When Der Spiegel published documents about the NSA’s cyber weapons, the authors also included a sample of malware dubbed QWERTY, which was a stealthy keylogger “designed to invisibly record all key strokes from an infected Windows computer.” The QWERTY (pdf) keylogger is a “plugin for WARRIORPRIDE,” which is “part of the Five Eyes malware framework;” QWERTY was “designed to intercept all keyboard keys pressed by the victim and record them for later inspection.” The Der Spiegel article asked people to study the sample of QWERTY malware code, and sharp minds got to work on analyzing it.
Now Der Spiegel has reported that new analysis by Kaspersky Lab researchers found that QWERTY is the “keylogger-module from Regin.” Kaspersky’s analysis “provides clear proof that Regin is in fact the cyber-attack platform belonging to the Five Eyes alliance, which includes the US, Britain, Canada, Australia and New Zealand.”
In case you don’t know about Regin: in November, Symantec called the advanced malware a “top-tier espionage tool” for secret surveillance. It was as sophisticated as Stuxnet and Duqu, and “highly suited for persistent, long term surveillance operations against targets.” Although the researchers had seen Regin used in fewer than 100 attacks (pdf), it provided “its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.”
F-Secure researchers said they believed Regin was “in the same category of highly sophisticated espionage campaigns” as “Stuxnet, Flame, and Turla/Snake,” but that the malware didn’t come out of Russia or China.
Kaspersky Lab previously summed up Regin as “a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote control at all possible levels.” They believe the malware has been around for about 10 years and 27 different victims had been targeted by Regin. They identified 14 countries that had been victims of the malware: Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Russia and Syria.
But now that Kaspersky Lab has analyzed the QWERTY malware published by Der Spiegel via Snowden, researchers Costin Raiu and Igor Soumenkov discovered that “the QWERTY malware is identical in functionality to the Regin 50251 plugin.” They told Der Spiegel, “We are certain that we are looking at the keylogger-module from Regin.”
QWERTY as a plugin for Regin
When analyzing the QWERTY module, Kaspersky researchers found three binaries. They called 20123.sys “particularly interesting” because “it was built from source code that can also be found in one Regin module, the ‘50251’ plugin.” They added, “One particular part of code is used in both the QWERTY 20123 module and the Regin's 50251 counterpart, and it addresses the plugin 50225 that can be found in the virtual filesystems of Regin. That serves as solid proof that the QWERTY plugin can only operate as part of the Regin platform.”
The researchers concluded:
The QWERTY keylogger doesn't function as a stand-alone module; it relies on kernel hooking functions which are provided by the Regin module 50225. Considering the extreme complexity of the Regin platform and the little chance that it can be duplicated by somebody without having access to its source code, we conclude the QWERTY malware developers and the Regin developers are the same or working together.
Another important observation is that Regin plugins are stored inside an encrypted and compressed VFS [Virtual File System], meaning they don't exist directly on the victim's machine in "native" format. The platform dispatcher loads and executes these plugins at startup. The only way to catch the keylogger is by scanning the system memory or decoding the VFSes.
We will surely hear more about Regin; just last week, Kaspersky published its analysis of Hopscotch and Legspin, two older “stand alone tools” developed even before Regin. While Hopscotch was primarily used for “lateral movement,” they called Legspin a “powerful backdoor” that dates back to 2002-2003.