Friday, November 28, 2014

11/28/14: Wapack Labs Priority Intelligence Report: Regin

This is a slimmed-down version of a couple of white papers describing new espionage-focused malware known as Regin. There's been a ton of activity on this in the security circles, but not really in any form that could be read by folks without a security team who can digest and use the information. And while we're not as interested in knowing who wrote it, we do want to make sure folks have tools to help identify and protect against it.

Wapack Labs has not analyzed any malware, but rather publishes this to ensure the background is known and current mitigations are presented in a simple form. YARA rules are shown at the end of this three-page priority intelligence report. And as always, sources are shown. Please feel free to download the full papers from Kaspersky and/or Symantec for deeper analysis.

-Jeff 

-------------------------------------------------------------------------------------------------------------------------

Regin
Wapack Labs Priority Intelligence Report

Publication date: 28 November 2014; information cutoff date: 26 November 2014
Handling requirements: Traffic light protocol (TLP) WHITE.
TLP: WHITE information may be distributed without restriction, subject to copyright controls.

Background

A new and dangerous piece of malware has emerged, and nearly everyone is talking about attribution, pointing to government-sponsored authorship from the UK and US. Wapack Labs has not evaluated linkages to any government, but thought it necessary to identify any mitigations that might be available for this new, highly complex piece of code. This report is a situation report based on what we (Wapack Labs) currently know. The lab has not yet obtained samples of the malware and thus has not performed this analysis directly. This report is a compilation of what others have reported, and is only meant to outline the first steps in mitigation and defense.

Executive Summary

Regin is a multi-purpose family of malware that has been observed in the wild since at least 2008.  It is unknown exactly when the first samples appeared; however, compilation timestamps have been observed dating back to 2003.  Regin is extremely modular across its multistage infection process and has a wide range of standard capabilities.  The malware is capable of installing a large number of payloads, some of which are highly customized for the targeted system.

Details

Regin is reportedly a complex piece of software designed with espionage in mind.  Regin is said to steal passwords, monitor network traffic, and gather information on processes and memory utilization using a multi-phased approach and ‘modules’ of code that are dropped into a system independently of each other to avoid detection and defenses.  Regin modules have been observed parsing mail from Microsoft Exchange email databases, scanning for deleted files on an infected computer and retrieving them, and collecting administration traffic for telecommunications (cellular - GSM) base station controllers.

Regin employs several techniques to obfuscate exactly what information has been exfiltrated.  Targeting is reported to include telecom operators, government institutions, multinational political bodies, financial institutions, research institutions, and individuals involved in advanced mathematical and cryptographic research.  The level of customization found in Regin samples indicates a high level of specialist knowledge in the targeted sectors.  It is reported that actors utilizing the Regin malware have been focused to date on two main objectives - intelligence gathering and facilitating additional sophisticated attacks.

Reports of Regin infections have been noted in Algeria, Afghanistan, Austria, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Ireland, Kiribati, Malaysia, Mexico, Pakistan, Russia, Saudi Arabia, and Syria.

Figure 1: Regin Geographic Distribution

Mitigations

For the defender, four command and control (C2) nodes have been identified. Users are recommended to monitor inbound and outbound network activity for connections to the following Internet Protocol (IP) addresses:

·       61.67.114.73      Taiwan, Taichung - Chwbn
·       202.71.144.113    India, Chetput - Chennai Network Operations
·       203.199.89.80     India, Thane - Internet Service Provider
·       194.183.237.145   Belgium, Brussels - Perceval S.a.
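The monitoring recommended above can be automated against firewall or proxy logs. The script below is an added example, not part of the Wapack Labs report; it assumes a simple key=value log format (src=, dst=, dport=) and uses constructed log lines rather than real traffic. It flags both outbound connections to a listed address and inbound connections from one, and tolerates malformed address fields.

```python
# Added example (not from the Wapack Labs report): flag connections to or from
# the four Regin command-and-control addresses listed above in key=value style
# firewall/proxy logs. The log lines below are constructed for the demonstration.
import ipaddress
import re

# The four C2 addresses from the report, as ipaddress objects so that
# addresses from the log are compared canonically rather than as text.
REGIN_C2 = {
    ipaddress.ip_address("61.67.114.73"): "Taiwan, Taichung - Chwbn",
    ipaddress.ip_address("202.71.144.113"): "India, Chetput - Chennai Network Operations",
    ipaddress.ip_address("203.199.89.80"): "India, Thane - Internet Service Provider",
    ipaddress.ip_address("194.183.237.145"): "Belgium, Brussels - Perceval S.a.",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; the leading timestamp is kept under 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields.setdefault("ts", line.split(" ", 1)[0] if line else "")
    return fields


def check_line(line):
    """Return an alert dict if src or dst is a known C2 address, else None.

    Direction is reported so both outbound beacons and inbound connections are caught.
    """
    f = parse_line(line)
    for field, direction in (("dst", "outbound"), ("src", "inbound")):
        raw = f.get(field)
        if raw is None:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:  # garbage in the address field, not an IP
            continue
        if ip in REGIN_C2:
            return {
                "ts": f["ts"],
                "direction": direction,
                "ip": str(ip),
                "peer": f.get("src" if field == "dst" else "dst"),
                "dport": f.get("dport"),
                "location": REGIN_C2[ip],
            }
    return None


def scan_log(lines):
    """Run check_line over an iterable of log lines and return every alert."""
    return [a for a in (check_line(line) for line in lines) if a]


# Constructed sample log (not real traffic): one benign line, one outbound hit,
# one inbound hit, and one line with a malformed destination address.
SAMPLE_LOG = """\
2014-11-26T10:01:02Z src=10.0.0.5 dst=93.184.216.34 dport=443 action=allow
2014-11-26T10:01:07Z src=10.0.0.5 dst=61.67.114.73 dport=443 action=allow
2014-11-26T10:02:11Z src=194.183.237.145 dst=10.0.0.23 dport=8080 action=allow
2014-11-26T10:03:00Z src=10.0.0.9 dst=not.an.ip dport=80 action=deny
""".splitlines()

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Feeding a real export is a matter of replacing SAMPLE_LOG with the lines of the log file; the parser ignores any field it does not know, so extra columns are harmless.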

Several unique strings have been identified in Regin modules so far. While these strings are not by themselves proof of Regin activity, each should be monitored; false positives are highly likely. Users without the capability to perform host-based scanning may search their computers for the following terms. If any are found without a legitimate use, contact your security team, system administrator or Wapack Labs for assistance.

·       legspinv2.6
·       LEGSPINv2.6
·       WILLISCHECKv2.0
·       HOPSCOTCH
·       U_STARBUCKS
·       shit
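The manual search the report suggests can be scripted. The following scanner is an added example, not Wapack Labs' code or tooling; it assumes a directory tree to walk and builds its own constructed demo files rather than using real samples. It goes slightly beyond the list above by checking each indicator in both its ASCII and its UTF-16LE (wide-character) form, since Windows binaries commonly store strings as wide characters, and it reads files in overlapping chunks so a string that straddles a read boundary is still found. Matching is case-sensitive, as the list itself distinguishes legspinv2.6 from LEGSPINv2.6.

```python
# Added example (not from the report): walk a directory tree and report files
# containing any of the indicator strings listed above, in ASCII or UTF-16LE form.
import os
import tempfile

INDICATORS = ["legspinv2.6", "LEGSPINv2.6", "WILLISCHECKv2.0",
              "HOPSCOTCH", "U_STARBUCKS", "shit"]

# Pre-encode each indicator in both forms so the scan loop is a plain bytes search.
PATTERNS = [(s, enc, s.encode(enc)) for s in INDICATORS for enc in ("ascii", "utf-16-le")]
MAX_PAT = max(len(p) for _, _, p in PATTERNS)
CHUNK = 1 << 20  # read 1 MiB at a time so large files need not fit in memory


def scan_file(path):
    """Return sorted (indicator, encoding, absolute offset) hits for one file.

    Consecutive reads overlap by MAX_PAT-1 bytes so a string straddling a chunk
    boundary is still seen; hits are keyed by absolute offset so the overlap
    region does not get reported twice.
    """
    seen = set()
    base = 0      # absolute offset of the next chunk read from the file
    tail = b""    # last MAX_PAT-1 bytes of the previous buffer
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            buf = tail + chunk
            buf_start = base - len(tail)
            for name, enc, pat in PATTERNS:
                pos = buf.find(pat)
                while pos != -1:
                    seen.add((name, enc, buf_start + pos))
                    pos = buf.find(pat, pos + 1)
            base += len(chunk)
            tail = buf[-(MAX_PAT - 1):]
    return sorted(seen, key=lambda h: h[2])


def scan_tree(root):
    """Scan every regular file under root; unreadable files are skipped, not fatal.

    Keys are paths relative to root with '/' separators so results are portable.
    """
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                hits = scan_file(p)
            except OSError:
                continue
            if hits:
                results[os.path.relpath(p, root).replace(os.sep, "/")] = hits
    return results


def build_demo_tree():
    """Create a temporary tree of constructed files (not real samples) for a test run."""
    root = tempfile.mkdtemp(prefix="regin_demo_")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "clean.txt"), "wb") as f:
        f.write(b"nothing to see here, Legspin is capitalised differently\n")
    with open(os.path.join(root, "sub", "wide.bin"), "wb") as f:
        f.write(b"\x00" * 16 + "U_STARBUCKS".encode("utf-16-le") + b"\x00" * 16)
    # Place an ASCII indicator exactly across the chunk boundary to exercise the overlap.
    with open(os.path.join(root, "boundary.bin"), "wb") as f:
        f.write(b"A" * (CHUNK - 4) + b"HOPSCOTCH" + b"B" * 32)
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_demo_tree()).items():
        print(path, hits)
```

Any hit should be reviewed in context before escalating: short terms such as "shit" will appear in plenty of legitimate files, which is why the report warns of false positives.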

The following YARA[1] rules were published by Kaspersky Lab; they have not been tested by Wapack Labs.

rule apt_regin_vfs {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin VFSes"
    strings:
        $a1 = {00 02 00 08 00 08 03 F6 D7 F3 52}
        $a2 = {00 10 F0 FF F0 FF 11 C7 7F E8 52}
        $a3 = {00 04 00 10 00 10 03 C2 D3 1C 93}
        $a4 = {00 04 00 10 C8 00 04 C8 93 06 D8}
    condition:
        ($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
}

rule apt_regin_dispatcher_disp_dll {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin disp.dll dispatcher"
    strings:
        $mz = "MZ"
        $string1 = "shit"
        $string2 = "disp.dll"
        $string3 = "255.255.255.255"
        $string4 = "StackWalk64"
        $string5 = "imagehlp.dll"
    condition:
        ($mz at 0) and (all of ($string*))
}

rule apt_regin_2013_64bit_stage1 {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin 64 bit stage 1 loaders"
        filename = "wshnetc.dll"
        md5 = "bddf5afbea2d0eed77f2ad4e9a4f044d"
        filename = "wsharp.dll"
        md5 = "c053a0a3f1edcbbfc9b51bc640e808ce"
    strings:
        $mz = "MZ"
        $a1 = "PRIVHEAD"
        $a2 = "\\\\.\\PhysicalDrive%d"
        $a3 = "ZwDeviceIoControlFile"
    condition:
        ($mz at 0) and (all of ($a*)) and filesize < 100000
}

rule apt_regin_2011_32bit_stage1 {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin 32 bit stage 1 loaders"
    strings:
        $key1 = {331015EA261D38A7}
        $key2 = {9145A98BA37617DE}
        $key3 = {EF745F23AA67243D}
        $mz = "MZ"
    condition:
        ($mz at 0) and any of ($key*) and filesize < 300000
}

rule apt_regin_rc5key {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin RC5 decryption keys"
    strings:
        $key1 = {73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}
        $key2 = {10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}
    condition:
        any of ($key*)
}
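To make clear exactly what each rule tests for, here are the five rules above re-expressed as plain Python predicates. This is an added example, neither Kaspersky Lab's nor Wapack Labs' code; the byte values are transcribed from the rules, the "at 0" conditions become prefix checks, filesize becomes the buffer length, and the sample buffers are constructed here and are not real Regin samples. It is useful for understanding the rules or for a quick check on a host where YARA is not installed; the real rules should still be run with YARA in production.

```python
# Added example (not from the report or from Kaspersky Lab): the five YARA rules
# above as plain Python predicates over a bytes buffer, with constructed test
# buffers that trigger, or deliberately fail, each rule.


def _hex(s):
    return bytes.fromhex(s)


# Patterns transcribed from the rules. YARA's "$x at 0" means the file starts
# with that byte sequence; a bare string means it occurs anywhere in the file.
VFS_HEADERS = [_hex(h) for h in (
    "00 02 00 08 00 08 03 F6 D7 F3 52",
    "00 10 F0 FF F0 FF 11 C7 7F E8 52",
    "00 04 00 10 00 10 03 C2 D3 1C 93",
    "00 04 00 10 C8 00 04 C8 93 06 D8")]
DISPATCHER_STRINGS = [b"shit", b"disp.dll", b"255.255.255.255",
                      b"StackWalk64", b"imagehlp.dll"]
# YARA "\\\\.\\PhysicalDrive%d" unescapes to \\.\PhysicalDrive%d, as does this Python literal.
STAGE1_64_STRINGS = [b"PRIVHEAD", b"\\\\.\\PhysicalDrive%d", b"ZwDeviceIoControlFile"]
STAGE1_32_KEYS = [_hex(k) for k in ("331015EA261D38A7", "9145A98BA37617DE", "EF745F23AA67243D")]
RC5_KEYS = [_hex(k) for k in ("73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01",
                              "10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78")]


def is_mz(data):
    """($mz at 0): the buffer begins with the DOS/PE 'MZ' signature."""
    return data.startswith(b"MZ")


def apt_regin_vfs(data):
    return any(data.startswith(h) for h in VFS_HEADERS)


def apt_regin_dispatcher_disp_dll(data):
    return is_mz(data) and all(s in data for s in DISPATCHER_STRINGS)


def apt_regin_2013_64bit_stage1(data):
    return is_mz(data) and all(s in data for s in STAGE1_64_STRINGS) and len(data) < 100000


def apt_regin_2011_32bit_stage1(data):
    return is_mz(data) and any(k in data for k in STAGE1_32_KEYS) and len(data) < 300000


def apt_regin_rc5key(data):
    return any(k in data for k in RC5_KEYS)


RULES = [apt_regin_vfs, apt_regin_dispatcher_disp_dll, apt_regin_2013_64bit_stage1,
         apt_regin_2011_32bit_stage1, apt_regin_rc5key]


def match_rules(data):
    """Names of the rules that fire on a buffer, in the order the report lists them."""
    return [r.__name__ for r in RULES if r(data)]


# Constructed buffers (not real samples). "stage1_64_too_big" carries the right
# strings but exceeds the rule's filesize bound, so it must not match.
SAMPLES = {
    "vfs_like": VFS_HEADERS[2] + b"\x00" * 64,
    "disp_like": b"MZ" + b"\x00" * 32 + b"".join(DISPATCHER_STRINGS),
    "stage1_64_like": b"MZ" + b"".join(STAGE1_64_STRINGS),
    "stage1_64_too_big": b"MZ" + b"".join(STAGE1_64_STRINGS) + b"\x00" * 100000,
    "stage1_32_like": b"MZ" + b"\x90" * 16 + STAGE1_32_KEYS[1],
    "key_in_config": b"[config]\n" + RC5_KEYS[0],
    "benign_pe": b"MZ" + b"this program cannot be run in DOS mode",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:18s} -> {match_rules(buf) or 'no match'}")
```

The filesize bounds in the two stage-1 rules are worth noting when reading the output: a loader padded past 100000 bytes would slip past apt_regin_2013_64bit_stage1 even with all three strings present, which is the kind of limitation a defender should know before relying on a single rule.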

Open source white papers:

https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf

About Wapack Labs

Wapack Labs, located in the technology mills of Manchester, NH is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246, or feedback@wapacklabs.com.




[1] YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic. (http://plusvic.github.io/yara/)