
German intelligence agencies have discovered new traces of the Regin virus

An Irish news source reported that the German intelligence services have begun investigating new cases of compromised computers and communications equipment in the office of Angela Merkel. These are new infections with the well-known Regin virus, which came to light a year ago and is considered the most dangerous state-sponsored malware to date. Regin is a sophisticated software platform for conducting cyber espionage and data collection.



After the publication of secret NSA documents by the fugitive former agent Edward Snowden, details of the various spyware tools used by that agency, as well as by the British intelligence service GCHQ, became known. One such malware, called QWERTY, has program code identical to that of Regin. This fact, together with others, strengthened researchers' confidence that the NSA and/or GCHQ could be behind Regin.

Unlike other state-sponsored malware programs, which focus on data collection and operate fairly simply within the OS, Regin uses special mechanisms to embed itself in the system. The malware uses its own implementation of an encrypted file system to store its data. Regin modules exist in 32-bit and 64-bit variants. Data theft is carried out by drivers that Regin installs into the system. The malware is also capable of compromising GSM networks.
The first reports that computers in Merkel's office, as well as her own, were infected with Regin appeared last year. Users in many countries, including Russia, Saudi Arabia, Mexico, Ireland and India, have also fallen victim to Regin. The largest share of infections was among private individuals and telecommunications companies.


Fig. Regin platform architecture (Symantec data).

To install implants (Regin modules) into the system, a multi-stage loader is used, each stage decrypting the code of the next one. The malware specializes in stealing screenshots, keystrokes, network traffic, web browser passwords, account data, the memory contents of selected processes, electronic messages, etc.
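Both the encrypted container described above and the chain of loaders that each decrypt the next stage leave the same trace on disk and in memory: regions of near-random bytes where ordinary code, text or padding would be expected. The following Python script is an added example, not code from the article, from ESET or from Symantec; it implements the generic triage heuristic an analyst would use to spot such regions, sliding a fixed-size window over a buffer and reporting windows whose Shannon entropy is close to 8 bits per byte. The window size, the threshold of 7.0 and the sample buffer are my own choices, and the sample is constructed (a SHA-256 counter-mode keystream standing in for an encrypted blob), so the script runs offline and is reproducible.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Split `data` into consecutive fixed-size windows and return a list of
    (offset, entropy) tuples for every window at or above `threshold`.

    Encrypted or compressed payloads (an encrypted loader stage, an encrypted
    container file) approach 8.0 bits/byte; code, text and padding sit well
    below. The window size and threshold are assumptions, not measured values.
    """
    hits = []
    for off in range(0, len(data) - window + 1, window):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits


def _keystream(length: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) standing in
    for an encrypted blob, so the constructed sample below is reproducible."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample "file": a readable header, then 1 KiB that looks encrypted,
# then 1 KiB of zero padding. Only the middle window should be flagged.
SAMPLE = (
    (b"plain text header, nothing unusual here. " * 30)[:1024]
    + _keystream(1024)
    + b"\x00" * 1024
)


if __name__ == "__main__":
    for off, ent in high_entropy_windows(SAMPLE):
        print(f"offset 0x{off:06x}: entropy {ent:.2f} bits/byte")
```

Entropy alone does not identify Regin (compressed resources and legitimate crypto material score just as high); it only tells the analyst where to look, after which the flagged regions are matched against vendor signatures such as those named below.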

ESET AV products detect Regin modules as Win32/Regin and Win64/Regin.

Source: https://habr.com/ru/post/269521/

