by Kim Crawley

No ordinary mobile attack: The Regin menace

Dec 02, 2014 (7 mins)
Cybercrime, Data and Information Security, Mobile Security

When you read about security attacks involving mobile network technology, typically they’re incidents that target mobile devices used by consumers.

All kinds of malware have been found over the years that target iOS and Android. Isolate the malicious files, wait for antivirus software to acquire signatures a day or so after a zero-day is discovered, run the scan, reboot your device, and you’re all set.

That’s not what Regin is, oh no. Regin is the story of a global cyberattack mechanism on a massive scale. Hold on to your seats, because I’m going to take you on a bumpy ride.

Something Smells Like Duqu

To the uninitiated, Duqu is a trojan that was bound to Microsoft Word files. It exploits a vulnerability that existed in the TrueType font parsing engine in Windows’ win32k.sys. Its obfuscated code is among the reasons why researchers at Kaspersky, F-Secure, and Symantec believe it may have been developed by the team behind the ever-notorious Stuxnet worm. A chilling parallel is how Stuxnet’s kernel driver, mrxcls.sys, is so similar to Duqu’s kernel driver, jmient7.sys, that it triggered F-Secure’s signatures to identify Duqu as Stuxnet. It appears to have been developed with the aid of Visual Studio 2008’s C compiler.

Duqu is spyware that fingerprints vulnerability and system configuration data to aid in attacking industrial SCADA systems. Duqu wasn’t designed to have a destructive effect; it was just programmed to sit in the kernel and application layers of Windows machines and snoop.

Duqu was discovered in September 2011. Months later, sometime in spring 2012, Kaspersky Lab held a conference for security researchers to discuss Duqu. A researcher (whom Kaspersky hasn’t identified) said that he noticed patterns in Duqu’s behavior that reminded him of something else. He mentioned a malware attack that he and his colleagues had been stumped by for years: Regin.

Regin’s Genesis and Platform

Malware researchers aren’t yet certain as to when Regin debuted. There are logs with timestamps dating back to 2003 that may indicate it, but those are still being analyzed.

But according to Kaspersky, Regin is too complex to simply be labeled as malware. It’s more accurate to say that Regin involves malware. Regin is a highly sophisticated cyberattack platform.

So far, according to Symantec, Regin has been found to attack computers in the following countries, that I’ve listed in order of infection frequency: Russia, Saudi Arabia, Ireland, Mexico, India, Pakistan, Belgium, Austria, Afghanistan, and Iran. Inevitably, if it hasn’t already, Regin will attack other parts of the world very soon.

Typically, a Regin attack starts by targeting a Windows client or server. It executes in a sequence of five stages.

  • Stage 1: The first stage is usually the only component that can be found on a victim’s Windows machine as malware. A number of Dynamic Link Libraries have been found as the first stage of Regin. For example, wshnetc.dll was found on a machine in Belgium, and wsharp.dll was found on a machine in Germany. The sole purpose of Regin’s stage one malware is to load the second stage.
  • Stage 2: The second stage behaves differently according to whether it has attacked a 32-bit or a 64-bit Windows machine. On a 32-bit machine, it runs as a driver module, in kernel mode. Regin may be attacking your 32-bit Windows if you find %SYSTEMROOT%/system32/nsreg1.dat, bssec3.dat, or msrdc64.dat in your registry files. On a 64-bit machine, instead of writing the second stage where it may be more easily detected, such as in the registry, it’s written at the end of the last partition on the targeted HDD, usually an NTFS file system. Instead of kernel mode, it runs in user mode, likely because operating in the 64-bit Windows kernel makes its activity easier to detect. The 64-bit stage two loader is a portable DLL, which is rather sneaky. In both the 32- and 64-bit variants, the stage two code is stored encrypted and is decrypted with a hardcoded RC5 key.
  • Stage 3: The third stage of a Regin attack occurs only on 32-bit Windows. It operates an encrypted virtual file system and loads many plugins. The driver module for stage three is usually a system file named vmem.sys.
  • Stage 4: In the fourth stage of both 32-bit and 64-bit attacks, a dispatcher module, disp.dll, runs. The fourth stage is the most intensive and crucial component of Regin. It provides the APIs that run the entire platform. It operates within a virtual file system, with everything encrypted. Kaspersky has identified 24 different stage four VFSes so far. They’re written to and used from various locations, which can differ from one Regin infection to another.
  • Stage 5: As long as the Regin attack isn’t stopped in stage four, stage five is when Regin actually spies on your systems. Keyloggers run, data is stolen, screenshots are taken, and traffic is intercepted.
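The 64-bit stage two described above is kept encrypted and stored in the space past the last partition rather than in the registry, which is exactly where routine file-system tooling does not look. The following is an added example, written for this article and not code from the article, from Kaspersky, or from Symantec, of a defender-side triage check for that storage pattern: it parses a classic MBR partition table, takes the region after the last partition entry, and measures the Shannon entropy of whatever non-zero bytes sit there, since an encrypted blob scores close to 8 bits per byte while unused disk tail usually scores near zero. The disk image is constructed inline; the 7.0-bit threshold, the 1 KiB minimum size, and the MBR-only layout (no GPT support) are assumptions, and the check does not claim to reproduce Regin’s exact on-disk placement.

```python
"""Triage check for unexpected high-entropy data stored beyond the last MBR partition.

Added example for this article; not the article's, Kaspersky's or Symantec's code.
"""
import math
import os
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
ENTROPY_THRESHOLD = 7.0   # bits per byte; assumption: encrypted/compressed data sits near 8.0
MIN_PAYLOAD_BYTES = 1024  # assumption: ignore a few stray bytes of metadata or wiper residue


def parse_mbr_partitions(mbr: bytes) -> list:
    """Return (start_lba, sector_count) for each populated primary partition entry."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0 does not carry an MBR boot signature")
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        part_type = entry[4]                                   # 0x00 means unused slot
        start_lba, sector_count = struct.unpack("<II", entry[8:16])
        if part_type != 0 and sector_count != 0:
            partitions.append((start_lba, sector_count))
    return partitions


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_post_partition_slack(image: bytes) -> dict:
    """Locate the region after the last partition and score its contents."""
    partitions = parse_mbr_partitions(image[:SECTOR_SIZE])
    if not partitions:
        raise ValueError("no partitions found in MBR")
    last_end = max(start + count for start, count in partitions) * SECTOR_SIZE
    slack = image[last_end:]
    payload = slack.rstrip(b"\x00")  # zero fill at the tail of a disk is normal
    entropy = shannon_entropy(payload)
    return {
        "slack_offset": last_end,
        "slack_bytes": len(slack),
        "nonzero_bytes": len(payload),
        "entropy": round(entropy, 3),
        "suspicious": len(payload) >= MIN_PAYLOAD_BYTES and entropy >= ENTROPY_THRESHOLD,
    }


def build_test_image(slack_payload: bytes) -> bytes:
    """Constructed disk image: one 63-sector NTFS (type 0x07) partition starting at LBA 1,
    followed by whatever the caller wants to place in the post-partition space."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 1, 63)
    mbr = bytearray(SECTOR_SIZE)
    mbr[446:462] = entry
    mbr[510:512] = MBR_SIGNATURE
    partition_area = bytes(63 * SECTOR_SIZE)  # partition contents are irrelevant here
    return bytes(mbr) + partition_area + slack_payload


if __name__ == "__main__":
    # Constructed inputs: clean tail, a stand-in for an encrypted blob, and repetitive filler.
    for label, tail in (("zero tail", bytes(4096)),
                        ("random tail", os.urandom(4096)),
                        ("repetitive tail", b"ABCD" * 1024)):
        print(label, scan_post_partition_slack(build_test_image(tail)))
```

Entropy alone is a lead, not a verdict: random-fill wiping, vendor recovery data and compressed backups also score near 8 bits per byte, so a hit should be followed by imaging the region and comparing it against known-good hosts of the same build. GPT disks carry their partition table in later sectors and need a different parser before the same scoring applies.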

Regin: The GSM Cyberespionage System

It appears that the intended targets of Regin are mainly GSM cellular networks, used to spy on governments, scientific research institutions, corporations, and private individuals. The majority of the world’s cell networks use GSM. By entering Windows machines that are front-ends of GSM infrastructure, Regin has been able to conduct cyberwarfare activity on an immense scale.

Kaspersky believes that Regin’s name comes from reversing “in reg,” as in, in the Windows registry. I really wish Windows wasn’t deployed as a GSM network front-end, or in any SCADA system. I would deploy GNU/Linux or BSD/Unix based operating systems instead. There’s a much greater diversity of Linux and Unix-based OSs than Windows, so targeting any particular vulnerability will only affect a percentage of operating systems of a certain platform, instead of most or all of them. Microsoft developers also integrate libraries way too much for my liking; *nix libraries tend to be much more isolated, affecting fewer applications and components.

As so many of the world’s cellular networks are GSM, mobile devices used by all kinds of individuals with access to highly classified data can be attacked. And as Regin operates in GSM infrastructure, it doesn’t matter if a target’s phone or tablet runs iOS, Android, Windows Phone, or BlackBerry.

The earliest attacks that we’re certain are Regin date back to 2008, even though suspected Regin attacks may be as old as 2003. Regin has evolved over the years, and keep in mind that it’s a complete cyberattack platform, not a single piece of malware. The most recent versions of Regin, the latest development cycle, have been identified since 2013.

Because of the sophistication of Regin, and how very expensive it probably is to develop and deploy, it’s probably the project of a nation’s military cyberwarfare division. My gut tells me it’s likely the Chinese government, although there’s no evidence of that yet. China and Russia are the usual international cyberwarfare suspects, and Russian networks have been attacked by Regin, with no evidence of Chinese networks having been attacked. If Regin’s source turns out not to be China, then Chinese GSM networks have been attacked and we don’t know it due to their possible secrecy.

If you operate a Windows GSM network front-end, Kaspersky’s and Symantec’s signatures can now identify many Regin stage one backdoors.

But Regin components evolve quickly, and much of Regin’s malware is still unknown, so there will probably be many more zero-day Regin attacks in the future. If your Windows machines don’t operate GSM networks, Regin may not be targeting them, as its payload seems to target GSM infrastructure for the most part. I predict that UMTS, CDMA and other non-GSM cellular networks may be targeted by new, specific versions of Regin in the near future.

Crawley is a security researcher for the InfoSec Institute.