WinNT/Regin


WinNT/Regin

Postby Horgh » Sun Nov 23, 2014 7:39 pm

Old stuff, detected since 2011; Symantec published a whitepaper about it today.
Looks interesting anyway.

Whitepaper : http://www.symantec.com/content/en/us/e ... alysis.pdf

Samples attached :

2c8b9d2885543d7ade3cae98225e263b
4b6b86c7fec1c574706cecedf44abded
187044596bc1328efa0ed636d8aa4a5c
06665b96e293b23acc80451abb413e50
d240f06e98c8d3e647cbf4d442d79475
6662c390b2bbbd291ec7987388fc75d7
ffb0b9b5b610191051a7bdf0806e1e47
b29ca4f22ae7b7b25f79c1d4a421139d
1c024e599ac055312a4ab75b3950040a
ba7bb65634ce1e30c1e5415be3d1db1d
b505d65721bb2453d5039a389113b566
b269894f434657db2b15949641a67532
bfbe8c3ee78750c3a520480700e440f8

All the ones mentioned in the paper appendix.
Horgh
 
Posts: 37
Joined: Fri Dec 07, 2012 9:48 am
Location: France
Reputation point: 40

Re: Trojan:WinNT/Regin

Postby N3mes1s » Mon Nov 24, 2014 11:11 am

Post from f-secure:
https://www.f-secure.com/weblog/archives/00002766.html

yara rules:

http://pastebin.com/0ZEWvjsC

rule Regin_APT_KernelDriver_Generic_A {
   meta:
      description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
      author = "@Malwrsignatures - included in APT Scanner THOR"
      date = "23.11.14"
      hash1 = "187044596bc1328efa0ed636d8aa4a5c"
      hash2 = "06665b96e293b23acc80451abb413e50"
      hash3 = "d240f06e98c8d3e647cbf4d442d79475"
   strings:
      $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
      $m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
      
      $s0 = "atapi.sys" fullword wide
      $s1 = "disk.sys" fullword wide
      $s3 = "h.data" fullword ascii
      $s4 = "\\system32" fullword ascii
      $s5 = "\\SystemRoot" fullword ascii
      $s6 = "system" fullword ascii
      $s7 = "temp" fullword ascii
      $s8 = "windows" fullword ascii

      $x1 = "LRich6" fullword ascii
      $x2 = "KeServiceDescriptorTable" fullword ascii      
   condition:
      $m0 at 0 and $m1 and     
      all of ($s*) and 1 of ($x*)
}

rule Regin_APT_KernelDriver_Generic_B {
   meta:
      description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
      author = "@Malwrsignatures - included in APT Scanner THOR"
      date = "23.11.14"
      hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
      hash2 = "bfbe8c3ee78750c3a520480700e440f8"
      hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
      hash4 = "06665b96e293b23acc80451abb413e50"
      hash5 = "2c8b9d2885543d7ade3cae98225e263b"
      hash6 = "4b6b86c7fec1c574706cecedf44abded"
      hash7 = "187044596bc1328efa0ed636d8aa4a5c"
      hash8 = "d240f06e98c8d3e647cbf4d442d79475"
      hash9 = "6662c390b2bbbd291ec7987388fc75d7"
      hash10 = "1c024e599ac055312a4ab75b3950040a"
      hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
      hash12 = "b505d65721bb2453d5039a389113b566"
      hash13 = "b269894f434657db2b15949641a67532"
   strings:
      $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
      $s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
      $s2 = "H.data" fullword ascii nocase
      $s3 = "INIT" fullword ascii
      $s4 = "ntoskrnl.exe" fullword ascii
      
      $v1 = "\\system32" fullword ascii
      $v2 = "\\SystemRoot" fullword ascii
      $v3 = "KeServiceDescriptorTable" fullword ascii   
      
      $w1 = "\\system32" fullword ascii
      $w2 = "\\SystemRoot" fullword ascii      
      $w3 = "LRich6" fullword ascii
      
      $x1 = "_snprintf" fullword ascii
      $x2 = "_except_handler3" fullword ascii
      
      $y1 = "mbstowcs" fullword ascii
      $y2 = "wcstombs" fullword ascii
      $y3 = "KeGetCurrentIrql" fullword ascii
      
      $z1 = "wcscpy" fullword ascii
      $z2 = "ZwCreateFile" fullword ascii
      $z3 = "ZwQueryInformationFile" fullword ascii
      $z4 = "wcslen" fullword ascii
      $z5 = "atoi" fullword ascii
   condition:
      $m0 at 0 and all of ($s*) and
      ( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) )
      and filesize < 20KB
}

rule Regin_APT_KernelDriver_Generic_C {
   meta:
      description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
      author = "@Malwrsignatures - included in APT Scanner THOR"
      date = "23.11.14"
      hash1 = "e0895336617e0b45b312383814ec6783556d7635"
      hash2 = "732298fa025ed48179a3a2555b45be96f7079712"      
   strings:
      $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
   
      $s0 = "KeGetCurrentIrql" fullword ascii
      $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
      $s2 = "usbclass" fullword wide
      
      $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
      $x2 = "Universal Serial Bus Class Driver" fullword wide
      $x3 = "5.2.3790.0" fullword wide
      
      $y1 = "LSA Shell" fullword wide
      $y2 = "0Richw" fullword ascii      
   condition:
      $m0 at 0 and all of ($s*) and
      ( all of ($x*) or all of ($y*) )
      and filesize < 20KB
}
N3mes1s
 
Posts: 41
Joined: Wed Mar 09, 2011 5:17 pm
Reputation point: 5
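To make the mechanics of the rules above concrete, here is an added example (written for this page, not part of the pastebin or of THOR) that re-implements the condition of Regin_APT_KernelDriver_Generic_A without yara-python: it shows what "$m0 at 0", "fullword", "wide" and "1 of ($x*)" actually test. The byte patterns and strings are copied from the rule; the sample buffers are constructed here and are not Regin samples. YARA itself is the reference; this matcher only covers the modifiers used in that rule.

```python
# Added example: stand-alone evaluation of Regin_APT_KernelDriver_Generic_A.
# $m0 / $m1 copied from the rule: MZ header and the DOS stub text.
MZ_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000b8")
DOS_STUB = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + b"This program cannot be run in DOS mode."

# (text, modifier) pairs from the rule; "wide" is UTF-16LE, "ascii" is one byte per char.
S_STRINGS = [
    ("atapi.sys", "wide"),
    ("disk.sys", "wide"),
    ("h.data", "ascii"),
    ("\\system32", "ascii"),
    ("\\SystemRoot", "ascii"),
    ("system", "ascii"),
    ("temp", "ascii"),
    ("windows", "ascii"),
]
X_STRINGS = [
    ("LRich6", "ascii"),
    ("KeServiceDescriptorTable", "ascii"),
]


def encode(text, mode):
    """Byte form YARA searches for: UTF-16LE for 'wide', plain bytes for 'ascii'."""
    return text.encode("utf-16-le") if mode == "wide" else text.encode("ascii")


def _alnum(chunk, mode):
    """True if the neighbouring character (1 byte, or one 2-byte wide char) is [A-Za-z0-9]."""
    if mode == "wide":
        return len(chunk) == 2 and chunk[1] == 0 and chunk[:1].isalnum()
    return len(chunk) == 1 and chunk.isalnum()


def fullword_match(data, text, mode):
    """Emulate YARA's 'fullword' modifier: some occurrence of the string must not be
    immediately preceded or followed by an alphanumeric character (a wide character
    for 'wide' strings). Case-sensitive, as in the rule (no 'nocase')."""
    needle = encode(text, mode)
    step = 2 if mode == "wide" else 1
    pos = data.find(needle)
    while pos >= 0:
        before = data[pos - step:pos] if pos >= step else b""
        after = data[pos + len(needle):pos + len(needle) + step]
        if not _alnum(before, mode) and not _alnum(after, mode):
            return True
        pos = data.find(needle, pos + 1)
    return False


def regin_generic_a(data):
    """Evaluate the rule's condition:
       $m0 at 0 and $m1 and all of ($s*) and 1 of ($x*)"""
    if not data.startswith(MZ_HEADER):                              # $m0 at 0
        return False
    if DOS_STUB not in data:                                        # $m1, plain substring
        return False
    if not all(fullword_match(data, t, m) for t, m in S_STRINGS):   # all of ($s*)
        return False
    return any(fullword_match(data, t, m) for t, m in X_STRINGS)    # 1 of ($x*)


def build_sample(include_standalone_system=True):
    """Construct a synthetic buffer laid out to satisfy the rule. Not malware: just an
    MZ header, the DOS stub and the rule's strings separated by NUL bytes.
    With include_standalone_system=False the buffer still contains "\\system32", but
    "system" followed by "3" is not a fullword hit, so $s6 fails and the rule misses."""
    blob = MZ_HEADER + b"\x00" * (0x40 - len(MZ_HEADER)) + DOS_STUB + b"\x00\x00"
    for text, mode in S_STRINGS:
        if text == "system" and not include_standalone_system:
            continue
        blob += encode(text, mode) + b"\x00\x00"
    return blob + b"KeServiceDescriptorTable\x00"


if __name__ == "__main__":
    print("synthetic sample matches:", regin_generic_a(build_sample()))
    print("without a standalone 'system':", regin_generic_a(build_sample(False)))
```

Running it prints True for the first buffer and False for the second; the second case is the practical point about fullword: a string inside a longer alphanumeric token does not count, so a driver that only references "\system32" does not satisfy $s6.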

Re: Trojan:WinNT/Regin

Postby Horgh » Mon Nov 24, 2014 2:54 pm

Horgh
 
Posts: 37
Joined: Fri Dec 07, 2012 9:48 am
Location: France
Reputation point: 40

Re: Trojan:WinNT/Regin

Postby frame4-mdpro » Mon Nov 24, 2014 5:47 pm

https://firstlook.org/theintercept/2014 ... -nsa-gchq/

Samples mentioned in article attached.
frame4-mdpro
 
Posts: 39
Joined: Wed Jul 13, 2011 1:53 am
Reputation point: 20

Re: Trojan:WinNT/Regin

Postby TheExecuter » Tue Nov 25, 2014 5:38 am

Any other sample which is 'not' a driver?
An executable perhaps. It could give more insight.
TheExecuter
 
Posts: 25
Joined: Sat Aug 10, 2013 5:02 pm
Reputation point: 0

Re: Trojan:WinNT/Regin

Postby EP_X0FF » Tue Nov 25, 2014 10:05 am

TheExecuter wrote:Any other sample which is 'not' a driver?
An executable perhaps. It could give more insight.


Leaving aside the reasons for the appearance of this yet-another-most-advanced-malware-ever fairy tale, they seem to be dealing with already infected machines, which means they don't have the original dropper, as the driver described by Symantec still needs to be installed before it starts its "Stages". Overall this malware so far doesn't look interesting or "advanced" in any way.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: WinNT/Regin

Postby Patrick » Wed Nov 26, 2014 3:01 am

Secret Malware in European Union Attack Linked to U.S. and British Intelligence.

This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion


Hilarious.
Patrick
 
Posts: 19
Joined: Wed Jan 29, 2014 11:48 pm
Reputation point: 3

Re: WinNT/Regin

Postby EP_X0FF » Wed Nov 26, 2014 5:42 am

Patrick wrote:Secret Malware in European Union Attack Linked to U.S. and British Intelligence.

This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion


Hilarious.


I stopped reading this doc after seeing this. Presenting developer incompetence as something "intended to be part of stealth" (just to fulfil overall paranoia) reveals the incompetence level of the document's author itself, so I suggest the author go and perform suicide, not forgetting to check IRQL before. I guess the reasons for these checks are simple: probably it is a stupid "workaround" for an IRQL-related BSOD. Or they installed low-level hooks (which is hilarious itself, as self-revealing) with logging of the data, so they need this check to be able to work with the file system, as the hooks can be triggered at any level.

It somehow reminded me of the case of one popular antivirus product I reversed a long time ago. Their driver was full of strange things, dozens of checks against MmSystemRangeStart after each memory allocation, for example p=ExAllocatePool(); if (p > MmSystemRangeStart) etc.

P.S.
It is a bit speculative, as I don't have right now at hand anything to check this myself.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: WinNT/Regin

Postby EP_X0FF » Wed Nov 26, 2014 3:37 pm

Regin driver mentioned in the above article, reconstructed from a memory dump.

You still can't run it, but you can disassemble it and do static analysis -> all structure recovered.

Nothing interesting.

The above
probably in order to operate as silently as possible and to prevent possible IRQL confusion
is the PAGED_CODE() macro, nothing more, unrelated in any way to stealth or whatever. Yet again the so-called "mass media reversers" (we call them internet clowns) are jumping to conclusions, lacking any kind of kernel-mode driver development experience.

From what I saw in the docs and the malware's actual bodies (despite the fact that the GSM abuse is an interesting feature), there is a strong indication that our beloved legalized malware production companies are trying to make an elephant out of a fly. I do not know how much they paid for it, but it seems it was enough.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562
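For readers without driver-development background, here is an added example (not from the thread, and not Regin code) that models the classic WDK PAGED_CODE() macro on a host compiler, to show why a driver built with DBG defined ends up with a KeGetCurrentIrql() call at the top of every pageable routine. KeGetCurrentIrql, KdPrint and ASSERT are stand-ins defined here, and OpenLogFile / WriteLogRecord are hypothetical driver routines; only the shape of the macro follows wdm.h. Note that the macro checks for IRQL <= APC_LEVEL, not strictly PASSIVE_LEVEL, because page faults can still be serviced at APC_LEVEL.

```c
/* Added example: host-side model of the WDK PAGED_CODE() macro.
 * The kernel functions below are simulated stand-ins (assumptions), not the real API. */
#include <stdio.h>

typedef unsigned char KIRQL;
#define PASSIVE_LEVEL  0
#define APC_LEVEL      1
#define DISPATCH_LEVEL 2
#define FALSE 0

/* Simulated IRQL; the real KeGetCurrentIrql reads it from the processor control region. */
static KIRQL g_irql = PASSIVE_LEVEL;
static KIRQL KeGetCurrentIrql(void) { return g_irql; }

/* In a real checked build ASSERT(FALSE) breaks into the debugger; here we just count. */
static int g_violations = 0;
#define KdPrint(args) printf args
#define ASSERT(cond)  do { if (!(cond)) g_violations++; } while (0)

/* Shape of the classic definition in wdm.h/ntddk.h: it expands only when DBG is set,
 * and it permits APC_LEVEL, not just PASSIVE_LEVEL. */
#define DBG 1
#if DBG
#define PAGED_CODE() \
    { if (KeGetCurrentIrql() > APC_LEVEL) { \
          KdPrint(("EX: Pageable code called at IRQL %d\n", KeGetCurrentIrql())); \
          ASSERT(FALSE); \
      } \
    }
#else
#define PAGED_CODE()
#endif

/* Hypothetical pageable routines written the way a driver author would: the macro is
 * the first statement, which is what produces the "recurrent" IRQL checks in a binary. */
static int OpenLogFile(void)
{
    PAGED_CODE();
    /* ZwCreateFile etc. would follow; those calls also require IRQL <= APC_LEVEL. */
    return 0;
}

static int WriteLogRecord(const char *rec)
{
    PAGED_CODE();
    return (int)(rec != NULL);
}

/* Run both routines at the given IRQL and return how many PAGED_CODE checks fired. */
int paged_code_violations_at(KIRQL irql)
{
    g_irql = irql;
    g_violations = 0;
    OpenLogFile();
    WriteLogRecord("x");
    return g_violations;
}

int main(void)
{
    printf("PASSIVE_LEVEL:  %d violations\n", paged_code_violations_at(PASSIVE_LEVEL));
    printf("APC_LEVEL:      %d violations\n", paged_code_violations_at(APC_LEVEL));
    printf("DISPATCH_LEVEL: %d violations\n", paged_code_violations_at(DISPATCH_LEVEL));
    return 0;
}
```

Compiled with `cc -o paged paged.c`, it reports 0 violations at PASSIVE_LEVEL and APC_LEVEL and 2 at DISPATCH_LEVEL (one per routine). In a free build the same source contains no IRQL check at all, which is why repeated KeGetCurrentIrql() calls say more about build configuration than about stealth.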

Re: WinNT/Regin

Postby Patrick » Wed Nov 26, 2014 7:51 pm

EP_X0FF wrote:Reconstructed from memory dump Regin driver mentioned in above article.

You still can't run it, but you can disassemble it and do static analysis -> all structure recovered.

Nothing interesting.

The above
probably in order to operate as silently as possible and to prevent possible IRQL confusion
is the PAGED_CODE() macro, nothing more, unrelated in any way to stealth or whatever.


This is what I assumed it was, which is why it was absolutely hilarious to me.

One of my favorite parts about malware that reaches the media is how journalists and authors of articles with zero kernel development background always label the malware as 'top-tier' or 'the most sophisticated'. Never gets old.
Patrick
 
Posts: 19
Joined: Wed Jan 29, 2014 11:48 pm
Reputation point: 3
