REGIN : Stealthy Malware
Transcript of REGIN : Stealthy Malware
8/10/2019 REGIN : Stealthy Malware
1/35
Groundbreaking Malware
By: Anupam Tiwari, CEH, CCCSP, PGDIS, GFSU Certified, B.Tech, M.Tech
9/35
What is REGIN all about?
10/35
A sophisticated malware, revealed by Kaspersky Lab and Symantec in November 2014, that targets specific users of Microsoft Windows-based computers.
11/35
Kaspersky Lab says it first became aware of REGIN in spring 2012, but that some of the earliest samples date from 2003.
12/35
REGIN has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.
A back-door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen.
Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance.
13/35
Targets:
Telecom operators
Government institutions
Multinational political bodies
Financial institutions
Research institutions
Individuals involved in advanced mathematical/cryptographic research
14/35
Main Objectives
Intelligence gathering
Facilitating other types of attacks
15/35
Initial Compromise & Lateral Movement
The replication modules are copied to remote computers using Windows administrative shares and then executed.
The exact method used for the initial compromise remains a mystery, although several theories exist, including use of man-in-the-middle attacks with browser zero-day exploits.
Lateral movement requires administrative privileges inside the victim's network.
16/35
The REGIN Platform
Although to date REGIN is being referred to as the REGIN malware, it is not entirely accurate to use the term malware.
REGIN is more of a cyber attack platform, which the attackers deploy in victim networks for total remote control at all levels.
17/35
REGIN Platform Diagram
The REGIN Stages
18/35
The REGIN Stages
19/35
The REGIN Stages
Researchers at Symantec suspect that the Trojan is a government-created surveillance tool, since it likely took "months, if not years" to create.
REGIN is encrypted in multiple stages, making it hard to know what is happening unless it is captured in every stage. It even has tools to fight forensics, and it can use alternative encryption in a pinch.
20/35
The REGIN Stages
21/35
The REGIN Stages
Symantec Security Response had not obtained the Regin dropper at the time of writing. Once the dropper is executed on the target's computer, it will install and execute Stage 1.
It is likely that Stage 0 is responsible for setting up various extended attributes and/or registry keys and values that hold encoded versions of stages 2, 3, and potentially stages 4 and onwards.
22/35
The REGIN Stages
Stage 1 is the initial load point for the threat. Stage 1 simply reads and executes Stage 2 from a set of NTFS extended attributes. If no extended attributes are found, Stage 2 is executed from a set of registry keys.
23/35
The REGIN Stages
Stage 2 is a kernel driver that simply extracts, installs and runs Stage 3. Stage 2 is not stored in the traditional file system, but is encrypted within an extended attribute or a registry key blob.
24/35
The REGIN Stages
Stage 3 is a kernel-mode DLL and is not stored in the traditional file system. Instead, this file is encrypted within an extended attribute or registry key blob.
25/35
The REGIN Stages
The files for Stage 4, which are loaded by Stage 3,
consist of a user-mode orchestrator and multiple
kernel payload modules.
26/35
The REGIN Stages
Stage 5 consists of the main REGIN payload functionality. The files for Stage 5 are injected into services.exe by Stage 4.
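The stage slides above describe encoded stages parked in registry values rather than in files. The script below is an added defender-side example, not code from the slides or from any vendor report: it parses a Windows registry export (.reg) and flags binary values that are both large enough to hold a stage and high-entropy, the signature of an encrypted blob. The sample export, the key path and the size/entropy thresholds are constructed for the demonstration.

```python
# Added example (not from the slides): hunt a Windows .reg export for large,
# high-entropy binary values, the kind of blob encoded REGIN stages were parked in.
# Sample export, key path and thresholds are constructed for the demonstration.
import hashlib, math, re
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=hex(?:\(\d+\))?:(?P<hex>[0-9a-fA-F,]*)$')

def parse_reg_binary_values(text):
    """Return (key, name, bytes) for every hex / hex(N) value in a .reg export."""
    key, buf, found = None, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key path
            continue
        buf += line
        if buf.endswith("\\"):        # regedit splits long values: ",\" + 2-space indent
            buf = buf[:-1]
            continue
        m = _VALUE_RE.match(buf)
        buf = ""
        if m:
            data = bytes(int(h, 16) for h in m.group("hex").split(",") if h)
            found.append((key, m.group("name"), data))
    return found

def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def suspicious_blobs(text, min_size=1024, min_entropy=7.0):
    """Values big enough to hold a stage and random-looking enough to be encrypted."""
    return [(key, name, len(data), round(shannon_entropy(data), 2))
            for key, name, data in parse_reg_binary_values(text)
            if len(data) >= min_size and shannon_entropy(data) >= min_entropy]

def _reg_value(name, data, per_line=25):   # format bytes the way regedit exports them
    hx = ["%02x" % b for b in data]
    rows = [",".join(hx[i:i + per_line]) for i in range(0, len(hx), per_line)]
    return '"%s"=hex(3):' % name + ",\\\n  ".join(rows)

# Constructed stand-in for an encrypted stage: 2048 pseudo-random bytes.
_STAGE_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_REG = ("Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\\SYSTEM\\"
              "CurrentControlSet\\Control\\PlaceholderKey]\n\"Config\"=hex:01,00,00,00\n"
              + _reg_value("Blob", _STAGE_LIKE) + "\n")
```

Run `suspicious_blobs(SAMPLE_REG)` against a real `reg export` file to see the ordinary 4-byte "Config" value ignored and only the 2048-byte blob reported with its entropy; legitimate large binary values (certificates, cached images) will also score high, so the output is a triage list, not a verdict.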
27/35
REGIN GSM Targeting
The most interesting aspect found so far regarding REGIN relates to an infection of a large GSM operator.
One VFS encrypted entry located had internal id 50049.2, and appears to be an activity log on a GSM Base Station Controller.
28/35
REGIN Payloads
29/35
REGIN GSM Targeting
Here's a look at the decoded REGIN GSM activity log:
The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts:
sed[snip]:Alla[snip] hed[snip]:Bag[snip] oss:New[snip]
administrator:Adm[snip]
30/35
REGIN Communication & C&C
The C&C mechanism implemented in REGIN is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks.
Most victims communicate with another machine in their own internal network through various protocols, as specified in the config file.
31/35
REGIN Communication & C&C
After decoding all the configurations collected, the following external C&Cs were identified:
32/35
REGIN Communication & C&C
All the victims identified communicate with each other, forming a peer-to-peer network.
The P2P network includes the president's office, a research center, an educational institution network and a bank.
Spread across the country, these victims are all interconnected with each other.
One of the victims contains a translation drone, which has the ability to forward packets outside the country, to the C&C in India.
33/35
REGIN Victims
Global Distribution
35/35
Contact me:
http://about.me/anupam.tiwari
https://www.youtube.com/user/anupam50/videos