Malware Instrumentation Application to Regin Analysis

  • Matthieu Kaczmarek

Abstract

The complexity of the Regin malware underlines the importance of reverse engineering in modern incident response. The present study shows that such complexity can be overcome: substantial information about adversary tactics, techniques and procedures is obtained from reverse engineering.

An introduction to the Regin development framework is provided along with instrumentation guidelines. Such instrumentation enables experimentation with malware modules, so analysis can directly leverage the malware's own code without the need to program an analysis toolkit.

As an application of the presented instrumentation, the underlying botnet architecture is analysed. Finally, conclusions are provided from different perspectives: defense, attack and counterintelligence.

Published
2015-12-21
How to Cite
KACZMAREK, Matthieu. Malware Instrumentation Application to Regin Analysis. The Journal on Cybercrime & Digital Investigations, [S.l.], v. 1, n. 1, p. 1-12, dec. 2015. ISSN 2494-2715. Available at: <https://journal.cecyf.fr/ojs/index.php/cybin/article/view/2>. Date accessed: 25 june 2017. doi: https://doi.org/10.18464/cybin.v1i1.2.
Section
Conference proceedings