Regin is a full cyber espionage platform capable of complete remote control and monitoring at all possible levels. Attribution is difficult in cases like this; however, considering the complexity of the development effort, G-Data suspects that this operation is supported by a nation-state, but one originating neither from Russia nor from China.
Kaspersky Lab has done some research on Regin as well:

Perhaps one of the most publicly known victims of Regin is Jean-Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.

G-Data has created a tool to detect the trojan; get the tool from G-Data.

We identified the use of an encrypted virtual file system. In the version mentioned above, the file system is a fake .evt file in %System%\config. The header of the virtual file system is always the same:

typedef struct _HEADER {
    uint16_t SectorSize;       /* size of one sector in the virtual file system */
    uint16_t MaxSectorCount;   /* maximum number of sectors */
    uint16_t MaxFileCount;     /* maximum number of files */
    uint8_t  FileTagLength;    /* length of the per-file tag */
    uint16_t crc32custom;      /* custom CRC32 checksum of the header */
} HEADER;

During our analysis, the checksum was a CRC32. A generic approach to detecting the infection is to check for the existence of such a virtual file system on a suspect machine by verifying the custom CRC32 value at the beginning of the file system.
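The following is an added example (not G-Data's tool, nor code from the original post) of how a defender could implement the header check described above. It parses the 9-byte header layout from the typedef (assumed packed, little-endian), recomputes a table-driven CRC32 over the fields that precede crc32custom, and compares the low 16 bits against the stored value. The page does not give the custom CRC32 parameters, so the polynomial, initial value and final XOR default to the standard CRC-32 and are parameters an analyst would replace with the recovered ones; the choice of which bytes the checksum covers and the 16-bit truncation are likewise assumptions. The sample header used for the demonstration is constructed here, not taken from a real sample.

```python
import os
import struct
from typing import List, NamedTuple, Optional

# Layout from the page's typedef, assumed packed with no padding: 9 bytes, little-endian.
HEADER_FMT = "<HHHBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 9
CHECKSUM_OFFSET = HEADER_LEN - 2          # crc32custom is the trailing uint16


class VfsHeader(NamedTuple):
    sector_size: int
    max_sector_count: int
    max_file_count: int
    file_tag_length: int
    crc32custom: int


def make_crc32_table(poly: int) -> List[int]:
    """Build a reflected CRC-32 lookup table for the given (reflected) polynomial."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc32(data: bytes, poly: int = 0xEDB88320, init: int = 0xFFFFFFFF,
          xor_out: int = 0xFFFFFFFF) -> int:
    """Table-driven reflected CRC-32. Defaults are the standard CRC-32 (zlib);
    replace poly/init/xor_out with the custom parameters recovered from a sample."""
    table = make_crc32_table(poly)
    c = init
    for b in data:
        c = table[(c ^ b) & 0xFF] ^ (c >> 8)
    return (c ^ xor_out) & 0xFFFFFFFF


def parse_header(buf: bytes) -> Optional[VfsHeader]:
    """Unpack the first HEADER_LEN bytes; None if the buffer is too short."""
    if len(buf) < HEADER_LEN:
        return None
    return VfsHeader(*struct.unpack_from(HEADER_FMT, buf, 0))


def expected_checksum(buf: bytes, **crc_params) -> int:
    """Assumption: the checksum covers the 7 header bytes before crc32custom,
    stored as the low 16 bits of the 32-bit CRC."""
    return crc32(buf[:CHECKSUM_OFFSET], **crc_params) & 0xFFFF


def looks_like_regin_vfs(buf: bytes, **crc_params) -> bool:
    """True if the buffer starts with a header whose stored checksum matches."""
    hdr = parse_header(buf)
    if hdr is None or hdr.sector_size == 0:   # a zero sector size is not a usable file system
        return False
    return hdr.crc32custom == expected_checksum(buf, **crc_params)


def build_header(sector_size: int, max_sector_count: int, max_file_count: int,
                 file_tag_length: int, **crc_params) -> bytes:
    """Construct a header with a consistent checksum (used here only to make test data)."""
    body = struct.pack("<HHHB", sector_size, max_sector_count, max_file_count, file_tag_length)
    return body + struct.pack("<H", crc32(body, **crc_params) & 0xFFFF)


def scan_directory(path: str, suffix: str = ".evt", **crc_params) -> List[str]:
    """Return files under `path` (default: *.evt, as in %System%\\config) whose first
    bytes pass the header check. Unreadable files are skipped."""
    hits = []
    for entry in os.scandir(path):
        if not entry.is_file() or not entry.name.lower().endswith(suffix):
            continue
        try:
            with open(entry.path, "rb") as f:
                head = f.read(HEADER_LEN)
        except OSError:
            continue
        if looks_like_regin_vfs(head, **crc_params):
            hits.append(entry.path)
    return hits


if __name__ == "__main__":
    # Constructed sample values; real parameters must come from an analysed sample.
    sample = build_header(0x200, 0x400, 0x20, 4)
    print(parse_header(sample), looks_like_regin_vfs(sample))
```

On a Windows host the directory to pass to scan_directory would be the %System%\config path named above; the function itself is platform-neutral so it can also be run over files copied off a disk image.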