When Der Spiegel published documents about the NSA's cyber weapons, the authors also included a sample of malware dubbed QWERTY, a stealthy keylogger "designed to invisibly record all key strokes from an infected Windows computer." The QWERTY (pdf) keylogger is a "plugin for WARRIORPRIDE," which is "part of the Five Eyes malware framework;" QWERTY was "designed to intercept all keyboard keys pressed by the victim and record them for later inspection." The Der Spiegel article asked people to study the sample of QWERTY malware code, and sharp minds got to work on analyzing it.

Now Der Spiegel has reported that new analysis by Kaspersky Lab researchers found that QWERTY is the "keylogger-module from Regin." Kaspersky's analysis "provides clear proof that Regin is in fact the cyber-attack platform belonging to the Five Eyes alliance, which includes the US, Britain, Canada, Australia and New Zealand."

Regin research

In case you don't know about Regin, in November Symantec called the advanced malware a "top-tier espionage tool" for secret surveillance. It was sophisticated like Stuxnet and Duqu; it was "highly suited for persistent, long term surveillance operations against targets." Although the researchers had seen Regin used in fewer than 100 attacks (pdf), it provided "its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals."

F-Secure researchers said they believed Regin was "in the same category of highly sophisticated espionage campaigns" as "Stuxnet, Flame, and Turla/Snake," but that the malware didn't come out of Russia or China.

Kaspersky Lab previously summed up Regin as "a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote control at all possible levels." They believe the malware has been around for about 10 years and that 27 different victims had been targeted by Regin. They identified 14 countries that had been victims of the malware: Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Russia and Syria.

But now that Kaspersky Lab has analyzed the QWERTY malware published by Der Spiegel via Snowden, researchers Costin Raiu and Igor Soumenkov discovered that "the QWERTY malware is identical in functionality to the Regin 50251 plugin." They told Der Spiegel, "We are certain that we are looking at the keylogger-module from Regin."

QWERTY as a plugin for Regin

When analyzing the QWERTY module, Kaspersky researchers found three binaries. They called 20123.sys "particularly interesting" because "it was built from source code that can also be found in one Regin module, the '50251' plugin." They added, "One particular part of code is used in both the QWERTY 20123 module and the Regin's 50251 counterpart, and it addresses the plugin 50225 that can be found in the virtual filesystems of Regin." That "serves as solid proof that the QWERTY plugin can only operate as part of the Regin platform."

The researchers concluded:

The QWERTY keylogger doesn't function as a stand-alone module; it relies on kernel hooking functions which are provided by the Regin module 50225. Considering the extreme complexity of the Regin platform and the little chance that it can be duplicated by somebody without having access to its source code, we conclude the QWERTY malware developers and the Regin developers are the same or working together.

Another important observation is that Regin plugins are stored inside an encrypted and compressed VFS [Virtual File System], meaning they don't exist directly on the victim's machine in "native" format. The platform dispatcher loads and executes these plugins at startup. The only way to catch the keylogger is by scanning the system memory or decoding the VFSes.

We will surely hear more about Regin; just last week, Kaspersky published its analysis of Hopscotch and Legspin, two older "stand alone tools" developed even before Regin. While Hopscotch was primarily used for "lateral movement," they called Legspin a "powerful backdoor" that dates back to 2002-2003.
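The Kaspersky conclusion above turns on a detection point: a plugin that lives only inside an encrypted, compressed VFS and is unpacked by a dispatcher at startup leaves no native module on disk, so a defender has to look in memory. The following script is an added illustration of that memory-scanning approach, written for this page and not code from the article, Kaspersky, or any Regin analysis. It walks a raw memory image for PE headers using the public PE layout (the `e_lfanew` field at offset 0x3c of the DOS header, the `PE\0\0` signature, and the `Machine` and `NumberOfSections` fields that follow). The memory image it scans is constructed inline for the demo; the sanity bounds on `e_lfanew` and the section count are heuristics chosen here, not values taken from any sample.

```python
"""Find PE images in a raw memory dump (added example, constructed input).

Modules that are unpacked from an encrypted container straight into memory
never exist on disk in native form, so one detection step is to sweep a
memory image for PE headers and then compare the hits against the loaded
module list.  This script implements only the sweep.
"""
import struct

# IMAGE_FILE_HEADER.Machine values for the architectures this scan accepts.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def find_pe_images(mem: bytes):
    """Return [(offset, machine, number_of_sections), ...] for each plausible PE header.

    A hit requires: "MZ" at the offset, an e_lfanew inside a sane window
    (heuristic: 0x40..0x400), "PE\\0\\0" at that position, a known Machine
    value and a non-zero, bounded section count.
    """
    hits = []
    pos = mem.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(mem):
            e_lfanew = struct.unpack_from("<I", mem, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if (0x40 <= e_lfanew <= 0x400 and nt + 24 <= len(mem)
                    and mem[nt:nt + 4] == b"PE\0\0"):
                machine, nsections = struct.unpack_from("<HH", mem, nt + 4)
                if machine in MACHINE_NAMES and 0 < nsections <= 96:
                    hits.append((pos, MACHINE_NAMES[machine], nsections))
        pos = mem.find(b"MZ", pos + 1)
    return hits


def build_fake_pe(machine: int, nsections: int, e_lfanew: int = 0x80) -> bytes:
    """Construct a minimal DOS header + NT signature + file header (demo only)."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + file_header + b"\0" * 64


def _noise(n: int) -> bytes:
    """Deterministic filler that never contains the byte pair "MZ"."""
    return bytes((i * 37 + 11) & 0xFF for i in range(n))


def constructed_memory_image() -> bytes:
    """A CONSTRUCTED dump: filler, an "MZ" decoy with no PE header, two images."""
    decoy = b"MZ" + b"\0" * 0x3E            # e_lfanew == 0, must be rejected
    return (_noise(0x1000) + decoy + _noise(0x200)
            + build_fake_pe(0x8664, 5)             # lands at 0x1240
            + _noise(0x300)
            + build_fake_pe(0x014C, 3, e_lfanew=0xE8)  # lands at 0x1618
            + _noise(0x100))


if __name__ == "__main__":
    for off, arch, nsec in find_pe_images(constructed_memory_image()):
        print(f"PE image at 0x{off:06x}: {arch}, {nsec} sections")
```

On a real dump the list returned by `find_pe_images` would be cross-checked against the kernel's loaded-module and process-module lists; an image with no backing file or no matching loaded module is the candidate to carve out and analyze further.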