[Horgh]

Old stuff detected since 2011, symantec published a whitepaper about it today.
Looks interesting anyway.

Whitepaper : http://www.symantec.com/content/en/us/e ... alysis.pdf

Samples attached :

2c8b9d2885543d7ade3cae98225e263b
4b6b86c7fec1c574706cecedf44abded
187044596bc1328efa0ed636d8aa4a5c
06665b96e293b23acc80451abb413e50
d240f06e98c8d3e647cbf4d442d79475
6662c390b2bbbd291ec7987388fc75d7
ffb0b9b5b610191051a7bdf0806e1e47
b29ca4f22ae7b7b25f79c1d4a421139d
1c024e599ac055312a4ab75b3950040a
ba7bb65634ce1e30c1e5415be3d1db1d
b505d65721bb2453d5039a389113b566
b269894f434657db2b15949641a67532
bfbe8c3ee78750c3a520480700e440f8

All the ones mentionned in the paper appendix.

[N3mes1s]

Post from f-secure:
https://www.f-secure.com/weblog/archives/00002766.html

yara rules:

http://pastebin.com/0ZEWvjsC

Code: Select all

rule Regin_APT_KernelDriver_Generic_A {
	meta:
		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
		author = "@Malwrsignatures - included in APT Scanner THOR"
		date = "23.11.14"
		hash1 = "187044596bc1328efa0ed636d8aa4a5c"
		hash2 = "06665b96e293b23acc80451abb413e50"
		hash3 = "d240f06e98c8d3e647cbf4d442d79475"
	strings:
		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
		$m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
		
		$s0 = "atapi.sys" fullword wide
		$s1 = "disk.sys" fullword wide
		$s3 = "h.data" fullword ascii
		$s4 = "\\system32" fullword ascii
		$s5 = "\\SystemRoot" fullword ascii
		$s6 = "system" fullword ascii
		$s7 = "temp" fullword ascii
		$s8 = "windows" fullword ascii

		$x1 = "LRich6" fullword ascii
		$x2 = "KeServiceDescriptorTable" fullword ascii		
	condition:
		$m0 at 0 and $m1 and  	
		all of ($s*) and 1 of ($x*)
}

rule Regin_APT_KernelDriver_Generic_B {
	meta:
		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
		author = "@Malwrsignatures - included in APT Scanner THOR"
		date = "23.11.14"
		hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
		hash2 = "bfbe8c3ee78750c3a520480700e440f8"
		hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
		hash4 = "06665b96e293b23acc80451abb413e50"
		hash5 = "2c8b9d2885543d7ade3cae98225e263b"
		hash6 = "4b6b86c7fec1c574706cecedf44abded"
		hash7 = "187044596bc1328efa0ed636d8aa4a5c"
		hash8 = "d240f06e98c8d3e647cbf4d442d79475"
		hash9 = "6662c390b2bbbd291ec7987388fc75d7"
		hash10 = "1c024e599ac055312a4ab75b3950040a"
		hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
		hash12 = "b505d65721bb2453d5039a389113b566"
		hash13 = "b269894f434657db2b15949641a67532"
	strings:
		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
		$s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
		$s2 = "H.data" fullword ascii nocase
		$s3 = "INIT" fullword ascii
		$s4 = "ntoskrnl.exe" fullword ascii
		
		$v1 = "\\system32" fullword ascii
		$v2 = "\\SystemRoot" fullword ascii
		$v3 = "KeServiceDescriptorTable" fullword ascii	
		
		$w1 = "\\system32" fullword ascii
		$w2 = "\\SystemRoot" fullword ascii		
		$w3 = "LRich6" fullword ascii
		
		$x1 = "_snprintf" fullword ascii
		$x2 = "_except_handler3" fullword ascii
		
		$y1 = "mbstowcs" fullword ascii
		$y2 = "wcstombs" fullword ascii
		$y3 = "KeGetCurrentIrql" fullword ascii
		
		$z1 = "wcscpy" fullword ascii
		$z2 = "ZwCreateFile" fullword ascii
		$z3 = "ZwQueryInformationFile" fullword ascii
		$z4 = "wcslen" fullword ascii
		$z5 = "atoi" fullword ascii
	condition:
		$m0 at 0 and all of ($s*) and 
		( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) ) 
		and filesize < 20KB
}

rule Regin_APT_KernelDriver_Generic_C {
	meta:
		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
		author = "@Malwrsignatures - included in APT Scanner THOR"
		date = "23.11.14"
		hash1 = "e0895336617e0b45b312383814ec6783556d7635"
		hash2 = "732298fa025ed48179a3a2555b45be96f7079712"		
	strings:
		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
	
		$s0 = "KeGetCurrentIrql" fullword ascii
		$s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
		$s2 = "usbclass" fullword wide
		
		$x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
		$x2 = "Universal Serial Bus Class Driver" fullword wide
		$x3 = "5.2.3790.0" fullword wide
		
		$y1 = "LSA Shell" fullword wide
		$y2 = "0Richw" fullword ascii		
	condition:
		$m0 at 0 and all of ($s*) and 
		( all of ($x*) or all of ($y*) ) 
		and filesize < 20KB
}

[Horgh]

http://securelist.com/blog/research/677 ... -networks/

A more detailed paper by Kaspersky.

Also, blogpost by F-Secure : https://www.f-secure.com/weblog/archives/00002766.html

[frame4-mdpro]

https://firstlook.org/theintercept/2014 ... -nsa-gchq/

Samples mentioned in article attached.

[TheExecuter]

Any other sample which is 'not' a driver?
an executable perhaps. It could give more insight.

[EP_X0FF]

Any other sample which is 'not' a driver?
an executable perhaps. It could give more insight.

Leaving aside the reasons for the appearance of this yet-another-most-advanced-malware-ever fairy tale they seems dealing with already infected machines, which mean they don't have original dropper as the driver which is described by symantec still need to be installed before it starts it "Stages". Overall this malware so far doesn't look anyhow interesting or "advanced".

[Patrick]

Secret Malware in European Union Attack Linked to U.S. and British Intelligence.

This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion

Hilarious.

[EP_X0FF]

Secret Malware in European Union Attack Linked to U.S. and British Intelligence.

This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion

Hilarious.

I stopped reading this doc after seeing this. Presenting developers incompetence as something "intended to be part of stealth" (just to fulfill overall paranoia) are revealing incompetence level of document author itself, so I suggest author go and perform suicide, don't forget to check IRQL before. I guess the reasons of this checks are simple, probably it is stupid "workaround" for IRQL reason BSOD. Or they installed low level hooks (which is hilarious itself as self-revealing) with logging of the data so they need this check to be able to work with file system as the hooks can be triggered at any level.

It somehow remembered me case of one popular antivirus software I reversed long time ago. Their driver was full of strange things, dozens checks with MmSystemRangeStart, after each memory allocation for example p=ExAllocatePool(); if (p > MmSystemRangeStart) etc.

P.S.
It is a bit speculative, as I don't have right now at hand anything to check this myself.

[EP_X0FF]

Reconstructed from memory dump Regin driver mentioned in above article.

You still can't run it, but you can disassemble it and do static analysis -> all structure recovered.

Nothing interesting.

The above

probably in order to operate as silently as possible and to prevent possible IRQL confusion

is a macro PAGED_CODE(), nothing more, unrelated anyhow to stealth or whatever. Yet again so-called "mass media reversers" (we call them internet clowns) jumping to conclusions lacking any kind of kernel mode drivers development experience.

From what I saw in docs and malware actual bodies (despite the fact of GSM abuse is interesting feature) there is a strong indication that our loved legalized malware production companies are trying to make elephant out of the fly. I do not know how much they paid for it but seems it is enough.

[Patrick]

Reconstructed from memory dump Regin driver mentioned in above article.

You still can't run it, but you can disassemble it and do static analysis -> all structure recovered.

Nothing interesting.

The above

probably in order to operate as silently as possible and to prevent possible IRQL confusion

is a macro PAGED_CODE(), nothing more, unrelated anyhow to stealth or whatever.

This is what I assumed it was, which is why it was absolutely hilarious to me.

One of my favorite parts about malware that reaches the media is how journalists and authors of articles with zero kernel development background always label the malware as 'top-tier' or 'the most sophisticated'. Never gets old.