Wednesday, December 03, 2014

G-Data Reins In Regin: Top-tier Espionage Tool.

Regin is a full cyber espionage platform capable of complete remote control and monitoring at every possible level. Attribution is difficult in cases like this; however, given the complexity of the development effort, G-Data suspects that the operation is backed by a nation-state, though one that is neither Russia nor China.

Kaspersky Lab has done some research on Regin as well:

Perhaps one of the most publicly known victims of Regin is Jean-Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.

G-Data has created a tool to detect the trojan:
We identified the use of an encrypted virtual file system. In the version mentioned above, the file system is a fake .evt file in %System%\config. The header of the virtual file system is always the same:

#include <stdint.h>

#pragma pack(push, 1)            /* on-disk layout, no padding between fields */
typedef struct _HEADER {
  uint16_t SectorSize;
  uint16_t MaxSectorCount;
  uint16_t MaxFileCount;
  uint8_t  FileTagLength;
  uint32_t crc32custom;          /* 32-bit custom CRC32 checksum */
} HEADER;
#pragma pack(pop)
During our analysis, the checksum was a CRC32. A generic approach to detect the infection could be a detection of the existence of a virtual file system on the infected system by checking the custom CRC32 value at the beginning of the file system.
Get the tool from G-Data
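The detection approach quoted above, written out as an added Python example (it is not G Data's tool and not code from the original post): the script parses the quoted header layout, verifies the checksum, and walks a directory for .evt files that pass the check. The post does not give the parameters of Regin's custom CRC32, so the standard zlib CRC32 over the seven bytes preceding the checksum is used as an assumed stand-in; the crc32custom field is read as a 32-bit little-endian value, and the plausibility bounds on the other fields are assumptions as well. The sample header and the decoy .evt file are constructed for the demo, not taken from a real infection.

```python
"""Heuristic scanner for a Regin-style encrypted virtual file system header.

Added example for this post; it is not G Data's detection tool. Field layout
follows the _HEADER struct quoted above, read little-endian and packed
(2+2+2+1+4 = 11 bytes) with crc32custom taken as a 32-bit value. The post
does not document Regin's custom CRC32, so the standard zlib CRC32 over the
seven bytes that precede the checksum is used here as an assumed stand-in;
the plausibility bounds on the other fields are assumptions too.
"""
import os
import struct
import tempfile
import zlib

HEADER_FMT = "<HHHBI"   # SectorSize, MaxSectorCount, MaxFileCount, FileTagLength, crc32custom
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 11 bytes

# Genuine Windows .evt files begin with a 0x30 header length followed by "LfLe".
EVT_SIGNATURE = b"\x30\x00\x00\x00LfLe"


def custom_crc32(data: bytes) -> int:
    """Assumption: stand-in for Regin's undocumented custom CRC32 variant."""
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_header(blob: bytes):
    """Return the header fields as a dict, or None if the blob is too short."""
    if len(blob) < HEADER_SIZE:
        return None
    fields = struct.unpack(HEADER_FMT, blob[:HEADER_SIZE])
    names = ("SectorSize", "MaxSectorCount", "MaxFileCount", "FileTagLength", "crc32custom")
    return dict(zip(names, fields))


def header_looks_like_vfs(blob: bytes) -> bool:
    """Checksum must match; the plausibility bounds below are assumptions."""
    hdr = parse_header(blob)
    if hdr is None or blob.startswith(EVT_SIGNATURE):
        return False
    if custom_crc32(blob[:HEADER_SIZE - 4]) != hdr["crc32custom"]:
        return False
    return (hdr["SectorSize"] > 0 and hdr["SectorSize"] % 2 == 0
            and hdr["MaxSectorCount"] > 0 and hdr["MaxFileCount"] > 0
            and 0 < hdr["FileTagLength"] <= 32)


def scan_directory(root: str, suffix: str = ".evt") -> list:
    """Walk `root` and return paths of files whose leading bytes pass the check."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    blob = fh.read(HEADER_SIZE)
            except OSError:
                continue
            if header_looks_like_vfs(blob):
                hits.append(path)
    return hits


def make_sample_header(sector_size=0x200, max_sectors=0x800, max_files=0x40, tag_len=0x10) -> bytes:
    """Constructed test header (not from a real sample), checksummed with custom_crc32."""
    body = struct.pack("<HHHB", sector_size, max_sectors, max_files, tag_len)
    return body + struct.pack("<I", custom_crc32(body))


def demo_scan() -> list:
    """Plant a constructed VFS header beside a genuine-looking .evt and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "SysEvent.evt"), "wb") as fh:   # decoy: real EVT signature
            fh.write(EVT_SIGNATURE + b"\x00" * 40)
        with open(os.path.join(tmp, "AppEvent2.evt"), "wb") as fh:  # constructed fake VFS
            fh.write(make_sample_header() + b"\x00" * 40)
        return [os.path.basename(p) for p in scan_directory(tmp)]


if __name__ == "__main__":
    print(demo_scan())
```

On a live host, point scan_directory at the config directory the quote names. With the stand-in checksum the script only demonstrates the mechanism; replace custom_crc32 with the real variant before trusting any hit, and treat the field bounds as a false-positive filter rather than a signature.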