237.145] any (msg:"REGIN C&C"; sid:1000001; rev:1;)
  • drop ip $HOME_NET any <> [61.67.114.73,202.71.144.113,203.199.89.80,194.183.237.145] any (sid:1000002; rev:1;)
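
The Snort rules above only see traffic from the moment they are loaded. As an added example (not part of the original post), the following Python script applies the same four addresses retrospectively to stored flow records and lists the internal hosts to examine. The record format, the HOME_NET ranges and the sample records are assumptions constructed for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# C&C addresses copied from the Snort rules above.
REGIN_C2 = {ipaddress.ip_address(a) for a in (
    "61.67.114.73", "202.71.144.113", "203.199.89.80", "194.183.237.145")}
# Assumption: stand-in for Snort's $HOME_NET; replace with your own ranges.
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample records (time,src,dst,dst_port,proto); not real traffic.
SAMPLE_FLOWS = """\
2014-11-20T08:01:12Z,10.1.4.22,93.184.216.34,443,tcp
2014-11-20T08:03:40Z,10.1.4.22,61.67.114.73,443,tcp
2014-11-20T08:03:41Z,61.67.114.73,10.1.4.22,51822,tcp
2014-11-21T02:15:09Z,192.168.7.5,203.199.89.80,53,udp
2014-11-21T02:16:00Z,not-an-ip,203.199.89.80,53,udp
2014-11-21T03:00:00Z,172.16.0.9,194.183.237.145,80,tcp
"""

def in_home_net(addr):
    return any(addr in net for net in HOME_NET)

def find_c2_flows(lines):
    """Return flows between HOME_NET and a listed C&C, in either direction."""
    hits = []
    for row in csv.reader(lines):
        if len(row) != 5:
            continue  # blank, truncated or malformed record
        when, src, dst, _port, _proto = row
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # address field that does not parse
        # Mirror the "<>" operator in the rules: check both directions.
        if in_home_net(s) and d in REGIN_C2:
            hits.append((when, src, dst, "outbound"))
        elif s in REGIN_C2 and in_home_net(d):
            hits.append((when, dst, src, "inbound"))
    return hits

def hosts_to_triage(hits):
    """Map each internal host to the C&C addresses it exchanged traffic with."""
    hosts = defaultdict(set)
    for _when, host, c2, _direction in hits:
        hosts[host].add(c2)
    return dict(hosts)

if __name__ == "__main__":
    for host, c2s in hosts_to_triage(find_c2_flows(SAMPLE_FLOWS.splitlines())).items():
        print(host, sorted(c2s))
```

The 172.16.0.9 record is not reported because that range is missing from the assumed HOME_NET, the same blind spot an incomplete $HOME_NET gives the Snort rules.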