Kaspersky Lab researchers who have recently analyzed a copy of the malicious QWERTY module have discovered that the malware is identical in functionality to a Regin malware plugin, and are convinced that the developers of both pieces of malware are either the same or are working closely together.
The QWERTY sample has been provided to the researchers by Der Spiegel, and is ostensibly used by a number of governments belonging to the Five Eyes intelligence alliance in their computer network operations.
QWERTY is a keylogger, a plugin for the WARRIORPRIDE malware framework. Among the binaries it contains is 20123.sys, a significant part of whose source code can also be found in the Regin 50251 plugin.
“The QWERTY keylogger doesn’t function as a stand-alone module, it relies on kernel hooking functions which are provided by the Regin module 50225,” they also noted.
“As an additional proof that both modules use the same software platform, we can take a look at functions exported by ordinal 1 of both modules. They contain the startup code that can be found in any other plugin of Regin, and include the actual plugin number that is registered within the platform to allow further addressing of the module. This only makes sense if the modules are used with the Regin platform orchestrator.”
“Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together.”
Given the complexity of the Regin platform, there is little chance that someone could have duplicated the code without having access to the source code, they concluded.
The Regin backdoor has been around for years and was always considered to be a cyberespionage tool used by a nation state. It has been used to spy on government organizations, infrastructure operators, private businesses, researchers and private individuals.
It was also reportedly the malware used in the 2013 Belgacom and 2011 EU government hacks, and has been tied to British and American intelligence services.