Malware Instrumentation Application to Regin Analysis
Abstract
The complexity of the Regin malware underlines the importance of reverse engineering in modern incident response. The present study shows that such complexity can be overcome: substantial information about adversary tactics, techniques and procedures is obtained from reverse engineering.
An introduction to the Regin development framework is provided along with instrumentation guidelines. Such instrumentation enables experimentation with malware modules, so analysis can directly leverage the malware's own code without the need to program an analysis toolkit.
As an application of the presented instrumentation, the underlying botnet architecture is analysed. Finally, conclusions are provided from different perspectives: defense, attack and counter intelligence.
Copyright (c) 2015 Matthieu Kaczmarek

This work is licensed under a Creative Commons Attribution 4.0 International License.