Nytro

THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS


Kaspersky Lab Report

Version 1.0

24 November 2014

Contents

Introduction, history
Initial compromise and lateral movement
The Regin platform
    Stage 1 – 32/64 bit
    Stage 2 – loader – 32-bit
    Stage 2 – loader – 64-bit
    Stage 3 – 32-bit – kernel mode manager "VMEM.sys"
    Stage 3 – 64-bit
    Stage 4 (32-bit) / 3 (64-bit) – dispatcher module, 'disp.dll'
        32-bit
        64-bit
    Stage 4 – Virtual File Systems (32/64-bit)
Unusual modules and artifacts
    Artifacts
    GSM targeting
Communication and C&C
Victim statistics
Attribution
Conclusions
Technical appendix and indicators of compromise
    Yara rules
    MD5s
    Registry branches used to store malware stages 2 and 3
    C&C IPs
    VFS RC5 decryption algorithm

Download: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf
