Regin: Another Military-Grade Malware
Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater.
EDITED TO ADD (12/10): More information.
Nicholas Weaver • November 25, 2014 9:15 AM
Kaspersky is confirming this as the malcode used in the Quisquater attack.
Wired states that it is “similar” to the Belgacom (known GCHQ program), while the Intercept identifies it as Regin (and provides a link to the presumed VirusTotal upload involved in the investigation of Belgacom).
There are also numerous other features that suggest NSA/GCHQ:
Regin is a complex, modular malcode framework which has a multi-stage bootstrap process to start up (or remove itself) and stores its later-stage modules on disk in encrypted virtual file systems.
It's designed as a plug-in architecture, where you have the base malcode and then programmable plugins for specific tasks. We know the NSA uses this sort of architecture for their malcode: UNITEDRAKE and STRAIGHTBIZARRE are specific frameworks for modular malcode referred to in the ANT catalog.
It's probably written by English speakers, and uses some NSA-like codewords internally (including all-caps), including LEGSPINv2.6, WILLISCHECKv2.0, HOPSCOTCH, U_STARBUCKS, ‘shit’, and initializing a CRC with 31337.
It injects a new root certificate into the target’s certificate store.
One captured module was specifically to target Ericsson GSM base stations/control systems, and logs indicate it was being used against Afghanistan.
So yes, this not only appears to be NSA/GCHQ’s malcode framework, but this malcode does appear to have been used to target NATO allies (Belgium, Germany) and NATO allied citizens (Quisquater).