Malware Instrumentation Application to Regin Analysis

  • Matthieu Kaczmarek


The complexity of the Regin malware underlines the importance of reverse engineering in modern incident response. The present study shows that such complexity can be overcome: substantial information about adversary tactics, techniques and procedures is obtained from reverse engineering.

An introduction to the Regin development framework is provided along with instrumentation guidelines. Such instrumentation enables experimentation with malware modules, so analysis can directly leverage the malware's own code without the need to program an analysis toolkit.

As an application of the presented instrumentation, the underlying botnet architecture is analysed. Finally, conclusions from different perspectives are provided: defense, attack and counter-intelligence.



Conference proceedings