The Regin malware campaign targeted international organizations from 2008 to 2011 and again from 2013 to 2014. The malware may have remained undiscovered for at least five years prior to 2008. The complexity of the toolkit suggests the investment of significant resources over several years. In support of this assumption, Symantec notes that Regin appears to be designed for espionage campaigns that last several years.

The malware is allegedly the product of a collaboration between the United States NSA and the British GCHQ. This allegation derives from a document leaked to Der Spiegel and the Intercept by Edward Snowden. The malware primarily targeted systems belonging to private individuals, small businesses, and telecommunications companies in Russia, Saudi Arabia, Mexico, Ireland, and to a lesser extent, India, Afghanistan, Iran, Belgium, Austria, and Pakistan.

Symantec notes that the framework has been used for mass surveillance against “government organizations, infrastructure operators, businesses, researchers, and private individuals.” Nearly half of the attacks targeted private individuals. The quarter of infections against telecommunication infrastructure was likely an attempt to gain access to the calls routed through those networks. Regin has no clearly identified infection vector, though Symantec suspects that some infections resulted from watering-hole attacks and zero-day exploits.

Regin consists of a trojan and a backdoor that are widely customizable to fit the target. The platform excels at remaining undetected and at obfuscating its indicators of compromise. Regin is a modular platform, reminiscent of Flame, Duqu, and Stuxnet. The Regin backdoor is a five-stage modular component, and each stage after the first is hidden and encrypted. After each stage is successfully installed, the next stage is decrypted and installed. Each piece reveals as little as possible about the component as a whole, and if any stage fails the installation terminates. The flexibility of the Regin platform means that the actor can customize the payload to the target. Consequently, Regin has dozens of discovered payloads and likely many more that remain known only to the actor. In general, the platform features several remote access trojans (RATs) and tools to capture screenshots, log keystrokes, monitor network traffic, steal credentials, recover deleted files, and hijack the point-and-click functions of the mouse. According to Symantec, advanced payloads also contained “Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base controllers.” The platform also features anti-forensic capabilities, a custom-built encrypted virtual file system (EVFS), and RC5 encryption. Communication with the C&C servers occurs over ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocols.
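The two covert channels named above, ICMP/ping and commands embedded in HTTP cookies, are hard to spot by signature but leave a shape in traffic. The following is an added example, not code from the original report or from Symantec, showing heuristics a defender can run over flow data: ordinary ping payloads are short and follow a fixed byte pattern, so a long or ciphertext-like ICMP payload stands out, and a cookie value that is several times longer than every other value seen for the same cookie name stands out too (entropy is useless for cookies, since session IDs are random by design). All sample records and hosts are constructed; no real Regin indicators are used.

```python
"""Heuristic detection of covert C&C over ICMP echo payloads and HTTP cookies.
Added example with constructed sample data; not part of the original report."""
import math
from collections import defaultdict
from statistics import median


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def icmp_payload_suspicious(payload: bytes, max_len: int = 64, max_entropy: float = 6.5) -> bool:
    """Ordinary ping payloads are 32 bytes (Windows) or 56 bytes (Linux) and
    follow a fixed pattern; a long or ciphertext-like payload is worth a look."""
    return len(payload) > max_len or shannon_entropy(payload) > max_entropy


def cookie_length_outliers(requests, factor: float = 3.0):
    """Flag cookie values far longer than the median length seen for that cookie name.
    A per-name length baseline is used because session cookies are legitimately random."""
    lengths = defaultdict(list)
    for _, cookies in requests:
        for name, value in cookies.items():
            lengths[name].append(len(value))
    hits = []
    for client, cookies in requests:
        for name, value in cookies.items():
            base = median(lengths[name])
            if base > 0 and len(value) > factor * base:
                hits.append((client, name, len(value)))
    return hits


# Constructed sample ICMP echo requests: (source host, payload).
ICMP_SAMPLES = [
    ("10.0.0.5", b"abcdefghijklmnopqrstuvwabcdefghi"),             # Windows ping pattern
    ("10.0.0.6", bytes(8) + bytes(range(0x10, 0x40))),              # Linux ping: timestamp + pattern
    ("10.0.0.7", bytes((i * 73 + 17) % 251 for i in range(120))),   # 120 distinct bytes: looks encrypted
]

# Constructed sample HTTP requests: (client host, cookies sent).
HTTP_SAMPLES = [
    ("10.0.0.5", {"sid": "a3f9c2e1b7d4f0a1", "lang": "en"}),
    ("10.0.0.6", {"sid": "0b8e77c1d2a9e4f5", "lang": "de"}),
    ("10.0.0.8", {"sid": "9c1d22e3a4b5f6a7", "lang": "en"}),
    ("10.0.0.7", {"sid": "4f" * 90, "lang": "en"}),   # 180-byte value where 16 bytes is the norm
]


def scan(icmp=ICMP_SAMPLES, http=HTTP_SAMPLES):
    """Return alerts as (channel, host, detail) tuples."""
    alerts = [("icmp", host, f"len={len(p)} entropy={shannon_entropy(p):.2f}")
              for host, p in icmp if icmp_payload_suspicious(p)]
    alerts += [("cookie", host, f"{name} len={n}")
               for host, name, n in cookie_length_outliers(http)]
    return alerts


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

Both thresholds are starting points, not fixed truths: the Linux ping payload in the sample already scores about 5.4 bits per byte of entropy, so an entropy cutoff alone would misfire, which is why length is checked as well. The cookie baseline should be built from a site's own traffic over a meaningful period before it is used for alerting.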

The Butterfly group exploits zero-day vulnerabilities from a watering-hole website. In February 2013 Twitter, Facebook, Apple, and Microsoft were attacked within a three-week period. The Butterfly group initiated their campaign with a Java zero-day exploit that was delivered from a popular iPhone mobile development website. For some of the attacks, F-Secure believes that the payload delivered after the breach may have been a Mac OS X backdoor, dubbed OSX Pintsized. Attacks against Windows systems likely featured the Jripbot backdoor. Symantec believes that the group may also exploit Internet Explorer 10 or an Internet Explorer plugin. At least one recent attack suggests that the group might also conduct SQL injection attacks.

After a network is compromised, the group carefully adapts to the environment and utilizes remote access tools and management systems to move laterally across the network. The adversaries have used native Citrix systems and the TeamViewer application to move across some networks. The attackers are able to rapidly assess whether a system is valuable or whether they should move to a new system on the network. The Butterfly group uses a unique set of tools, which seem to have been developed by or for the attackers; Symantec could not find any open source data on the tools. All of the tools contain usage documentation. One tool, bj.dat (called “Banner Jack”), is used to locate vulnerable network servers, printers, routers, HTTP servers, or TCP servers. Banner Jack retrieves default messages from Telnet, HTTP, and TCP servers. It accepts an IP range and a port as input, connects to that port on each address in the range, and then retrieves and logs any data printed by the server. The Proxy.A tool creates a proxy connection so that the actor can route traffic through a proxy node to a destination node. The Eventlog tool parses event logs, dumps interesting logs, and deletes incriminating logs; it can also end processes and delete itself. The Multipurpose tool edits event logs, dumps passwords, securely deletes files, encrypts files, enumerates the network, and assists the attacker in moving across the network.
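A tool that works the way Banner Jack is described, one port across a whole IP range, produces a recognisable fan-out in firewall or flow logs: one internal source touching many hosts on the same port within seconds. The following is an added example, not code from the report or from Symantec, that parses constructed firewall log lines and flags any (source, port) pair that reaches a configurable number of distinct destinations inside a sliding time window. The log format, hosts, and thresholds are all assumptions made for the example.

```python
"""Detect the host fan-out signature of a banner-grabbing sweep in firewall logs.
Added example; the log lines below are constructed, not real captures."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def _line(ts, src, dst, dport):
    """Build one constructed log line in the assumed key=value format."""
    return f"{ts} src={src} dst={dst} dport={dport} proto=tcp action=allow"


# Constructed log: normal traffic from 10.0.0.20, a 3-host probe on port 80 (below the
# default threshold) and a 12-host Telnet sweep from 192.0.2.10 at one connection per second.
SAMPLE_LOG = [
    _line("2015-07-01T10:00:00Z", "10.0.0.20", "10.0.1.5", 443),
    _line("2015-07-01T10:00:03Z", "10.0.0.20", "10.0.1.6", 443),
    _line("2015-07-01T10:00:09Z", "10.0.0.20", "10.0.1.5", 443),
    _line("2015-07-01T10:00:30Z", "192.0.2.10", "10.0.1.1", 80),
    _line("2015-07-01T10:00:31Z", "192.0.2.10", "10.0.1.2", 80),
    _line("2015-07-01T10:00:32Z", "192.0.2.10", "10.0.1.3", 80),
] + [
    _line(f"2015-07-01T10:01:{i:02d}Z", "192.0.2.10", f"10.0.1.{i + 1}", 23) for i in range(12)
]


def parse(lines):
    """Yield (timestamp, src, dst, dport) for every line that matches the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["dst"], int(m["dport"])


def detect_sweeps(lines, min_targets=8, window=timedelta(seconds=60)):
    """Return {(src, dport): peak distinct destinations inside any `window`} for the
    pairs that reach `min_targets`; that fan-out is the sweep signature."""
    per_key = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        per_key[(src, dport)].append((ts, dst))
    alerts = {}
    for key, events in per_key.items():
        events.sort()
        recent = deque()
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:   # drop events that fell out of the window
                recent.popleft()
            peak = max(peak, len({d for _, d in recent}))
        if peak >= min_targets:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, port), n in detect_sweeps(SAMPLE_LOG).items():
        print(f"sweep: {src} reached {n} hosts on port {port} within 60s")
```

The threshold has to be tuned per network: monitoring systems, vulnerability scanners, and backup servers legitimately touch many hosts on one port, so a production version would carry an allow-list of known scanners and would key on the source user or session where the logs provide it.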

The Butterfly group exhibits intense operational security. Many of their tools self-delete, and others are securely deleted with a GNU shred tool used by the attackers. Event logs are modified or deleted to hide the intrusion. Uninteresting computers are fully purged of all traces of the attackers’ presence. C&C domains are registered with disposable names and email addresses, and C&C server hosting is paid for with Bitcoin, an anonymous digital currency. Symantec observed that the group “uses encrypted virtual machines and multi-staged C&C servers” to make it more difficult to investigate their middle infrastructure. Symantec managed to track activity through proxies to a C&C server that had been digitally sterilized: no activity was logged, and the system featured TrueCrypt and a VirtualBox virtual machine. Compromised systems were likely attacked from within the virtual machine; consequently, analysis is difficult when the image is not live.
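Modified or deleted event logs and fully purged hosts leave two signals a defender can watch for once logs are forwarded off the endpoint: explicit "log cleared" events, and a host whose forwarded logs simply go quiet. The following is an added example, not code from the report or from Symantec, that checks both over constructed Windows event records. Event IDs 1102 (Security audit log cleared) and 104 (System log cleared) are standard Windows event IDs; the hostnames, timestamps, and the four-hour silence baseline are assumptions made for the example.

```python
"""Anti-forensics signals over forwarded Windows event records: log-cleared events
and hosts whose logs go silent. Added example with constructed records."""
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, event_id) pairs that mean "this log was wiped" on Windows.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Constructed sample records as a SIEM might forward them.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "Security", "event_id": 4624, "ts": "2015-07-01T09:00:00Z"},
    {"host": "ws01", "channel": "Security", "event_id": 4624, "ts": "2015-07-01T09:05:00Z"},
    {"host": "ws01", "channel": "Security", "event_id": 1102, "ts": "2015-07-01T09:07:00Z"},
    {"host": "ws02", "channel": "Security", "event_id": 4624, "ts": "2015-07-01T09:00:00Z"},
    {"host": "ws02", "channel": "Security", "event_id": 4634, "ts": "2015-07-01T15:30:00Z"},  # 6.5 h gap
    {"host": "ws03", "channel": "System", "event_id": 104, "ts": "2015-07-01T09:10:00Z"},
    {"host": "ws03", "channel": "Security", "event_id": 4624, "ts": "2015-07-01T09:11:00Z"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_log_clears(events):
    """Return (host, channel, event_id, ts) for every log-cleared event."""
    return [(e["host"], e["channel"], e["event_id"], e["ts"])
            for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED]


def find_silence_gaps(events, max_gap=timedelta(hours=4)):
    """Return (host, channel, start, end, hours) for every gap between consecutive
    forwarded events on one host/channel that exceeds `max_gap`. A workstation that
    normally logs continuously and then falls silent may have been purged or had
    forwarding disabled; either way it deserves a look."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["channel"])].append(_ts(e["ts"]))
    gaps = []
    for (host, channel), times in by_key.items():
        times.sort()
        for a, b in zip(times, times[1:]):
            if b - a > max_gap:
                hours = round((b - a).total_seconds() / 3600, 1)
                gaps.append((host, channel, a.isoformat(), b.isoformat(), hours))
    return gaps


def triage(events=SAMPLE_EVENTS, max_gap=timedelta(hours=4)):
    """Combine both checks into one list of (signal, host, detail) alerts."""
    alerts = [("log_cleared", host, f"{channel} event {eid} at {ts}")
              for host, channel, eid, ts in find_log_clears(events)]
    alerts += [("log_silence", host, f"{channel} silent {hours}h from {start}")
               for host, channel, start, _end, hours in find_silence_gaps(events, max_gap)]
    return alerts


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

The log-cleared check only works if records are forwarded before the attacker wipes them, which is the point of shipping logs off the endpoint in near real time. The silence check needs a per-host baseline; servers that legitimately log a handful of events a day need a much longer `max_gap` than the four hours used here.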
